How To Prevent “Normal Users” From Accessing /wp-admin/

For some installations of WordPress you might want to prevent “normal users” (non-admins) from getting access to the /wp-admin/ directory… For example in a BuddyPress or BuddyBoss installation.

There’s no reason for them to be there, and so for added security, it’s best not to give them access.

But how do you do it?

Well, thankfully it’s pretty easy & I came up with this function today, which you just need to add to your theme’s functions.php file:

// Function to redirect normal users away from default profile pages
// (changed from admin_head to admin_init for redirect to work)
// (added ajax load check to prevent it from breaking activity feeds)
function redirect_default_profile_pages() {
    // Super admins keep access; the check lives inside the callback so the
    // current user is already resolved when admin_init fires.
    if ( is_super_admin() ) {
        return;
    }
    // Let AJAX requests through (e.g. activity feed loads). Note the parentheses:
    // the comparison must apply to the header value, not to its negation.
    if ( ! isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) || strtolower( $_SERVER['HTTP_X_REQUESTED_WITH'] ) !== 'xmlhttprequest' ) {
        header( "Location: /" );
        exit; // stop before any of the admin page is rendered
    }
}
add_action( 'admin_init', 'redirect_default_profile_pages', 15 );

The function will only be run if the user isn’t a super admin, and it’ll simply redirect them away from any admin pages back to the root of your website.

Now, there are a couple of other similar snippets on the web which will do the trick as well – but none of them also cater for AJAX requests like mine does above.

You see, plugins like BuddyPress/BuddyBoss need user-level access to admin pages to pull the activity data for the feeds… So if you added one of the other available snippets, your feeds would all stop working.

My code above checks whether the admin page is being requested via an AJAX call and, if it is, lets the request through so the feeds keep working.
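For reference, here is a variant of the same idea written from scratch for this page (it is an added example, not the post’s snippet). It uses WordPress’s own AJAX detection (`wp_doing_ajax()`, which reads the `DOING_AJAX` constant) instead of the client-supplied `X-Requested-With` header, and a capability check instead of `is_super_admin()` so it also behaves on single-site installs. One caveat worth keeping in mind with either version: a request header is set by the client, so the redirect is a convenience that keeps ordinary users out of a UI they don’t need, not an access control; the capability checks WordPress performs on each admin action remain the real boundary. The capability `manage_options` and the function name are assumptions chosen for this example; adjust them to your site.

```php
// Added example for this page, not the original post's code. Paste into the
// theme's functions.php. Assumption: "normal user" = lacks 'manage_options'.

function example_redirect_normal_users_from_admin() {
    // WordPress's own AJAX detection (DOING_AJAX), so BuddyPress/BuddyBoss feed
    // loads via admin-ajax.php are not redirected.
    if ( wp_doing_ajax() ) {
        return;
    }

    // admin-post.php also fires admin_init; front-end form handlers posted there
    // should keep working for logged-in users, so it is allowed through as well.
    if ( isset( $GLOBALS['pagenow'] ) && 'admin-post.php' === $GLOBALS['pagenow'] ) {
        return;
    }

    // Capability check instead of is_super_admin(): meaningful on single-site too.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Safe redirect to the site's front page, then stop before any admin HTML.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'admin_init', 'example_redirect_normal_users_from_admin', 15 );

// Hide the toolbar for the same users so there is no visible link into /wp-admin/.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( 'manage_options' ) ? $show : false;
} );
```

If your site uses other admin entry points (custom admin pages opened by a plugin for subscribers, for instance), add them to the early-return list the same way as `admin-post.php`; the redirect should only ever remove a UI, never replace a capability check.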

Simple enough.
