Block WordPress Admin Menu Items

Blocking WordPress admin menu items that offer functionality the current user does not need is possible with the help of a User Role Editor Pro additional module. WordPress manages access to its administrator menu items through user capabilities. For example, to use the “Appearance” menu a user should have the ‘edit_theme_options’ or ‘switch_themes’ capability; to access the “Settings” menu, the ‘manage_options’ capability. You can manage this access with “User Role Editor” by adding capabilities to or removing them from roles, or by working directly with users. But what if you need to give a user access to the “Menus” item of the “Appearance” submenu without giving access to “Widgets” from the same submenu? This cannot be done via user capabilities, as both menu items are controlled by the same “edit_theme_options” user capability.
User Role Editor Pro includes the “Administrator menu access” module, which allows you to block menu items for a selected role by turning on the corresponding checkboxes, just as you do with user capabilities when editing a user role.

In order to use “Administrator menu access” module you need to activate it. Go to “User Role Editor” Options page and turn on “Activate Administrator Menu Access module” option at the “Additional Modules” tab:

Admin menu access add-on activation

After that you will see a new “Admin Menu” button on the User Role Editor Pro toolbar (open the “Users->User Role Editor” page and look to the right):

Admin menu button

Click on “Admin Menu” button to see the list of WordPress backend menu items available for currently selected role:

Admin menu for selected role

Turn on the checkboxes for the menu items you wish to block for the currently selected role, and click the “Update” button.
As a result, a user with that role will not see the blocked menu items and cannot even access them directly by entering the corresponding URL in the browser.

If you wish to see the full list of administrator menu items, open “Admin menu” for the “Administrator” role.
There is no sense in blocking menu items for the administrator, so the checkboxes are unavailable here. It is a very good starting point for studying WordPress menu user permissions. You may use the “Admin Menu” dialog here as a reference for your work with roles and capabilities, as it shows which user capability restricts access to which admin menu item, including menu items added by active plugins.

Some plugins use their own user capabilities; others use one of the WordPress built-in capabilities, like ‘manage_options’, ‘edit_posts’, etc.

The 1st step is to check which capabilities a plugin uses to protect its menu. Open “Admin menu” for the ‘Administrator’ role, find the menu item you need and look at the ‘User Capability’ column.
If you don’t want a role to have access to this menu, revoke the related user capabilities from it. If you cannot revoke some capabilities because they are needed for access to other menu items, like ‘edit_posts’, then block the unneeded menu items with the “Admin menu access” add-on.
Similarly, if you need to give a role access to some menu item, grant it the related user capabilities. Then check whether it has gained access to unneeded menu items (as happens when you grant the ‘manage_options’ capability) and block those menu items with the “Admin menu access” add-on.

An example of how to provide access to a plugin menu protected by the “manage_options” capability (e.g. “Statistics” from the WP Statistics plugin) but not allow access to “Settings” or other menus is available here.
An example of blocking access to selected items of the WooCommerce menu is published at this post.

Technical details

When you select a menu item to be blocked, URE hides this menu item and blocks the URL assigned to it. Any attempt to use a blocked URL leads to automatic redirection to the URL assigned to the 1st available (not blocked) menu item.

Block not selected

When we work with the ‘Block not selected’ model, all URLs from the main admin menu except those explicitly selected become blocked. Use the ‘block not selected’ model carefully. URE compares the full list of URL arguments when it checks URL availability.
For example, the WooCommerce “Products” menu link is:

/wp-admin/edit.php?post_type=product

and you allowed it using the “Block not selected” model. The user can access this URL and open the products list. But when the restricted user tries to search for a product via the “Search” field, WordPress uses this URL:

wp-admin/edit.php?s=test&post_status=all&post_type=product&action=-1&product_cat&product_type&stock_status&paged=1&action2=-1

which (taking into account the full list of parameters) is not among the selected URLs and thus will be blocked. This is why the user is redirected to the 1st available menu link, most probably the admin dashboard.
There are 2 ways to resolve this issue:
– Use the more flexible “Block selected” mode for the “Admin menu” role settings.
– If the 1st way is not suitable and you wish to use the “Block not selected” mode, use the “URL Parameters White List” extension. It lets you tell URE which URL parameters are allowed for links/menu items that are not blocked.
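
The behaviour described above, as an added example that is not User Role Editor Pro's own code: a small PHP model of the “Block not selected” check, first with the full-argument comparison and then with a list of additionally permitted parameter names. The function names and the white list contents are assumptions made for the illustration.

```php
<?php
// Illustrative model of the matching described above; not URE Pro source code.

// Split an admin URL into its script name and its (sorted) query arguments.
function demo_parse_admin_url(string $url): array {
    $args = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $args);
    ksort($args);
    return [basename((string) parse_url($url, PHP_URL_PATH)), $args];
}

// "Block not selected": a request passes only if it matches a selected menu link.
// $extra_params stands in for the "URL Parameters White List" (hypothetical form):
// names of arguments that may appear in addition to those of the menu link.
function demo_is_allowed(string $request, array $selected, array $extra_params = []): bool {
    [$script, $args] = demo_parse_admin_url($request);
    foreach ($selected as $link) {
        [$link_script, $link_args] = demo_parse_admin_url($link);
        // Same script, and the menu link's own arguments present with the same values.
        if ($script !== $link_script || array_intersect_key($args, $link_args) !== $link_args) {
            continue;
        }
        // Every additional argument must be permitted by name.
        $extra = array_keys(array_diff_key($args, $link_args));
        if (array_diff($extra, $extra_params) === []) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: the two URLs quoted on this page plus one variation.
$selected  = ['/wp-admin/edit.php?post_type=product'];
$search    = 'wp-admin/edit.php?s=test&post_status=all&post_type=product&action=-1'
           . '&product_cat&product_type&stock_status&paged=1&action2=-1';
$whitelist = ['s', 'post_status', 'action', 'product_cat', 'product_type',
              'stock_status', 'paged', 'action2'];
$cases = [
    'menu link itself'            => [$selected[0], []],
    'search, no white list'       => [$search, []],
    'search, with white list'     => [$search, $whitelist],
    'other post type, white list' => ['/wp-admin/edit.php?post_type=page&s=test', $whitelist],
];
foreach ($cases as $label => [$url, $extra]) {
    printf("%-28s %s\n", $label, demo_is_allowed($url, $selected, $extra) ? 'allowed' : 'blocked');
}
```

In this model the white list only permits extra parameter names; the arguments of the selected menu link itself (here post_type=product) still have to match, which is the property to check when reviewing a white list.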

Multiple roles

When combining “Admin menu access” data from multiple roles assigned to the same user, you have to take this logic into account:
– assigned restrictions take effect in the order the roles are assigned. Admin menu blocking data from the 1st (primary) role always takes effect;
– data from the remaining roles is taken into account only if they use the same blocking model. For example, if the 1st role has the ‘block selected’ model but the 2nd role has the ‘block not selected’ model, the 2nd role’s ‘admin menu access’ data is ignored;
– ‘admin menu access’ data from other roles with the same blocking model is added to the data from the 1st role.
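
The three rules above written out as an added example (not the plugin's own code). The function name, the array layout, the role ids and the menu links are made up for the illustration, and skipping a role that has no “Admin menu access” data is an assumption.

```php
<?php
// Illustrative model of the combination rules above; not URE Pro source code.
// Assumption: a role without "Admin menu access" data is skipped.

// $user_roles: role ids in assigned order (primary role first).
// $role_data:  role id => ['model' => 'selected'|'not_selected', 'items' => [menu links]].
function demo_combine_menu_access(array $user_roles, array $role_data): array {
    $model   = null;
    $items   = [];
    $ignored = [];
    foreach ($user_roles as $role) {
        if (!isset($role_data[$role])) {
            continue;
        }
        $data = $role_data[$role];
        if ($model === null) {
            $model = $data['model'];   // the 1st role with data fixes the blocking model
        } elseif ($data['model'] !== $model) {
            $ignored[] = $role;        // different model: this role's data is ignored
            continue;
        }
        // Same model: the role's items are added to those collected so far.
        $items = array_merge($items, $data['items']);
    }
    return [
        'model'   => $model,
        'items'   => array_values(array_unique($items)),
        'ignored' => $ignored,
    ];
}

// Constructed sample data (hypothetical role ids and menu links).
$role_data = [
    'shop_editor'    => ['model' => 'selected',     'items' => ['tools.php', 'options-general.php']],
    'content_editor' => ['model' => 'not_selected', 'items' => ['edit.php', 'upload.php']],
    'support'        => ['model' => 'selected',     'items' => ['plugins.php', 'tools.php']],
];
$result = demo_combine_menu_access(['shop_editor', 'content_editor', 'support'], $role_data);

// Under 'selected' the merged items are the ones blocked for the user;
// under 'not_selected' they are the ones that stay available.
print_r($result);
```

When reviewing a user with several roles, the 'ignored' list is the part to look at: restrictions configured on those roles have no effect for that user.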
