WordPress Tutorials : Managing Access To WordPress Plugins, So Your Clients Don’t Break Their Site!

When web hosting web hosting australia building WordPress sites for clients we often rely on plugins to provide the core functionality of our product.

The trouble is, if a client inadvertently deactivates a plugin, it

could break the site, or at the very least severely impair its

functionality.

In this article I’ll share some tips and tricks you can use to make sure clients don’t disable their own websites original site by mistake.

Communication

One of the most essential tools in our toolkit is documentation. If a

plugin shouldn’t be disabled then write this down somewhere and share

it with the client. Group this together with other tips, tricks and

how-tos and boom, you have helpful documentation your client will no

doubt appreciate.

Access Restriction

At this stage, the client should be aware of any issues with a

specific plugin. However, things may be forgotten over time, the client

may employ other people or maybe just mis-click. That’s where access

restriction comes in.

The easiest way to do this is to simply prevent the link to remove a

plugin from appearing. This is a fairly simple matter, we can use the plugin_action_links hook, iterating through each of our plugins, and disabling the link for particular ones.


1

2

3

4

5

6

website hosting 7

8
 

add_filter( 'plugin_action_links', 'my_disable_plugin_actions', 10, 4 );

function my_disable_plugin_actions( $actions, $plugin_file, $plugin_data, $context ) 

  $plugins = aray( 'advanced-custom-fields-pro/acf.php', 'acf-field-date-time-picker/acf-date_time_picker.php' );

  if ( array_key_exists( 'deactivate', domains $actions ) && in_array( $plugin_file, $plugins )) 

     unset( $actions['deactivate'] );

  

   return $actions;


view raw

restrict.php

hosted with ❤ by GitHub

If you’ve been reading up on safety you may ask: Is this safe? What

if the user knows the link and visits it in lieu of clicking on the

link?

This is not really our concern here. The fact that we’re disabling

the links doesn’t mean WordPress’ permissions system is compromised.

Only admins can disable plugins.

If your client – as an admin – logs in and intentionally disables the

plugin by visiting the specific link he/she probably knows what he/she

is doing.

There is a small downside to this method. The actions are disabled

for all admins, even for us. If this is an issue for you, you can create

a custom role which is “above” the administrator.

Creating an Admin Overlord

There is such a thing as a Superadmin, but this is an actual role

used in a Multisite installation so it’s best to avoid any conflicts.

What we’ll do is create a role named Overlord who will be able to do

anything that admins can and then some. Here’s how:


1

2

3

4

5

6

7
 

register_activation_hook( __FILE__, 'my_initial_setup' );

function my_initial_setup() 

    $admin = get_role( 'administrator' );

    $overlord_caps = $admin->capabilities;

    $overlord_caps[] = 'be_superadmin';

    $role = add_role( 'overlord', 'Overlord', $overlord_caps );


view raw

role.php

hosted with ❤ by GitHub

There really is no need to create our custom role every time the page

loads so I’ve added it to an activation hook. This only runs when the

theme is activated. If your theme is already activated just run the code

within the hook once by temporarily adding it to the init hook.

We create a role named “Overlord” and copy all the capabilities

admins have. A new capability named “can_overlord” is added, which we

can check against when needed.

We can now modify our previous code by adding the capability check.

This will disable the action links for everyone but overlords. Don’t

forget to make yourself a Superadmin to see the links!


1

2

3

4

5

6

7

8
 

add_filter( 'plugin_action_links', 'my_disable_plugin_actions', 10, 4 );

function my_disable_plugin_actions( $actions, $plugin_file, $plugin_data, $context ) 

  $plugins = aray( 'advanced-custom-fields-pro/acf.php', 'acf-field-date-time-picker/acf-date_time_picker.php' );

  if ( array_key_exists( 'deactivate', $actions ) && current_user_can( 'can_overlord' ) && in_array( $plugin_file, $plugins )) 

     unset( $actions['deactivate'] );

  

   return $actions;


view raw

restrict-role.php

hosted with ❤ by GitHub

Additional Safeguards

I like to use The TGM plugin activation class for this because it

allows me to provide required and suggested plugins and configure the

messages users receive. I’ve written about TGM Plugin Activation before, take a look there for more information. Here’s a nice example, which I’ll explain below:


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56
 

include( 'class-tgm-plugin-activation.php' );



add_action( 'tgmpa_register', 'my_register_plugins' );

function my_register_plugins() 

    $plugins = array(

         array(

            'name'               => 'Advanced Custom Fields',

            'slug'               => 'advanced-custom-fields-pro',

            'source'             => get_stylesheet_directory() . '/plugins/advanced-custom-fields-pro.zip',

            'required'           => true,

            'version'            => '5.2.0',

            'force_activation'   => true,

            'force_deactivation' => false,

            'external_url'       => '',

        ),

        array(

            'name' => 'ACF Date And Time Picker',

            'slug' => 'acf-field-date-time-picker',

            'required' => true,

            'version' => '2.0.18.1',

            'force_activation'   => true,

            'force_deactivation' => false,

        )

    );

    $config = array(

        'default_path' => '',

        'menu'         => 'tgmpa-install-plugins',

        'has_notices'  => true,

        'dismissable'  => false,

        'dismiss_msg'  => 'Some plugins have been deactivated which are needed for your website to function. Please re-activate or install the required plugins using the link below. If you are unable to do so please contact developer@yourwebsite.com as soon as possible.',

        'is_automatic' => true,

        'message'      => '',

        'strings'      => array(

            'page_title'                      => 'Install Required Plugins',

            'menu_title'                      => 'Install Plugins',

            'installing'                      => 'Installing Plugin: %s',

            'oops'                            => 'Something went wrong with the plugin API.',

            'notice_can_install_required'     => _n_noop( '', '' ),

            'notice_can_install_recommended'  => _n_noop( '', '' ),

            'notice_cannot_install'           => _n_noop( 'Sorry, but you do not have the correct permissions to install plugins. Contact the administrator of this site for help on getting the plugin installed.', 'Sorry, but you do not have the correct permissions to install plugins. Contact the administrator of this site for help on getting the plugins installed.' ),

            'notice_can_activate_required'    => _n_noop( 'The following required plugin is currently inactive: %1$s.', 'The following required plugins are currently inactive: %1$s.' ),

            'notice_can_activate_recommended' => _n_noop( 'The following recommended plugin is currently inactive: %1$s.', 'The following recommended plugins are currently inactive: %1$s.' ),

            'notice_cannot_activate'          => _n_noop( 'Sorry, but you do not have the correct permissions to activate the plugins. Contact the administrator of this site for help on getting the plugin activated.', 'Sorry, but you do not have the correct permissions to activate plugins. Contact the administrator of this site for help on getting the plugins activated.' ),

            'notice_ask_to_update'            => _n_noop( 'The following plugin needs to be updated to its latest version to ensure maximum website domains compatibility with this theme: %1$s.', 'The following plugins need to be updated to their latest version to ensure maximum compatibility with this theme: %1$s.' ),

            'notice_cannot_update'            => _n_noop( 'Sorry, but you do not have the correct permissions to Joomla update plugins. Contact the administrator of this site for help on getting the plugin updated.', 'Sorry, but you do not have the correct permissions to update plugins. Contact the administrator of this site for help on getting the plugins updated.' ), // %1$s = plugin name(s).

            'install_link'                    => _n_noop( 'Install Plugins Now', 'Install Plugins Now' ),

            'activate_link'                   => _n_noop( 'Activate Plugins Now', 'Activate Plugins Now' ),

            'return'                          => 'Return to Required Plugins Installer',

            'plugin_activated'                => 'Plugin activated successfully.',

            'complete'                        => 'All plugins installed and activated successfully. %s',

            'nag_type'                        => 'error'

        )

    );

    tgmpa( $plugins, $config );


view raw

tgm.php

hosted with ❤ by GitHub

You need to include the class itself and then configure it. This is a

matter of telling it which plugins you require and customizing the

message strings.

Plugins can be specified right from the repository, from an external

source or can be self-contained within your theme, take a look at the documentation for examples.

By customizing the strings you can provide friendly messages to

clients which tell them what is going on, who they can contact and –

more importantly – how they can resolve the issue themselves.

By default, the class lets users know exactly which plugins have been

deactivated. I opted to go for a more direct approach with this string:

Some plugins have been deactivated which are needed for

your website to function. Please re-activate or install the required

plugins using the link below. If you are unable to do so please contact developer@yourwebsite.com as soon as possible.

Disabling Everything

Similarly to our link disabling efforts, users could still access the page directly, even if the user interface is removed.


1

2

3

4
 

function remove_plugin_menu(){

  remove_menu_page( 'plugins.php' );

}

add_action( 'admin_menu', 'remove_plugin_menu' );


view raw

disable-menu.php

hosted with ❤ by GitHub

Feel free to wrap this in a check for the ‘can_overlord’ capability to make sure the menu is visible to Overlords.

As website hosting an additional safeguard you could also remove the ability to edit themes and plugins. This is something I am a fan of because this is also good security practice. You’ll need to add the following to the wo-config.php file.


1
 

define( 'DISALLOW_FILE_MODS', true );


view raw

wp-config.php

hosted with ❤ by GitHub

Conclusion

Removing the ability to muck up your site by removing plugins – but

retaining updating abilities – is not only possible, but downright easy.

This removes unnecessary communication and ambiguity from your client

work and can provide your client with easy DIY options – a better

experience all round.