Remove Dashboard Access

The easiest and safest way to restrict access to your WordPress site’s Dashboard and administrative menus. Remove Dashboard Access is a lightweight plugin that automatically redirects users who shouldn’t have access to the Dashboard to a custom URL of your choosing. Redirects can also be configured on a per-role/per-capability basis, allowing you to keep certain users out of the Dashboard, while retaining access for others.

• Limit Dashboard access to user roles:
  • Admins only
  • Admins + editors
  • Admins, editors, and authors
  • or restrict by specific user capability
• Choose your own redirect URL
• Optionally allow users to edit their profiles
• Display a message on the login screen so users know why they’re being redirected
• Allow specific admin pages through the redirect — paste a list of URLs your customers should still be able to reach (with wildcard support for grouping related pages)
• Optionally extend the block to admin-ajax.php requests for stricter lockdown

Blocking access to the Dashboard is a great way to prevent clients from breaking their sites, prevent users from seeing things they shouldn’t, and to keep your site’s backend more secure.

Allow only users with roles or capabilities:

You can restrict Dashboard access to Admins only, Editors or above, Authors or above, or by selecting a specific user capability.

Grant access to user profiles:

Optionally allow all users the ability to edit their profiles in the Dashboard. Users lacking the chosen capability won’t be able to access any other sections of the Dashboard.

Show a custom login message:

• Supply a message to display on the login screen. Leaving this blank disables the message.

Allow specific admin pages through the redirect:

Sometimes you want to lock down the Dashboard but still let your customers reach one or two specific admin pages — a payment confirmation, a TrustedLogin secret-share screen, a custom report. Paste those URLs into the Allowed URLs box (one per line, relative or absolute), and matching requests will skip the redirect.

Use * as a wildcard inside a query value to match a whole group of pages at once. For example, ?page=tl-* allows tl-secrets, tl-config, and any other page whose slug starts with tl-.

Optionally block AJAX requests too:

By default this plugin doesn’t touch requests to admin-ajax.php — most WordPress sites rely on those for legitimate frontend AJAX. If you’d rather the dashboard restriction apply there as well, turn on the “Also block AJAX” checkbox in the Advanced section of the settings page.

Download from WordPress.org:

Latest version: https://downloads.wordpress.org/plugin/remove-dashboard-access-for-non-admins.1.3.1.zip

Changelog

1.3.1 on May 22, 2026

🐛 Fixed

• admin-post.php is now reachable as the 1.2.2 release notes promised. It had been quietly blocked despite the documentation saying it should be exempt.
• Two-step admin flows on allow-listed pages — like Wordfence Login Security’s 2FA OTP step — no longer get rejected just because the request carries extra query parameters.
• Translations from translate.wordpress.org will now actually load on your site. The plugin’s text domain didn’t match the WordPress.org slug, so community-submitted translations (including zh_TW) were silently being dropped. Thanks to Alex Lion (阿力獅) (@alexclassroom) for surfacing this and contributing the fix.
• A handful of strings that weren’t translatable before — most notably the screen-reader hint on the Login Message link — are now translatable.
• The uninstall script only runs when WordPress is actually uninstalling the plugin, not on stray requests to its file.

1.3.0 on May 22, 2026

🚀 Added

• Allowed URLs — A new textarea on the Dashboard Access settings page where you can paste any URLs that should skip the dashboard redirect, one per line. Useful for letting customers reach a specific admin page (like a payment confirmation or a TrustedLogin secret-share screen) without giving them the rest of the dashboard.
• Wildcards in Allowed URLs — Use * inside a query value to match a group of pages at once. For example, ?page=tl-* lets through tl-secrets, tl-config, and any other page slug that starts with tl-.
• Also block AJAX — A new checkbox in the Advanced section to extend the dashboard restriction to admin-ajax.php requests too. Most sites should leave this off; turn it on only if you know your AJAX endpoints rely on this plugin to keep them gated.
• Advanced section — The settings page now has two clear groups: the everyday Dashboard Access Controls at the top, and an Advanced section below for AJAX blocking and the Allowed URLs list. Easier to scan, less intimidating for new users.

✨ Improved

• The settings page now validates the capability values you save. A typo, empty value, or unknown capability can no longer be saved and silently disable the dashboard restriction.
• The disallowed-user redirect uses WordPress’s safer wp_safe_redirect(). Your configured redirect URL still works, including external destinations — but accidental redirects to other hosts are now blocked.
• When you add an admin.php?page=… entry to the allow-list, the plugin now confirms the page is actually registered by another plugin before letting visitors through.

💻 Developer Updates

• Text domain renamed from remove_dashboard_access to remove-dashboard-access-for-non-admins to match the WordPress.org slug. If you maintain custom .po/.mo files in /languages/, rename them to use the new domain.
• New rda_strict_ajax filter mirrors the “Also block AJAX” setting for code-level control on a per-site basis.
• The existing rda_allowlist filter still works; entries now support * wildcards inside query values.
• New unit test suite using @wordpress/scripts + wp-env + PHPUnit. Run locally with npm test.

1.2.2 on May 22, 2025

• Fixed: Compatibility with WordPress 6.8 _load_textdomain_just_in_time warning
• Fixed: The plugin prevented admin-post.php from being accessible, which broke some expected functionality (thanks @brambil)

1.2.1 on November 29, 2024

• Fixed: Compatibility with WordPress 6.7 (there was a warning that translations were being loaded too soon)
• Tweak: Sanitized admin menu URL

1.2 on January 29, 2024

• Confirmed compatibility with WordPress 6.4.2
• New: Added a new filter, rda_allowlist, to configure pages that should be accessible to all users, regardless of their capabilities or roles (see FAQ for usage)
• Improved: Added a description that clarifies that the Login Message is only displayed on the WordPress “Log In” screen
• Improved: The User Profile Access text is now a proper label for the checkbox
• Fixed: Allow access to the Wordfence 2FA configuration page (#33)
• Fixed: Text domain not properly set for translations (thanks @fierevere)
• Tweak: Prevent directly accessing PHP files by checking for ABSPATH (#26)
• Tweak: Prevent browsing directories on poorly-configured servers by adding index.php files in plugin directories

1.1.4 & 1.1.5 on April 18, 2022

• Fixed: Deactivating and activating the plugin will no longer overwrite plugin settings
• Fixed: Deprecated function screen_icon() warning
• Fixed: Issue when front-end editing of profiles when the $pagenow global is not defined (#24)
• Fixed: Potential Invalid argument supplied for foreach() PHP warning (#22)

1.1.3

• Fixed a compatibility issue with bbPress and the media grid view.

1.1.2

• Bump tested-up-to to 4.1.0
• Miscellaneous readme changes.

1.1.1

• Move options back to Settings > Dashboard Access screen to resolve conflict with page_on_front UI.

1.1

• Instantiate as a static instance for better modularity
• Move Dashboard Access Controls settings to Settings > Dashboard Access
• Add optional login message option
• Add better settings sanitization
• New Filter: rda_default_caps_for_role – Filter default roles for Admins, Editors, and Authors
• New Debug Mode

Bug Fixes:

• Remove unnecessarily stringent URL mask on the redirect URL option

1.0

• Complete rewrite!
• New: Limit dashboard access for Admins only or by capability
• New: Allow/disallow edit-profile access
• New: Choose your own redirect URL
• New Filter: rda_default_access_cap – Change default access capability
• New Filter: rda_toolbar_nodes – Filter which back-end Toolbar nodes are hidden
• New Filter: rda_frontend_toolbar_nodes – Filter which front-end Toolbar nodes are hidden

0.4

• Refined DOING_AJAX check for logged-out users, props @nacin and @BoiteAWeb

0.3

• Changed cap to manage_options, replaced PHP_SELF with DOING_AJAX

0.2

• Replaced preg_match with admin-ajax test. Added compatibility with rewritten dashboard URLs.

0.1

• Submitted to repository