Advanced WordPress Customization: Restricting User Access, Hiding Admin Features, and Securing Your Website
WordPress is the world’s most popular content management system (CMS), powering millions of websites across the globe. One of the main reasons behind its popularity is the ability to customize user roles, permissions, and the admin dashboard. By tweaking user access and restricting unnecessary features, you can create a more secure, streamlined, and professional experience for both administrators and contributors.
In this article, we will go through a practical example of WordPress customization code that modifies the way users interact with the WordPress admin dashboard. We will explain the functions step by step, why they are necessary, and how they improve both security and usability.
If you’re running a multi-author blog, a membership website, or any platform where different users log in with different roles, this guide will help you take control of user permissions and enhance security.
Why Do We Need to Restrict User Access in WordPress?
By default, WordPress assigns certain capabilities to each role:
- Administrator: Full control over the site
- Editor: Can publish and manage posts by all users
- Author: Can publish and manage their own posts
- Contributor: Can write and edit their own posts but cannot publish
- Subscriber: Can only manage their profile
While this system is functional, in practice, it is not strict enough for many websites. Authors might see other users’ posts, contributors might attempt to access admin features they don’t need, and subscribers could get confused by the WordPress admin bar.
Moreover, if you’re using page builders like Elementor, some roles might gain access to sensitive templates that they shouldn’t be allowed to edit.
The code we are about to explore solves these problems by:
- Hiding unnecessary features for subscribers
- Restricting publishing rights to administrators and editors only
- Preventing non-admins from editing administrator posts
- Customizing the admin color scheme for better UX
- Restricting access to Elementor templates
- Controlling media library visibility
You can put this code in your theme’s functions.php file or, better, create a custom plugin so it survives theme updates.
Step-by-Step Breakdown of the Custom Code
Let’s now go through each function included in the customization script and understand what it does.
1. Custom Login Logo
function custom_login_logo_url() {
    return 'https://www.shivapaswan.com.np'; // The logo links to your own site instead of wordpress.org
}
add_filter('login_headerurl', 'custom_login_logo_url');

function custom_login_logo() {
    ?>
    <style type="text/css">
        /* Change the login logo */
        #login h1 a {
            /* content_url() builds an absolute URL, so this also works when WordPress is not installed at the domain root */
            background-image: url('<?php echo esc_url(content_url('/uploads/2025/01/Shiva_Blog_Logo.png')); ?>');
            width: 320px; /* Adjust the width of the logo */
            height: 80px; /* Adjust the height of the logo */
            background-size: contain;
            background-repeat: no-repeat;
            margin-bottom: 20px;
        }
    </style>
    <?php
}
add_action('login_enqueue_scripts', 'custom_login_logo');
This snippet loads a custom logo on the WordPress login page and points the logo link at your own site. By default, WordPress shows its own logo, but replacing it with your brand logo creates a more professional experience for your users.
The CSS inside custom_login_logo() does the actual work: replace the image path with your own logo file and adjust the width and height to match its dimensions.
2. Hide Admin Bar for Subscribers
function hide_admin_bar_for_subscribers() {
    // current_user_can() also accepts a role name, so this matches users who hold the subscriber role
    if (current_user_can('subscriber')) {
        add_filter('show_admin_bar', '__return_false');
    }
}
add_action('init', 'hide_admin_bar_for_subscribers');
The WordPress admin bar (top black bar) is unnecessary for subscribers. This code removes the admin bar for all users who only have the subscriber role, making their experience cleaner and preventing confusion.
3. Remove WordPress Logo from Admin Bar
function remove_wp_logo_from_admin_bar($wp_admin_bar) {
    $wp_admin_bar->remove_node('wp-logo'); // 'wp-logo' is the node ID of the WordPress logo menu
}
// Priority 999 runs after core has added its own nodes
add_action('admin_bar_menu', 'remove_wp_logo_from_admin_bar', 999);
The default WordPress logo in the admin bar is a link to WordPress.org resources. Many site owners prefer to remove this logo to keep the admin area clean and fully branded.
4. Restrict Publishing Permissions
function restrict_publish_permissions() {
    // Role capabilities are stored in the database, so every add_cap()/remove_cap()
    // call persists. The has_cap() guards avoid rewriting the option on each request.
    $roles = ['author', 'contributor'];
    foreach ($roles as $role_name) {
        $role = get_role($role_name);
        if ($role && $role->has_cap('publish_posts')) {
            $role->remove_cap('publish_posts');
        }
    }
    $roles = ['editor', 'administrator'];
    foreach ($roles as $role_name) {
        $role = get_role($role_name);
        if ($role && !$role->has_cap('publish_posts')) {
            $role->add_cap('publish_posts');
        }
    }
}
add_action('init', 'restrict_publish_permissions');
This function removes publishing rights from authors and contributors. Instead, only editors and administrators can publish posts.
- Authors/Contributors → Can write drafts only
- Editors/Admins → Can review and publish
This is especially useful for websites that need editorial review before content goes live.
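Because role capability changes are written to the database, they only need to run once. The following is an added example (not code from the original article) of doing that from the custom plugin the article recommends: it strips publish_posts on activation, restores it on deactivation, and exposes a helper for checking the result. The plugin name, the epr_ prefix and the option name are assumptions chosen here.

```php
<?php
/*
Plugin Name: Editorial Publishing Restrictions (example)
*/

// Roles to strip of publish_posts; these match the roles used in the article.
const EPR_RESTRICTED_ROLES = ['author', 'contributor'];

// Runs once, on activation. Role capabilities live in the wp_user_roles
// option, so there is no need to repeat this on every request.
function epr_activate() {
    $changed = [];
    foreach (EPR_RESTRICTED_ROLES as $role_name) {
        $role = get_role($role_name);
        // Only record roles that actually had the capability (contributors never do),
        // so deactivation restores the previous state instead of granting new rights.
        if ($role && $role->has_cap('publish_posts')) {
            $role->remove_cap('publish_posts');
            $changed[] = $role_name;
        }
    }
    update_option('epr_changed_roles', $changed);
}
register_activation_hook(__FILE__, 'epr_activate');

// Puts publish_posts back on exactly the roles the activation step changed.
function epr_deactivate() {
    foreach ((array) get_option('epr_changed_roles', []) as $role_name) {
        $role = get_role($role_name);
        if ($role) {
            $role->add_cap('publish_posts');
        }
    }
    delete_option('epr_changed_roles');
}
register_deactivation_hook(__FILE__, 'epr_deactivate');

// Verification helper: returns role name => whether that role can publish.
// With WP-CLI installed (assumed) run:  wp eval 'print_r(epr_publish_matrix());'
function epr_publish_matrix() {
    $matrix = [];
    foreach (wp_roles()->role_objects as $name => $role) {
        $matrix[$name] = $role->has_cap('publish_posts');
    }
    return $matrix;
}
```

After activation the matrix should show true only for administrator and editor; if a plugin re-grants the capability later, the same helper will reveal it.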
5. Show Only User’s Own Posts
function filter_user_posts_only($query) {
    // Only touch the main admin list query, and only for users who hold the author role
    if (is_admin() && $query->is_main_query() && current_user_can('author')) {
        $query->set('author', get_current_user_id());
    }
}
add_action('pre_get_posts', 'filter_user_posts_only');
This function ensures that authors only see their own posts in the WordPress admin dashboard. Without this, authors can see drafts or posts written by others, even if they can’t edit them.
6. Custom Post Count Filter
function custom_filter_post_counts($counts, $type, $perm) {
    if (is_admin() && !current_user_can('edit_others_posts')) {
        global $wpdb;
        $user_id = get_current_user_id();
        // Count only the current user's posts of this type, grouped by status
        $query = $wpdb->prepare(
            "SELECT post_status, COUNT(*) AS num_posts
             FROM {$wpdb->posts}
             WHERE post_type = %s AND post_author = %d
             GROUP BY post_status",
            $type,
            $user_id
        );
        $results = $wpdb->get_results($query, ARRAY_A);
        // Start from every registered status so callers such as the posts list table
        // can read any status property without an undefined-property notice
        $filtered_counts = array_fill_keys(get_post_stati(), 0);
        foreach ($results as $row) {
            if (isset($row['post_status'], $row['num_posts'])) {
                $filtered_counts[$row['post_status']] = (int) $row['num_posts'];
            }
        }
        return (object) $filtered_counts;
    }
    return $counts;
}
add_filter('wp_count_posts', 'custom_filter_post_counts', 10, 3);
Normally, the post count widget in the dashboard shows total posts across all users. This function customizes it so that users only see the counts for their own posts, not others.
7. Restrict Post Views for Specific Roles
function restrict_user_posts_view($query) {
    if (is_admin() && $query->is_main_query()) {
        // Administrators keep the unfiltered view
        if (current_user_can('manage_options')) {
            return;
        }
        // content_writer is a custom role; add or remove role names to suit your site
        $allowed_roles = ['author', 'contributor', 'content_writer'];
        foreach ($allowed_roles as $role) {
            if (current_user_can($role)) {
                $query->set('author', get_current_user_id());
                return;
            }
        }
    }
}
add_action('pre_get_posts', 'restrict_user_posts_view');
This expands restrictions to additional roles such as content_writer. Only administrators can see all posts, while others only see their own.
8. Restrict Access to Admin Posts
function restrict_admin_posts_from_users($query) {
    if (is_admin() && $query->is_main_query() && !current_user_can('manage_options')) {
        // IDs of every administrator; their items are excluded from the list query
        $admin_ids = get_users(['role' => 'administrator', 'fields' => 'ID']);
        if (!empty($admin_ids)) {
            $query->set('author__not_in', $admin_ids);
        }
    }
}
add_action('pre_get_posts', 'restrict_admin_posts_from_users');
This prevents non-admins from even viewing posts created by administrators in the admin list screens. It filters the list query rather than the capability check, so it hides those posts; the snippet in step 9 is what actually stops other users from editing them.
9. Prevent Editing Administrator Posts
function prevent_editing_admin_posts($caps, $cap, $user_id, $args) {
    // For edit_post and delete_post, map_meta_cap passes the post ID as $args[0]
    if (in_array($cap, ['edit_post', 'delete_post'], true) && !empty($args[0])) {
        $post = get_post($args[0]);
        if (!$post) {
            return $caps;
        }
        // Administrators keep their normal capabilities
        if (user_can($user_id, 'manage_options')) {
            return $caps;
        }
        // Posts written by an administrator are off limits to everyone else
        if (user_can($post->post_author, 'manage_options')) {
            return ['do_not_allow'];
        }
    }
    return $caps;
}
add_filter('map_meta_cap', 'prevent_editing_admin_posts', 10, 4);
This makes sure no one can edit or delete posts written by administrators except administrators themselves. Because it hooks map_meta_cap, the capability mapping that current_user_can() relies on, it applies wherever WordPress asks whether the user may edit the post, including direct post.php links, Quick Edit, and the REST API, rather than only hiding entries from a list.
10. Restrict Media Library Access
function restrict_admin_media_library($wp_query) {
    // Only the Media Library list query (post type 'attachment') is affected
    if (is_admin() && $wp_query->is_main_query()
        && $wp_query->get('post_type') === 'attachment'
        && !current_user_can('manage_options')) {
        $admin_ids = get_users(['role' => 'administrator', 'fields' => 'ID']);
        if (!empty($admin_ids)) {
            $wp_query->set('author__not_in', $admin_ids);
        }
    }
}
add_action('pre_get_posts', 'restrict_admin_media_library');
This restricts non-admins from seeing media uploaded by administrators.
11. Restrict Elementor Templates Access
function restrict_elementor_templates_access($caps, $cap, $user_id, $args) {
    $restricted_roles = ['editor', 'author', 'contributor'];
    $user = get_userdata($user_id);
    // Deny the capability outright when the user holds any of the restricted roles
    if ($user && array_intersect($restricted_roles, $user->roles)) {
        if ($cap === 'edit_elementor_library') {
            return ['do_not_allow'];
        }
    }
    return $caps;
}
add_filter('map_meta_cap', 'restrict_elementor_templates_access', 10, 4);
If you are using Elementor, this ensures that only administrators can edit templates, preventing editors or authors from modifying critical design elements.
12. Force Admin Color Scheme
function force_admin_color_scheme() {
    if (!current_user_can('manage_options')) {
        // Remove the colour scheme picker from the profile screen
        remove_action('admin_color_scheme_picker', 'admin_color_scheme_picker');
        $user_id = get_current_user_id();
        // Only write user meta when the stored value differs, to avoid a database write on every admin request
        if (get_user_meta($user_id, 'admin_color', true) !== 'midnight') {
            update_user_meta($user_id, 'admin_color', 'midnight');
        }
    }
}
add_action('admin_init', 'force_admin_color_scheme');
This forces all non-admins to use a specific admin color scheme (in this case, “Midnight”). It improves consistency and branding across the admin interface.
13. Hide Media Library from Non-Admins
function hide_media_library_from_users($query) {
    // Applies to the AJAX query behind the media modal and the Media Library grid view
    if (!current_user_can('manage_options')) {
        $query['author'] = get_current_user_id();
    }
    return $query;
}
add_filter('ajax_query_attachments_args', 'hide_media_library_from_users');
When users try to insert images into posts, this code ensures they only see their own uploaded media files.
14. Remove Website Field from Comments
function remove_comment_fields($fields) {
    // Drop the "Website" input from the comment form
    if (isset($fields['url'])) {
        unset($fields['url']);
    }
    return $fields;
}
add_filter('comment_form_default_fields', 'remove_comment_fields');
The “Website” field in WordPress comments is often exploited by spammers. Removing it makes your comment section cleaner and reduces spam.
Security Benefits of These Customizations
- Protects administrator content from being edited by lower roles
- Minimizes spam by removing the website field in comments
- Prevents accidental publishing by contributors or authors
- Reduces clutter in the admin dashboard
- Improves branding with custom login and color schemes
Best Practices and Improvements
- Always test changes on a staging site before applying to live.
- Use a child theme or a custom plugin for these snippets, so they are not lost during theme updates.
- Keep user roles simple and avoid assigning unnecessary permissions.
- Monitor your site’s activity logs to track any unauthorized access attempts.
Conclusion
Customizing WordPress roles, permissions, and the admin experience is one of the most effective ways to secure your website and improve usability for your users.
The code we reviewed hides unnecessary features, restricts sensitive content, and enforces editorial control, making your WordPress site safer, cleaner, and more professional.
If you are running a multi-author blog, business website, or educational portal, these tweaks will save you from errors, spam, and security risks.
By combining role management, dashboard cleanup, and media restrictions, you can transform WordPress into a tailored CMS that perfectly fits your needs.
Best Practices
- Use these snippets in a custom plugin or child theme.
- Test on a staging site before applying to live site.
- Use SEO plugins (Yoast, Rank Math) for optimization.
- Combine with a security plugin (Wordfence, iThemes Security).
- Regularly update WordPress, themes, and plugins.
Frequently Asked Questions (FAQ)
1. Can I apply this code to all WordPress sites?
Yes, but always test first. Some plugins may conflict.
2. Will this code slow down my website?
No, these are lightweight PHP functions.
3. Can I allow only certain users to access Elementor templates?
Yes, you can modify the roles inside the code to suit your needs.
4. Is it safe to edit functions.php?
Yes, but better practice is to create a custom plugin for these tweaks.
5. Can I hide other admin menu items?
Yes, using remove_menu_page() you can hide unnecessary menus.
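The menu hiding mentioned in this answer, paired with the check that actually keeps users off the screen, as an added example that is not code from the original article. The function names are my own; the slugs are the core screen file names WordPress uses as menu identifiers.

```php
// Hides the Tools and Comments menus from users who lack manage_options.
function example_hide_admin_menus() {
    if (current_user_can('manage_options')) {
        return;
    }
    remove_menu_page('tools.php');
    remove_menu_page('edit-comments.php');
}
// Priority 999 runs after core and plugins have registered their menus
add_action('admin_menu', 'example_hide_admin_menus', 999);

// remove_menu_page() only removes the link; the screen still loads if a user
// types /wp-admin/tools.php into the address bar. Reject those requests as well.
function example_block_hidden_screens() {
    global $pagenow; // set by WordPress to the current admin screen file name
    $blocked = ['tools.php', 'edit-comments.php'];
    if (!current_user_can('manage_options') && in_array($pagenow, $blocked, true)) {
        wp_die(
            esc_html__('You are not allowed to access this page.'),
            '',
            ['response' => 403]
        );
    }
}
add_action('admin_init', 'example_block_hidden_screens');
```

The same pattern applies to any menu you hide: the menu hook tidies the interface, while the capability check on admin_init is what enforces the restriction.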

