Restricting Access to the WordPress Admin Area

To restrict access to the WordPress admin area, you can use a combination of user role management, plugins, IP address restrictions, and custom code. The most common and effective methods include:

1. User Role Management:
   Assign appropriate user roles to limit access. For example, only users with the Administrator role should have full admin access, while others can be assigned roles like Editor, Author, Contributor, or Subscriber, which have progressively fewer privileges and limited or no dashboard access.

2. Plugins for Restricting Admin Access:

   • Controlled Admin Access: Allows you to create temporary limited admin accounts with access only to selected admin pages and set expiration times for these accounts.
   • Remove Dashboard Access: Lets you restrict dashboard access by user roles and redirect unauthorized users to a different URL.
   • Shield Security PRO: Adds an extra layer of admin access control, including two-factor authentication and admin access pins, enhancing security beyond basic restrictions.

3. Restrict Access by IP Address:
   You can restrict access to the wp-admin area by allowing only specific IP addresses via the .htaccess file on Apache servers. This method is highly secure but requires a static IP or a known range of IPs to avoid locking yourself out.

4. Custom PHP Code:
   Adding code to your theme’s functions.php file can redirect non-administrators away from the admin area, effectively blocking their access to the backend. Example code snippet:

   add_action( 'init', 'blockusers_init' );
   function blockusers_init() {
       if ( is_admin() && ! current_user_can( 'administrator' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
           wp_redirect( home_url() );
           exit;
       }
   }
   

5. Additional Security Measures:

   • Password-protect the wp-admin directory for an extra authentication layer.
   • Use two-factor authentication plugins to secure login.
   • Automatically log out idle users to prevent unauthorized access if a session is left open.

These methods can be combined depending on your security needs. For example, use role management for basic access control, add a plugin for fine-grained restrictions, and enforce IP restrictions or password protection for sensitive environments.

If you want a simple start, assigning correct user roles and installing a plugin like Remove Dashboard Access or Controlled Admin Access is recommended. For advanced security, consider IP restrictions and two-factor authentication.