Your WordPress dashboard is the command center of your website. Every setting, every piece of content, every plugin lives there. Right now, there might be people with access who shouldn’t have it.

Think of your dashboard like the control room of a power plant. The engineers who monitor the gauges need full access. The maintenance crew needs access to specific systems. Visitors on a facility tour get to look through a window and nothing more. WordPress works the same way. Different people need different levels of access, and if you give everyone the same keys, you create problems you’ll wish you’d prevented.

This guide shows you exactly how to control who sees what in your WordPress backend. You’ll learn three distinct methods: built-in role management, custom code solutions, and plugin-based approaches. Each method includes step-by-step instructions you can follow today.

Your Site’s Security Depends on Who Can Access the Dashboard

WordPress powers 43.4% of all websites on the internet, according to W3Techs, which makes it the most widely used content management system in the world. That popularity comes with a target on its back.

Infographic (text version): 13,000 WordPress sites hacked every day; 22 minutes is the average time between attacks on a single site; 111,000+ sites hacked in September 2025 alone.

How hackers get into WordPress sites: stolen credentials (passwords, login info) ~70%; software vulnerabilities (plugins, themes) ~30%.

Source: WeWatchYourWebsite, SolidWP Vulnerability Reports 2025

Approximately 13,000 WordPress sites are hacked every single day, and a given site sees a malicious attack every 22 minutes on average. The numbers get worse when you look at monthly totals: more than 111,000 WordPress sites were hacked in September 2025 alone, many of them with security plugins installed and updated.

The relevance to dashboard access becomes clear when you examine how these attacks succeed: roughly 70% used stolen credentials, not software vulnerabilities. Hackers aren’t breaking through walls. They’re walking through doors that were left open.

Every user account with dashboard access represents a potential entry point. A contractor who finished a project six months ago might still have admin credentials. A guest author who only needed to submit one post might still have backend access. A customer on your WooCommerce store might somehow have ended up with more permissions than they should have. Each of these scenarios creates risk.

Beyond security, there’s the practical matter of accidental damage. Clients tinker with theme settings and break their sites. Authors delete plugins they don’t recognize. Team members change configurations without any idea of the consequences. Dashboard access control prevents these situations before they happen.


The Six Default User Roles and What Each One Can Actually Do

WordPress includes six pre-defined roles, not five. Most guides miss the Super Admin role because it only appears in multisite installations, but if you understand all six, you can make informed decisions.

According to the official WordPress.org documentation, WordPress has six pre-defined roles: Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. Each role is allowed to perform a set of tasks called Capabilities.

Super Admin

This role exists only on multisite networks, which are installations where multiple WordPress sites share a single database. Super Admins control the entire network. They can add or remove individual sites, install plugins and themes that affect all sites, and manage users across every site in the network. On a standard single-site WordPress installation, you won’t see this role at all.

Role                            | Install Plugins | Change Themes | Manage Users | Edit All Posts | Publish Posts | Upload Files
Super Admin* (network control)  | Yes             | Yes           | Yes          | Yes            | Yes           | Yes
Administrator (full site)       | Yes             | Yes           | Yes          | Yes            | Yes           | Yes
Editor (content manager)        | No              | No            | No           | Yes            | Yes           | Yes
Author (own content only)       | No              | No            | No           | Own only       | Own only      | Yes
Contributor (needs approval)    | No              | No            | No           | Own only       | No            | No
Subscriber (read only)          | No              | No            | No           | No             | No            | No

*Super Admin appears only on multisite network installations. On a multisite network, installing plugins and themes is reserved for Super Admins; a site Administrator can only activate what the network already provides.

Administrator

Administrators have complete control over a single WordPress site. They can install and delete plugins, change themes, create and remove user accounts, modify any setting, and access every piece of content. On most websites, only one or two people should have this role, typically the site owner and possibly a trusted developer.

The Administrator role includes the “manage_options” capability, which WordPress uses internally to determine who can access site settings. This capability becomes important when you write code to restrict dashboard access.

Editor

Editors manage content without access to site configuration. They can create, edit, publish, and delete any post or page on the site, and that includes content created by other users. They moderate comments and manage categories and tags. Editors cannot install plugins, change themes, or access site settings.

This role works well for content managers on blogs, news sites, and publications. The Editor handles the editorial workflow while the Administrator handles the technical side.

Author

Authors control their own content and nothing else. They can write posts, edit their own posts, publish their own posts, and upload files to the media library. They cannot modify content created by other users or access any site settings.

For multi-author blogs, this role prevents writers from seeing each other’s unpublished drafts or changing published content they didn’t create.

Contributor

Contributors write content but cannot publish it. They submit posts for review, and an Editor or Administrator must approve the content before it goes live. Contributors also cannot upload files to the media library.

This role suits guest writers, interns, or anyone whose content needs review before publication.

Subscriber

Subscribers have the least access of any role. They can log in, read published content, and manage their own profile. Nothing more.

Most sites use the Subscriber role as the default for new registrations. On membership sites, forums, and community platforms, this keeps new users out of areas they shouldn’t see.

Roles and Capabilities Are Two Different Things

If you understand this distinction, you can write better code and choose better plugins for access control.

WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. A role is a collection of capabilities. A capability is a single permission, like “edit_posts” or “manage_options” or “publish_pages.”

When you check whether a user can do something in WordPress, you’re really checking whether their role includes a specific capability. The Administrator role includes the “manage_options” capability. The Editor role includes “edit_others_posts” but not “manage_options.” The Subscriber role includes only “read.”

This matters because the best practice for access control is to check capabilities rather than role names. A plugin might create a custom role called “Shop Manager” with some administrative capabilities. Code that checks for the Administrator role would block Shop Managers even if they should have access. Code that checks for a specific capability like “manage_options” makes the right decision regardless of what the role is named.
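To make the distinction concrete, here is an added example (not code from the original article) that registers a custom role carrying manage_options and then runs a role-name check and a capability check against the same account. The role slug store_manager, its capability set, the example_ function names and the user id in the WP-CLI call are illustrative choices; WooCommerce’s real Shop Manager role is configured differently.

```php
<?php
/**
 * Added example: custom role plus a side-by-side comparison of a role-name
 * check and a capability check. Drop into a WPCode snippet or a child
 * theme's functions.php. All names here are illustrative.
 */

// Register once. add_role() stores the role in the database and returns
// null when the role already exists, so calling it on every load is safe.
add_action( 'init', 'example_register_store_manager_role' );
function example_register_store_manager_role() {
    add_role(
        'store_manager',
        'Store Manager',
        array(
            'read'              => true,
            'edit_posts'        => true,
            'edit_others_posts' => true,
            'publish_posts'     => true,
            'upload_files'      => true,
            'manage_options'    => true, // settings access, as an Administrator has
            // Deliberately no install_plugins, switch_themes or edit_users:
            // this role runs the store, not the platform.
        )
    );
}

// The fragile test: a role-name check. It passes only for accounts whose
// role is literally 'administrator' and denies a Store Manager who holds
// manage_options on purpose.
function example_settings_access_by_role( WP_User $user ) {
    return in_array( 'administrator', (array) $user->roles, true );
}

// The robust test: a capability check. It passes for Administrators, Super
// Admins and any custom role that carries manage_options, whatever it is
// called.
function example_settings_access_by_capability( WP_User $user ) {
    return user_can( $user, 'manage_options' );
}

/**
 * Return both answers for one account so they can be compared, e.g. with
 * WP-CLI:  wp eval 'print_r( example_compare_access_checks( 5 ) );'
 * (5 is assumed to be the id of a user in the store_manager role).
 */
function example_compare_access_checks( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return null;
    }
    return array(
        'roles'         => $user->roles,
        'by_role_name'  => example_settings_access_by_role( $user ),
        'by_capability' => example_settings_access_by_capability( $user ),
    );
}

// Decide access by capability wherever access is decided. Here the settings
// page is reachable by anyone with manage_options, Store Managers included.
add_action( 'admin_menu', function () {
    add_options_page(
        'Store Settings',
        'Store Settings',
        'manage_options',
        'store-settings',
        function () {
            echo '<div class="wrap"><h1>Store Settings</h1></div>';
        }
    );
} );
```

For a user in the store_manager role the two checks disagree: the role-name check denies access because the role is not called administrator, while the capability check grants it because the role carries manage_options. Every later snippet in this guide uses the capability form for that reason.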

Which Method Should You Use?

Do you need to redirect users to a specific page when they try to access the dashboard?
  • No: use Method 1 (built-in roles)
  • Yes, and you are comfortable with code: use Method 2 (custom code)
  • Yes, and you would rather not write code: use Method 3 (a plugin)

Quick Summary
  • Method 1: simple role changes, no redirects needed
  • Method 2: full control, membership sites, custom redirects
  • Method 3: easy setup, no coding, flexible options

Method One: Built-in Role Management Without Plugins or Code

The fastest approach requires no plugins, no code, and no technical knowledge. WordPress gives you two simple controls: what role new users receive by default, and what role existing users currently have.

How to Set the Default Role for New Registrations

When someone creates an account on your site, WordPress assigns them a role automatically. The setting lives in a place most people never check.

  1. Log in to your WordPress dashboard
  2. Go to Settings in the left sidebar
  3. Select General
  4. Scroll down to find “New User Default Role”
  5. Change this to Subscriber (or whatever role you want new users to have)
  6. Save your changes

This single change prevents new accounts from getting more access than necessary. On membership sites, e-commerce stores, and any site with public registration, this setting should always be Subscriber unless you have a specific reason to give new users more access.

How to Review and Adjust Existing User Accounts

Old accounts accumulate over time. The developer who helped you three years ago might still have admin access. The marketing agency you stopped working with might still have editor credentials. The friend who said they’d write some blog posts but never did might still have author permissions. Each of these accounts might still have access they no longer need.

  1. Go to Users in the left sidebar
  2. Select All Users
  3. Look at the Role column for each account
  4. Click the username of any account that needs adjustment
  5. Scroll down to the Role dropdown
  6. Select the appropriate role
  7. Click Update User

Schedule this review quarterly. People change roles, projects end, relationships shift. Access that made sense in January might not make sense in July.
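Clicking through the Users screen works on a small site, but on a site with hundreds of accounts the quarterly review goes faster with a report. The following is an added example, not code from the original article: it lists every account that holds one of the capabilities that matter for dashboard control, along with its roles and registration date, and warns if the New User Default Role is anything other than Subscriber. The capability list, the function names and the WP-CLI invocation are illustrative choices; it reads only, and writes nothing.

```php
<?php
/**
 * Added example: quarterly access-review report. Run from a WPCode snippet,
 * a child theme, or WP-CLI with  wp eval-file access-review.php
 * The reviewed capability list is the author's choice, not a WordPress default.
 */

// Capabilities worth a human look: site settings, plugin installation,
// user management, and editing other people's content.
function access_review_capabilities() {
    return array( 'manage_options', 'install_plugins', 'edit_users', 'edit_others_posts' );
}

/**
 * One row per user who holds at least one reviewed capability. The test is
 * user_can(), so roles created by plugins are covered even when their names
 * say nothing about what they grant.
 */
function access_review_report() {
    $rows = array();
    foreach ( get_users() as $user ) {   // all users of the current site
        $held = array();
        foreach ( access_review_capabilities() as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
        }
        if ( empty( $held ) ) {
            continue;                     // ordinary Subscriber or Author: skip
        }
        $rows[] = array(
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'roles'      => implode( ',', $user->roles ),
            'caps'       => implode( ',', $held ),
            'registered' => $user->user_registered,   // old dates deserve a second look
        );
    }
    return $rows;
}

/**
 * The New User Default Role as stored in wp_options. Anything other than
 * 'subscriber' on a site with open registration is worth questioning.
 */
function access_review_default_role_warning() {
    $role = get_option( 'default_role' );
    if ( 'subscriber' === $role ) {
        return null;
    }
    return sprintf( 'New User Default Role is "%s", not subscriber', $role );
}

// Under WP-CLI, print the findings as a table; elsewhere the functions are
// simply available to call.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $warning = access_review_default_role_warning();
    if ( $warning ) {
        WP_CLI::warning( $warning );
    }
    \WP_CLI\Utils\format_items(
        'table',
        access_review_report(),
        array( 'login', 'email', 'roles', 'caps', 'registered' )
    );
}
```

Work down the list asking, for each row, whether that person still needs that capability this quarter. Accounts whose registered date predates a finished project are the usual findings.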

When Built-in Roles Handle Everything You Need

Role management alone handles most straightforward situations. If your site has a few authors who write posts and an editor who reviews them, the default roles work perfectly. You don’t need plugins or code.

Role management falls short when you need to redirect users who try to access restricted areas, hide the admin toolbar from logged-in users on the frontend, or create custom roles with specific capability combinations. For those needs, move to Method Two or Method Three.

Quick Reference: Best Approach for Each Site Type

Membership Sites (Method 2 or 3)
  • Block all non-admins from wp-admin
  • Redirect to member dashboard
  • Hide admin toolbar on frontend
  Best tool: Remove Dashboard Access plugin or custom code

Multi-Author Blogs (Method 1)
  • Authors see only their own posts
  • Editors manage all content
  • Admins handle technical settings
  Best tool: built-in WordPress roles (no plugin needed)

Client Websites (Method 3)
  • Create limited admin role for clients
  • Remove theme and plugin access
  • Allow content updates only
  Best tool: User Role Editor plugin

WooCommerce Stores (built-in + Method 2)
  • Use WooCommerce’s built-in settings first
  • Customers redirect to My Account
  • Add code if theme causes conflicts
  Best tool: WooCommerce Accounts & Privacy settings

Method Two: Custom Code That Restricts Dashboard Access

Code solutions work well for membership sites, online courses, and any platform where regular users shouldn’t see the WordPress backend at all. Instead of an error message, code can redirect restricted users to a page you choose, like a member portal, account page, or homepage.

The Safe Way to Add Custom Code to WordPress

Never add code directly to your active parent theme’s functions.php file. Theme updates overwrite the file and delete your changes, and a syntax error takes the whole site down with no easy way back in.

Two safer options exist.

Use a Code Snippets Plugin

The WPCode plugin (formerly Insert Headers and Footers) provides a safe environment for custom code. It survives theme updates, checks for errors before activation, and lets you disable code easily if something goes wrong.

  1. Go to Plugins then Add New
  2. Search for “WPCode”
  3. Install and activate the plugin
  4. Go to Code Snippets then Add Snippet
  5. Select “Add Your Custom Code (New Snippet)”
  6. Paste your code
  7. Set the code type to PHP
  8. Toggle the snippet to Active
  9. Save

Use a Child Theme

If you understand child themes, add code to your child theme’s functions.php file. The parent theme can update without any effect on your customizations. This approach requires more technical knowledge but keeps everything in theme files.

The Code That Redirects Non-Administrators to Your Homepage

add_action('admin_init', 'redirect_non_admin_users', 1);
function redirect_non_admin_users() {
    // Check a capability, not a role name, and skip admin-ajax.php requests,
    // which also run admin_init.
    if (!current_user_can('manage_options') && !(defined('DOING_AJAX') && DOING_AJAX)) {
        wp_safe_redirect(home_url());
        exit; // stop before any admin screen renders
    }
}

This code performs four specific functions.

First, it hooks into admin_init, which fires on every wp-admin request after WordPress has loaded but before any screen renders. Restricted users are redirected before they see any dashboard content. Note that admin-ajax.php and admin-post.php also run admin_init, which is why the exception in the third point matters.

Second, it checks the manage_options capability rather than a specific role name. Only Administrators and Super Admins have this capability by default. This approach handles custom roles correctly.

Third, it makes an exception for AJAX requests. Many frontend features, such as contact forms, live search, and dynamic content, post to admin-ajax.php. Without this exception, those requests would receive a redirect instead of a response and the features would break.

Fourth, it uses wp_safe_redirect() instead of wp_redirect(). The safe version validates the destination against your own site’s host (plus any hosts added through the allowed_redirect_hosts filter), which prevents open-redirect abuse. The flip side: if the destination is not on an allowed host, WordPress substitutes admin_url(), and a rule that runs on admin_init then sends the browser around in a loop. Keep the redirect target on your own domain.

How to Send Users to a Custom Page Instead of the Homepage

Change home_url() to any page on your own site. Pass the path to home_url() rather than hard-coding the domain, so the target stays on a host that wp_safe_redirect() accepts and keeps working after a domain change or on a staging copy:

add_action('admin_init', 'redirect_non_admin_users', 1);
function redirect_non_admin_users() {
    if (!current_user_can('manage_options') && !(defined('DOING_AJAX') && DOING_AJAX)) {
        // Same-host destination; an off-site URL would be rejected by
        // wp_safe_redirect() and replaced with admin_url(), causing a loop.
        wp_safe_redirect(home_url('/members-area/'));
        exit;
    }
}

Membership sites typically redirect to a member dashboard. E-commerce stores redirect to the account page. Course platforms redirect to the student portal. Pick whatever destination makes sense for your users.

How to Allow Editors Access While You Block Everyone Else

Adjust the capability check to edit_others_posts, which Editors, Administrators, and Super Admins all have:

add_action('admin_init', 'redirect_non_editor_users', 1);
function redirect_non_editor_users() {
    if (!current_user_can('edit_others_posts') && !(defined('DOING_AJAX') && DOING_AJAX)) {
        wp_safe_redirect(home_url());
        exit;
    }
}

How to Hide the Admin Toolbar from Restricted Users

The WordPress admin bar appears at the top of every page for logged-in users. Even if you block dashboard access, users still see this bar unless you hide it:

add_action('after_setup_theme', 'hide_admin_bar_for_restricted_users');
function hide_admin_bar_for_restricted_users() {
    if (!current_user_can('edit_posts')) {
        show_admin_bar(false);
    }
}

This hides the toolbar from anyone who can’t edit posts, which includes Subscribers and custom roles without that capability.
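The four snippets above each cover one concern. Here is an added example, not the article’s own code, that combines them into a single routine and adds the exceptions a live site needs: admin-post.php is left alone alongside admin-ajax.php, restricted users keep their own profile screen, the redirect target is built with home_url() so wp_safe_redirect() accepts it, and a constant you can define in wp-config.php switches the rule off if it ever locks out the wrong people. The function names, the DASHBOARD_* constants and the /members-area/ path are illustrative choices.

```php
<?php
/**
 * Added example: one dashboard-restriction routine with the exceptions a
 * production site needs. Works from a WPCode snippet or a child theme.
 * Constant and function names are illustrative.
 */

// Capability that unlocks wp-admin. 'edit_others_posts' admits Editors and
// above; 'manage_options' would admit Administrators only.
if ( ! defined( 'DASHBOARD_ACCESS_CAP' ) ) {
    define( 'DASHBOARD_ACCESS_CAP', 'edit_others_posts' );
}

// Landing path for restricted users. Kept on this site's own host so that
// wp_safe_redirect() accepts it; an off-site URL would be rejected and
// replaced by admin_url(), producing a redirect loop.
if ( ! defined( 'DASHBOARD_REDIRECT_PATH' ) ) {
    define( 'DASHBOARD_REDIRECT_PATH', '/members-area/' );
}

/**
 * Decide whether this admin request should be bounced. Free of side effects,
 * so it can be exercised without actually redirecting.
 */
function dashboard_should_redirect() {
    // Kill switch: define( 'DASHBOARD_REDIRECT_OFF', true ) in wp-config.php
    // restores access from the file system without touching this snippet.
    if ( defined( 'DASHBOARD_REDIRECT_OFF' ) && DASHBOARD_REDIRECT_OFF ) {
        return false;
    }
    // wp_doing_ajax() wraps the same DOING_AJAX test used above.
    if ( wp_doing_ajax() ) {
        return false;
    }
    global $pagenow;
    // admin-post.php also runs admin_init but carries frontend form
    // submissions; redirecting it would swallow those posts.
    if ( 'admin-post.php' === $pagenow ) {
        return false;
    }
    // Let users reach their own profile for password changes and 2FA setup.
    // Remove this branch to block the profile screen as well.
    if ( 'profile.php' === $pagenow ) {
        return false;
    }
    return ! current_user_can( DASHBOARD_ACCESS_CAP );
}

add_action( 'admin_init', 'dashboard_redirect_restricted_users', 1 );
function dashboard_redirect_restricted_users() {
    if ( dashboard_should_redirect() ) {
        wp_safe_redirect( home_url( DASHBOARD_REDIRECT_PATH ) );
        exit;
    }
}

// Hide the toolbar for the same users so they never see a Dashboard link
// that only bounces them back. The show_admin_bar filter runs after the
// current user is known, which makes it more robust than after_setup_theme.
add_filter( 'show_admin_bar', 'dashboard_toolbar_for_allowed_users_only' );
function dashboard_toolbar_for_allowed_users_only( $show ) {
    return current_user_can( DASHBOARD_ACCESS_CAP ) ? $show : false;
}
```

Because the decision lives in dashboard_should_redirect() and the redirect in a separate function, you can change the policy (a different capability, no profile exception) without touching the part that performs the redirect, and you can test the policy from WP-CLI or a test account before it goes live.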

Method Three: Plugins That Give You Flexible Access Control

Plugins provide the easiest solution for beginners and offer features that would require significant custom code to replicate. The trade-off is dependency on a third-party developer for updates and compatibility.

The Remove Dashboard Access Plugin and How to Set It Up

The Remove Dashboard Access plugin has 30,000+ active installations and maintains a 4.6-star rating. TrustedLogin has maintained the plugin since April 2022, with the most recent update in November 2024 that confirmed compatibility with WordPress 6.7.

Installation:

  1. Go to Plugins then Add New
  2. Search for “Remove Dashboard Access”
  3. Find the plugin by TrustedLogin (formerly Drew Jaynes)
  4. Install and activate

Configuration:

  1. Go to Settings then Dashboard Access
  2. Under “Dashboard User Access,” choose who can access the dashboard:
    • Administrators only
    • Editors and Administrators
    • Authors, Editors, and Administrators
    • Or specify a custom capability
  3. Enter a Redirect URL where restricted users land when they try to access the dashboard
  4. Decide whether to allow profile access so users can edit their own profile but nothing else
  5. Optionally add a login screen message that explains the access restriction
  6. Save your settings

The plugin handles AJAX exceptions automatically, so frontend features continue to work without additional configuration.

Alternative Plugins for Different Needs

User Role Editor has over 700,000 active installations and provides comprehensive role management. You can modify default roles, create entirely new roles, and assign capabilities individually. Use this plugin when the built-in roles don’t match your needs, for example, if you want Authors to publish pages in addition to posts.

Members maintains a 4.9-star rating with 300,000+ active installations. Beyond role editing, Members handles content permissions, so you can restrict specific posts or pages to specific roles. This works well for membership sites where different membership levels access different content.

PublishPress Capabilities adds controls specific to the block editor. If you need to restrict which blocks authors can use or which settings they can access in Gutenberg, this plugin fills that gap.

WooCommerce Stores Have Specific Requirements for Customer Access

WooCommerce adds two roles to your site: Customer and Shop Manager. The Customer role gets assigned automatically to anyone who creates an account during checkout.

The Built-in WooCommerce Setting for Dashboard Access

WooCommerce ships with its own dashboard restriction, and in current versions it is on by default rather than a checkbox you tick: a logged-in user who lacks the edit_posts or manage_woocommerce capability is sent away from wp-admin, with admin-ajax.php and admin-post.php requests exempted. Older versions exposed this as “Prevent customers from accessing WordPress admin” on the Accounts tab, now called Accounts & Privacy. To confirm the behavior on your store:

  1. Go to WooCommerce then Settings
  2. Select the Accounts & Privacy tab and review the account-related settings
  3. Log in as a test Customer and visit /wp-admin/

When this works correctly, Customers who try to visit /wp-admin/ get redirected to the My Account page instead.

What to Do When WooCommerce Customers Still Reach the Dashboard

Some themes and plugins override WooCommerce’s default behavior, usually by returning false from the woocommerce_prevent_admin_access filter or by redirecting earlier in the request. If customers reach the dashboard despite the WooCommerce default:

  1. Check for plugins that modify user access or redirects; searching wp-content for the string woocommerce_prevent_admin_access finds anything that changes WooCommerce’s decision
  2. Test with a default theme like Twenty Twenty-Four to isolate theme conflicts
  3. Use the code method as a backup:

add_action('admin_init', 'redirect_woocommerce_customers', 1);
function redirect_woocommerce_customers() {
    // wc_get_page_permalink() only exists while WooCommerce is active.
    if (!function_exists('wc_get_page_permalink')) {
        return;
    }
    // 'customer' is a role name used as a capability: WordPress grants every
    // user a capability named after each role they hold.
    if (current_user_can('customer') && !current_user_can('edit_posts') && !(defined('DOING_AJAX') && DOING_AJAX)) {
        wp_safe_redirect(wc_get_page_permalink('myaccount'));
        exit;
    }
}

This sends Customers specifically to the WooCommerce My Account page, which handles orders, downloads, addresses, and account settings in a frontend interface.

Security Measures That Work Alongside Dashboard Access Control

Access control is one layer of protection. These additional measures strengthen your overall security posture.

Two-Factor Authentication Stops Attacks That Use Stolen Passwords

WeWatchYourWebsite’s latest data reveals that most attacks used stolen credentials rather than software vulnerabilities. Two-factor authentication (2FA) requires both a password and a temporary code from an app or device, which makes stolen passwords useless.

Recommended plugins for 2FA include WP 2FA by Melapress, which supports TOTP apps, email codes, and passkeys. Wordfence Login Security provides TOTP and reCAPTCHA protection. Solid Security offers multiple 2FA methods plus passwordless login options.

Apply 2FA to all Administrator and Editor accounts at minimum.

wp-config.php Settings That Add Another Layer of Protection

Add these lines to your wp-config.php file (in your WordPress root directory) for extra security:

define('DISALLOW_FILE_EDIT', true);

This removes the Theme Editor and Plugin Editor from the dashboard. Even Administrators can’t edit code through those screens after you add this line; changes then require SFTP or your host’s file manager. Note that the constant only disables the built-in editors: a code snippets plugin such as WPCode still runs PHP stored in the database, so an Administrator account can still execute code. That is one more reason to keep the Administrator role to one or two people.

define('FORCE_SSL_ADMIN', true);

This forces HTTPS for the login page and every dashboard request, so session cookies and form contents are never sent in the clear. If your whole site already runs on HTTPS, this acts as a safety net rather than a change.

Why You Need to Keep Plugins and Themes Updated

In 2024, Patchstack’s researchers and bug bounty hunters found 4,166 new security vulnerabilities in plugins, themes, or WordPress Core. Outdated plugins are one of the primary attack vectors for WordPress sites.

Set up automatic updates for minor WordPress releases and security patches. Review major updates on a staging site before you apply them to production.

Common Problems and How to Fix Them

What to Do If You Locked Yourself Out of the Dashboard

This happens when redirect code affects everyone, and that includes you. Three recovery methods exist.

Access files through SFTP or your hosting file manager:

  1. Connect to your site via SFTP (or FTP) or open File Manager in your hosting panel
  2. Go to wp-content/themes/your-active-theme/ (the child theme, if you used one)
  3. Open functions.php
  4. Remove or comment out the redirect code
  5. Save the file

If you used a code snippets plugin, go to wp-content/plugins/ and rename the plugin folder to disable it; WordPress deactivates any plugin whose folder it can no longer find. If you have shell access, WP-CLI’s wp plugin deactivate does the same without touching files.

Access the database through phpMyAdmin:

  1. Open phpMyAdmin from your hosting control panel
  2. Find the wp_options table (the wp_ prefix may be different on your site)
  3. Locate the row whose option_name is “active_plugins”
  4. Edit option_value to remove the problematic plugin

The value is a PHP-serialized array, so removing one entry also means correcting the element count and string lengths; a malformed value can leave every plugin inactive. This method requires database knowledge and carries risk if done incorrectly, so prefer the folder rename when you can.

Use WordPress recovery mode:

When a plugin or theme throws a fatal error, WordPress (5.2 and later) emails the site administrator a recovery link that grants temporary access to pause the offending code. A redirect loop is not a fatal error, so this method only helps if your snippet actually crashed PHP.

What to Do If Frontend Features Stopped After You Added Redirect Code

The likely cause is a missing AJAX exception. WordPress uses AJAX for contact forms, live search, infinite scroll, and many other frontend features.

Confirm your code includes this condition:

!(defined('DOING_AJAX') && DOING_AJAX)

Without this check, AJAX requests get redirected, which breaks frontend functionality.

What to Do If Multiple Access Control Plugins Create Conflicts

If you run multiple plugins that control the same functionality, you get unpredictable behavior. Symptoms include redirects that don’t work, unexpected access grants, or error messages.

Test this: deactivate all access-related plugins, then activate them one at a time. Identify which combination causes the conflict, then choose one primary solution rather than layered multiple approaches.

Practical Scenarios and the Best Approach for Each

Membership Sites

Block all non-admin users from wp-admin entirely. Redirect them to a member dashboard on the frontend. Hide the admin toolbar. Use the code method or Remove Dashboard Access plugin.

Multi-Author Blogs

Use built-in roles. Authors see only their own posts. Editors manage all content. Administrators handle technical settings. Add PublishPress Capabilities if you need to restrict categories or block types.

Client Websites

Create limited access for clients with a plugin like User Role Editor. Remove access to theme settings, plugin management, and site configuration. Let clients update content without any risk to site stability.

WooCommerce Stores

Start with WooCommerce’s built-in customer access settings. Test thoroughly with a customer account. Add code or plugins only if the built-in settings don’t work correctly with your theme.

The Best Approach Depends on Your Specific Situation

Simple blogs with few users need only built-in role management. Membership sites and course platforms benefit from code-based redirects. Agency-managed client sites work best with specialized plugins.

Whatever approach you choose, test it thoroughly. Create a test account with restricted permissions and verify the experience matches your expectations. Try to access the dashboard directly through /wp-admin/. Check that frontend features still work. Confirm the redirect destination makes sense for your users.

Security and user experience work together here. Your restricted users should land somewhere helpful rather than see an error. Your administrative users should access everything they need without friction. The methods in this guide achieve both goals when you implement them thoughtfully.

Frequently Asked Questions About WordPress Dashboard Access

Get answers to common questions about controlling who can access your WordPress backend

What are the six default WordPress user roles?


WordPress includes six pre-defined roles: Super Admin (multisite only), Administrator, Editor, Author, Contributor, and Subscriber. Each role has different capabilities. Administrators have full site control, Editors manage all content, Authors control their own posts, Contributors write but can’t publish, and Subscribers can only read content and manage their profile.

Why is dashboard access control important for security?


Approximately 13,000 WordPress sites are hacked daily, with most attacks using stolen credentials rather than software vulnerabilities. Every user account with dashboard access represents a potential entry point. Old contractor accounts, former team members, or users with excessive permissions create unnecessary security risks that proper access control prevents.

What’s the difference between roles and capabilities in WordPress?


A role is a collection of capabilities, and a capability is a single permission like “edit_posts” or “manage_options.” When checking user access, WordPress verifies whether their role includes specific capabilities. Best practice is to check capabilities rather than role names, as this correctly handles custom roles created by plugins.

How do I change the default role for new user registrations?


Go to Settings > General in your WordPress dashboard and scroll down to find “New User Default Role.” Change this to Subscriber (or your preferred role) and save. This prevents new accounts from getting more access than necessary, which is especially important for membership sites and e-commerce stores with public registration.

What’s the safest way to add custom access control code to WordPress?


Never add code directly to your theme’s functions.php file since theme updates will delete your changes. Instead, use a code snippets plugin like WPCode, which survives theme updates, checks for errors before activation, and lets you disable code easily. Alternatively, use a child theme’s functions.php file for persistent customizations.

Why do some frontend features break after adding dashboard redirect code?


This usually happens when the redirect code lacks an AJAX exception. WordPress uses AJAX for contact forms, live search, and dynamic content. Your code must include the condition: !(defined('DOING_AJAX') && DOING_AJAX). Without this check, AJAX requests get redirected, breaking frontend functionality.

Which plugin is best for restricting dashboard access?


Remove Dashboard Access by TrustedLogin is ideal for simple redirects with 30,000+ active installations. User Role Editor (700,000+ installations) works best for creating custom roles. Members (300,000+ installations) excels at content permissions for membership sites. Choose based on your specific needs: redirects, role customization, or content restrictions.

How do I hide the admin toolbar from restricted users?


Add code that calls show_admin_bar(false) for users who lack certain capabilities. A common approach checks if the user can edit posts: if (!current_user_can('edit_posts')) { show_admin_bar(false); }. This hides the toolbar from Subscribers and custom roles without editing permissions while keeping it visible for content creators.

What should I do if WooCommerce customers can still access the dashboard?


First check WooCommerce > Settings > Accounts & Privacy for built-in access settings. If customers still reach the dashboard, test with a default theme to identify conflicts. You can add custom code that specifically targets the Customer role and redirects them to the My Account page using wc_get_page_permalink('myaccount').

How do I recover if I accidentally locked myself out of the dashboard?


Access your files through FTP or hosting file manager and either remove the redirect code from functions.php or rename the problematic plugin folder to disable it. Alternatively, use phpMyAdmin to edit the wp_options table and remove the plugin from active_plugins. WordPress recovery mode may also email you a temporary access link if it detected a fatal error.

Should I use two-factor authentication alongside access control?


Absolutely. Since most WordPress attacks use stolen credentials rather than exploiting vulnerabilities, two-factor authentication (2FA) makes stolen passwords useless. Recommended plugins include WP 2FA by Melapress and Wordfence Login Security. Apply 2FA to all Administrator and Editor accounts at minimum for optimal protection.

How often should I review user access on my WordPress site?


Schedule user access reviews quarterly. People change roles, projects end, and relationships shift. Access that made sense months ago might no longer be appropriate. Check for old contractor accounts, former team members, and users with more permissions than they need. Go to Users > All Users and review the Role column for each account.