Block iThemes Security Pro plugin admin menu

This article describes how to block iThemes Security Pro (ISP) plugin “Security” admin menu.

If you granted ‘manage_options’ capability to some role A, it will automatically get access to the “Security” admin menu:

Security admin menu
Security admin menu

which belongs to ISP plugin. If you don’t wish role A manages site security settings, but yo can not revoke ‘manage_options’ capability from it, you will try to block this menu via User Role Editor Pro “Admin menu access” add-on. But you will meed with a strange thing here – while the “Security” menu is definitely available for a role, you don’t see it at the list of admin menu items available for blocking at the “Admin menu” dialog. This issue was discovered and all code examples below are taken from ISP plugin, version 6.8.1.

Let’s look why it’s happening. 1st, let’s open “Admin menu” for the ‘Administrator’ role and scroll it down to the ‘Security’ menu and look what user capability protects it:

security admin menu default capability
Security admin menu default capability

Does ‘itsec_manage’ capability exist or is it granted to the role A? No. This explains why “Security” menu is not visible in the “Admin menu” dialog for role A.

Let’s investigate how the plugin uses ‘itsec_manage’ capability. Just use grep utility to search for the ‘itsec_manage’ keyword through the ISP plugin source code:

itsec_manage capability usage
itsec_manage capability usage

Pay attention on the line #189 highlighted by the white color. After looking directly into the code of the ISP plugin, ithemes-security-pro/core/core.php at the public method user_has_cap() it becomes clear that under some conditions the ISP plugin automatically grants ‘itsec_manage’ capability to the users who can ‘manage_options’ or ‘manage_network_options’ under WordPress multisite. This explains why role A with ‘manage_options’ has access to the “Security” menu without having ‘itsec_manage’ capability.

1st quick workaround is to add ‘itsec_manage’ capability and grant it to the role A. It will resolve the issue when “Security” menu is not available for blocking at the URE Pro “Admin menu” dialog. But I do not recommend this solution for 2 important reasons:
– We do not plan to grant real access to the ISP plugin for the role A. Thus we should not extend its permissions.
– The ISP plugin still directly uses ‘manage_options’ capability.

ISP manage_options direct usage
ISP manage_options direct usage

Thus, as ‘itsec_manage’ capability still does not cover full permissions to the ISP plugin let’s do not use it.

Looking at the ISP plugin admin menu definition code I found that it’s possible to redefine ‘itsec_manage’ capability via custom filter:

ISP admin menu definition
ISP admin menu definition

When look how $capability variable is defined, I found itsec_required_cap custom filter, which allows to build the final solution:

get_required_cap
get_required_cap() definition

So, using this filter we can redefine user capability for “Security” admin menu back to the ‘manage_options’. It will resolve the issue when “Admin menu” dialog does not show “Security” menu as available for blocking for role A.

Code is below:

// iThemes Security Pro - replace virtual user capability 'itsec_manage' with the really used 'manage_options'
add_filter('itsec_cap_required', 'replace_itsec_cap', 10, 1 );
function replace_itsec_cap( $itsec_cap ) {
    $itsec_cap = is_multisite() ? 'manage_network_options' : 'manage_options';
 
    return $itsec_cap;
}

Insert it into your active theme functions.php file or setup it as a Must Use plugin.
“Security” admin menu with be directly protected by ‘manage_options’ capability instead of unexisting ‘itsec_manage’ one:

isp security manage options
ISP Security menu with manage_options

and it will be possible to block it for the role A if your need that.

Share