Remove Dashboard Access
| 开发者 |
DrewAPicture
TrustedLogin |
|---|---|
| 更新时间 | 2026年5月23日 03:01 |
| 捐献地址: | 去捐款 |
| PHP版本: | 5.3 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
The easiest and safest way to restrict access to your WordPress site's Dashboard and administrative menus. Remove Dashboard Access is a lightweight plugin that automatically redirects users who shouldn't have access to the Dashboard to a custom URL of your choosing. Redirects can also be configured on a per-role/per-capability basis, allowing you to keep certain users out of the Dashboard, while retaining access for others.
- Limit Dashboard access to user roles:
- Admins only
- Admins + editors
- Admins, editors, and authors
- or restrict by specific user capability
- Choose your own redirect URL
- Optionally allow users to edit their profiles
- Display a message on the login screen so users know why they're being redirected
- Allow specific admin pages through the redirect — paste a list of URLs your customers should still be able to reach (with wildcard support for grouping related pages)
- Optionally extend the block to
admin-ajax.phprequests for stricter lockdown
- Supply a message to display on the login screen. Leaving this blank disables the message.
* as a wildcard inside a query value to match a whole group of pages at once. For example, ?page=tl-* allows tl-secrets, tl-config, and any other page whose slug starts with tl-.
Optionally block AJAX requests too:
By default this plugin doesn't touch requests to admin-ajax.php — most WordPress sites rely on those for legitimate frontend AJAX. If you'd rather the dashboard restriction apply there as well, turn on the "Also block AJAX" checkbox in the Advanced section of the settings page.
安装:
- Search 'Remove Dashboard Access' from the Install Plugins screen.
- Install plugin, click Activate.
屏幕截图:
常见问题:
What happens to disallowed users who try to access to the Dashboard?
Users lacking the chosen capability or role(s) will be redirected to the URL set in Settings > Dashboard Access.
Why haven't you added an option to disable the WordPress Toolbar?
The Toolbar contains certain important links (even for disallowed users) such as for accessing to the profile editor and/or logging out. Plus, there are many plugins out there for disabling the Toolbar if you really want to.
Can I disable the redirection/profile-editing controls without disabling the plugin?
No. Disable the plugin if you don't wish to leverage the functionality.
How do I hide other plugins/themes' Toolbar menus?
- Remove Dashboard Access removes some built-in WordPress Toolbar menus by default, but can be extended to hide menus from other plugins or themes via two filters:
rda_toolbar_nodes(viewing from the admin), andrda_frontend_toolbar_nodes(viewing from the front-end).
How do I find the menu (node) id?
- In the HTML page source, look for the
<li>container for the menu node you're targeting. It should take the form of<li id="wp-admin-bar-SOMETHING"> - In
<li id="wp-admin-bar-SOMETHING">, you want the "SOMETHING" part.
How can I allow access to specific pages of the Dashboard?
The function returns an associative array with $pagenow as the key and a nested array of key => value pairs where the key is the $_GET parameter and the value is the allowed value.
Example: If you want to allow a URL of admin.php?page=EXAMPLE, there are three parts to know:
- The
$pagenowglobal value (tools.phpin this case) - The
$_GETkey (pagein this case) - The
$_GET value (EXAMPLE in this case)
- Allow users to access a page with a URL of tools.php?page=EXAMPLE
- @param array $pages Allowed Dashboard pages.
- @return array Filtered allowed Dashboard pages. */ function wpdocs_allow_example_dashboard_page( $pages ) {
?page=EXAMPLE combination to the allowed parameter set for that page.
$pages['tools.php'][] = array(
'page' => 'EXAMPLE'
);
return $pages;
}
add_filter( 'rda_allowlist', 'wpdocs_allow_example_dashboard_page' );
`
How can I filter the disallowed Toolbar nodes on the front-end?
` /**
- Filter hidden Toolbar menus on the front-end.
- @param array $ids Toolbar menu IDs.
- @return array Filtered front-end Toolbar menu IDs. */ function wpdocs_hide_some_toolbar_menu( $ids ) { $ids[] = 'SOMETHING'; return $ids; } add_filter( 'rda_frontend_toolbar_nodes', 'wpdocs_hide_some_toolbar_menu' ); Common plugin Toolbar menus and their ids:
- Jetpack by WordPress.com (notifications) – 'notes'
- WordPress SEO by Yoast – 'wpseo-menu'
- W3 Total Cache – 'w3tc'
How do I enable Debug Mode?
To view debugging information on the Settings > Reading screen, visit:
example.com/options-general.php?page=dashboard-access&rda_debug=1
Can I contribute to the plugin?
Yes! This plugin is in active development on GitHub. Pull requests are welcome!
Is the plugin GDPR compliant?
Yes. The plugin does not collect any personal data, nor does it set any cookies.
更新日志:
1.3.1 on May 22, 2026
This release adds the missing
License headers that the wordpress.org plugin reviewer flagged during the 1.3.0 import. No functional change.
🐛 Fixed
- Added the
License: GPLv2 or laterandLicense URI: https://www.gnu.org/licenses/gpl-2.0.htmlheaders toreadme.txtand normalized the plugin file'sLicense:header to the same canonical form. The plugin has always been GPLv2-licensed; the headers were just missing from the locations wordpress.org's plugin directory parses.
- Allowed URLs — A new textarea on the Dashboard Access settings page where you can paste any URLs that should skip the dashboard redirect, one per line. Useful for letting customers reach a specific admin page (like a payment confirmation or a TrustedLogin secret-share screen) without giving them the rest of the dashboard.
- Wildcards in Allowed URLs — Use
*inside a query value to match a group of pages at once. For example,?page=tl-*lets throughtl-secrets,tl-config, and any other page slug that starts withtl-. - Also block AJAX — A new checkbox in the Advanced section to extend the dashboard restriction to
admin-ajax.phprequests too. Most sites should leave this off; turn it on only if you know your AJAX endpoints rely on this plugin to keep them gated. - Advanced section — The settings page now has two clear groups: the everyday Dashboard Access Controls at the top, and an Advanced section below for AJAX blocking and the Allowed URLs list. Easier to scan, less intimidating for new users.
- The settings page now validates the capability values you save. A typo, empty value, or unknown capability can no longer be saved and silently disable the dashboard restriction.
- The disallowed-user redirect uses WordPress's safer
wp_safe_redirect(). Your configured redirect URL still works, including external destinations — but accidental redirects to other hosts are now blocked. - When you add an
admin.php?page=…entry to the allow-list, the plugin now confirms the page is actually registered by another plugin before letting visitors through.
admin-post.phpis now reachable as the 1.2.2 release notes promised. It had been quietly blocked despite the documentation saying it should be exempt.- Two-step admin flows on allow-listed pages — like Wordfence Login Security's 2FA OTP step — no longer get rejected just because the request carries extra query parameters.
- Translations from translate.wordpress.org will now actually load on your site. The plugin's text domain didn't match the WordPress.org slug, so community-submitted translations (including zh_TW) were silently being dropped. Thanks to Alex Lion (阿力獅) (@alexclassroom) for surfacing this and contributing the fix.
- A handful of strings that weren't translatable before — most notably the screen-reader hint on the Login Message link — are now translatable.
- The uninstall script only runs when WordPress is actually uninstalling the plugin, not on stray requests to its file.
- Text domain renamed from
remove_dashboard_accesstoremove-dashboard-access-for-non-adminsto match the WordPress.org slug. If you maintain custom.po/.mofiles in/languages/, rename them to use the new domain. - New
rda_strict_ajaxfilter mirrors the "Also block AJAX" setting for code-level control on a per-site basis. - The existing
rda_allowlistfilter still works; entries now support*wildcards inside query values. - New unit test suite using
@wordpress/scripts+wp-env+ PHPUnit. Run locally withnpm test.
- Fixed: Compatibility with WordPress 6.8
_load_textdomain_just_in_timewarning - Fixed: The plugin prevented
admin-post.phpfrom being accessible, which broke some expected functionality (thanks @brambil)
- Fixed: Compatibility with WordPress 6.7 (there was a warning that translations were being loaded too soon)
- Tweak: Sanitized admin menu URL
- Confirmed compatibility with WordPress 6.4.2
- New: Added a new filter,
rda_allowlist, to configure pages that should be accessible to all users, regardless of their capabilities or roles (see FAQ for usage) - Improved: Added a description that clarifies that the Login Message is only displayed on the WordPress "Log In" screen
- Improved: The User Profile Access text is now a proper label for the checkbox
- Fixed: Allow access to the Wordfence 2FA configuration page (#33)
- Fixed: Text domain not properly set for translations (thanks @fierevere)
- Tweak: Prevent directly accessing PHP files by checking for
ABSPATH(#26) - Tweak: Prevent browsing directories on poorly-configured servers by adding
index.phpfiles in plugin directories
- Fixed: Deactivating and activating the plugin will no longer overwrite plugin settings
- Fixed: Deprecated function
screen_icon()warning - Fixed: Issue when front-end editing of profiles when the
$pagenowglobal is not defined (#24) - Fixed: Potential
Invalid argument supplied for foreach()PHP warning (#22)
- Fixed a compatibility issue with bbPress and the media grid view.
- Bump tested-up-to to 4.1.0
- Miscellaneous readme changes.
- Move options back to Settings > Dashboard Access screen to resolve conflict with page_on_front UI.
- Instantiate as a static instance for better modularity
- Move Dashboard Access Controls settings to Settings > Dashboard Access
- Add optional login message option
- Add better settings sanitization
- New Filter:
rda_default_caps_for_role- Filter default roles for Admins, Editors, and Authors - New Debug Mode
- Remove unnecessarily stringent URL mask on the redirect URL option
- Complete rewrite!
- New: Limit dashboard access for Admins only or by capability
- New: Allow/disallow edit-profile access
- New: Choose your own redirect URL
- New Filter:
rda_default_access_cap- Change default access capability - New Filter:
rda_toolbar_nodes- Filter which back-end Toolbar nodes are hidden - New Filter:
rda_frontend_toolbar_nodes- Filter which front-end Toolbar nodes are hidden
- Refined DOING_AJAX check for logged-out users, props @nacin and @BoiteAWeb
- Changed cap to manage_options, replaced PHP_SELF with DOING_AJAX
- Replaced preg_match with admin-ajax test. Added compatibility with rewritten dashboard URLs.
- Submitted to repository