Block iThemes Security Pro plugin admin menu

This article describes how to block the iThemes Security Pro (ISP) plugin's “Security” admin menu for a role.

If you granted the ‘manage_options’ capability to some role A, it automatically gets access to the “Security” admin menu, which belongs to the ISP plugin. If you don’t want role A to manage site security settings, but you cannot revoke ‘manage_options’ from it, you will try to block this menu via the User Role Editor Pro “Admin menu access” add-on. Here you will meet a strange thing: while the “Security” menu is definitely available to the role, you don’t see it in the list of admin menu items available for blocking in the “Admin menu” dialog. This issue was discovered in, and all code examples below are taken from, ISP plugin version 6.8.1.

Let’s look at why this happens. First, open “Admin menu” for the ‘Administrator’ role, scroll down to the ‘Security’ menu and look at which user capability protects it: ‘itsec_manage’. Does the ‘itsec_manage’ capability exist, or is it granted to role A? No. This explains why the “Security” menu is not visible in the “Admin menu” dialog for role A.

Let’s investigate how the plugin uses the ‘itsec_manage’ capability. Use the grep utility to search for the ‘itsec_manage’ keyword through the ISP plugin source code. Pay attention to line #189, highlighted in white. Looking directly into the ISP plugin code, ithemes-security-pro/core/core.php, at the public method user_has_cap(), it becomes clear that under some conditions the ISP plugin automatically grants the ‘itsec_manage’ capability to users who can ‘manage_options’ (or ‘manage_network_options’ under WordPress multisite). This explains why role A, which has ‘manage_options’, gets access to the “Security” menu without having the ‘itsec_manage’ capability.
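The pattern described above, as an added illustration that is not ISP plugin code: WordPress core runs every capability check through the ‘user_has_cap’ filter, so a plugin can grant a “virtual” capability on the fly to anyone who already holds a real one. Because the virtual capability is never stored on a role, a role editor that enumerates stored role capabilities cannot show it. The capability name ‘example_manage’ and the function names below are assumptions chosen for this example; the second function is an audit helper that reports who effectively holds such a capability.

```php
<?php
/**
 * Added illustration (not the ISP plugin's code): granting a virtual capability
 * through the core 'user_has_cap' filter, plus an audit of its effective holders.
 * 'example_manage' and the function names are assumed for this example.
 */

// Anyone who already has manage_options (manage_network_options on multisite)
// is treated as also having 'example_manage'. Nothing is written to any role,
// so the capability is invisible to tools that list stored role capabilities.
add_filter( 'user_has_cap', 'example_grant_virtual_cap', 10, 4 );
function example_grant_virtual_cap( $allcaps, $caps, $args, $user ) {
	// $caps holds the primitive capabilities being checked; act only on ours.
	if ( ! in_array( 'example_manage', $caps, true ) ) {
		return $allcaps;
	}
	$real_cap = is_multisite() ? 'manage_network_options' : 'manage_options';
	if ( ! empty( $allcaps[ $real_cap ] ) ) {
		$allcaps['example_manage'] = true;
	}
	return $allcaps;
}

// Audit helper: contrast the roles that *store* the capability with the users
// who *effectively* pass user_can() for it. A non-empty second list with an
// empty first list is exactly the situation described in the article.
function example_audit_virtual_cap( $cap = 'example_manage' ) {
	$report = array(
		'roles_storing_cap'        => array(),
		'users_with_effective_cap' => array(),
	);

	foreach ( wp_roles()->roles as $role_name => $role ) {
		if ( ! empty( $role['capabilities'][ $cap ] ) ) {
			$report['roles_storing_cap'][] = $role_name;
		}
	}

	// user_can() runs the full has_cap() path, including 'user_has_cap' filters.
	foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
		if ( user_can( (int) $user->ID, $cap ) ) {
			$report['users_with_effective_cap'][] = $user->user_login;
		}
	}

	return $report;
}
```

Drop the file into wp-content/mu-plugins/ on a test site and run the audit with WP-CLI, for example `wp eval 'print_r( example_audit_virtual_cap() );'`. Every administrator appears under users_with_effective_cap while roles_storing_cap stays empty, which is why the capability never shows up in a role editor’s menu list.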

The first quick workaround is to add the ‘itsec_manage’ capability and grant it to role A. This resolves the issue of the “Security” menu not being available for blocking in the URE Pro “Admin menu” dialog. But I do not recommend this solution, for two important reasons:
– We do not plan to grant real access to the ISP plugin to role A, so we should not extend its permissions.
– The ISP plugin still directly uses the ‘manage_options’ capability.

Thus, as the ‘itsec_manage’ capability still does not cover the full permissions of the ISP plugin, let’s not use it.

Looking at the ISP plugin admin menu definition code, I found that it’s possible to redefine the ‘itsec_manage’ capability via a custom filter.

Looking at how the $capability variable is defined, I found the itsec_cap_required custom filter, which allows us to build the final solution. Using this filter, we can redefine the user capability for the “Security” admin menu back to ‘manage_options’. This resolves the issue of the “Admin menu” dialog not showing the “Security” menu as available for blocking for role A.

The code is below:

// iThemes Security Pro - replace the virtual user capability 'itsec_manage'
// with the capability the plugin really checks, 'manage_options'
// ('manage_network_options' under multisite).
add_filter( 'itsec_cap_required', 'replace_itsec_cap', 10, 1 );
function replace_itsec_cap( $itsec_cap ) {
    // Ignore the value ISP passes in and return the real capability instead.
    $itsec_cap = is_multisite() ? 'manage_network_options' : 'manage_options';

    return $itsec_cap;
}

Insert it into your active theme’s functions.php file or set it up as a must-use (mu-plugins) plugin.
The “Security” admin menu will then be directly protected by the ‘manage_options’ capability instead of the non-existent ‘itsec_manage’ one.
It is then possible to block it for role A if you need to.
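Before blocking the menu in URE Pro, it is worth confirming that the override actually took effect. The check below is added here and is not part of the original article or of the ISP plugin: it scans the WordPress global $menu array late in the ‘admin_menu’ action and reports which capability guards the top-level menu titled “Security”. The function names are assumptions; matching on the menu title is used because the page gives no menu slug, and matching on the slug would be more robust if you know it.

```php
<?php
/**
 * Added check (not the article's or the ISP plugin's code): report the capability
 * that really guards a top-level admin menu. Function names are assumed.
 */

// Run after every plugin has registered its menus, then log what guards "Security".
add_action( 'admin_menu', 'example_report_menu_cap', PHP_INT_MAX );
function example_report_menu_cap() {
	$cap = example_find_menu_cap( 'Security' );
	if ( null === $cap ) {
		error_log( 'No top-level admin menu titled "Security" was found.' );
		return;
	}
	// After the itsec_cap_required override this should read manage_options
	// (manage_network_options on multisite) rather than itsec_manage.
	error_log( sprintf( 'Admin menu "Security" is guarded by capability: %s', $cap ) );
}

// Each $menu entry is an array: [ menu_title, capability, menu_slug, page_title, ... ].
// Titles may carry HTML such as update-count bubbles, so compare on the stripped text.
function example_find_menu_cap( $wanted_title ) {
	global $menu;
	if ( empty( $menu ) || ! is_array( $menu ) ) {
		return null;
	}
	foreach ( $menu as $item ) {
		if ( empty( $item[0] ) ) {
			continue; // separators have no title
		}
		$title = trim( wp_strip_all_tags( $item[0] ) );
		if ( 0 === strcasecmp( $title, $wanted_title ) ) {
			return $item[1];
		}
	}
	return null;
}
```

Load it as a must-use plugin alongside the filter above, open any admin page, and read the line written to the PHP error log. Once it reports ‘manage_options’, the “Security” menu appears in the URE Pro “Admin menu” dialog for role A and can be blocked there.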
