Description
Limited Admin Role adds a custom WordPress role called Admin Panel Manager that gives a user broad content and product management access — but blocks access to WooCommerce Orders, Customers, Users, and sensitive reports.
Key Features:
- 🔐 Granular capability grid — enable or disable every WordPress & WooCommerce capability from the settings UI, organized into 15 categories
- 🚫 Block WooCommerce Orders, Customers, Analytics, and WordPress Users (menu + URL + REST API)
- 🧩 Plugin Access Deny — per-plugin admin page blocking via a dedicated submenu
- 🔑 Plugins view-only — can see installed plugins list but cannot install/activate/deactivate/update/delete
- 🕐 Configurable session timeout (default 12 hours) — forces logout regardless of “Remember Me”
- ✅ Compatible with Rank Math, Yoast SEO, WooCommerce HPOS, and Cloudflare
Capability Categories:
- Core Access, Posts, Pages, Media, Appearance & Themes
- Plugins, Users, WordPress Updates
- WooCommerce Products, Orders, Coupons, Reports & Analytics, Settings, Customers
- Comments
License
This plugin is licensed under the GNU General Public License v2.0 or later.
Full license text: https://www.gnu.org/licenses/gpl-2.0.html
Installation
- Upload the limited-admin-role folder to /wp-content/plugins/ or install via Plugins → Add New → Upload Plugin.
- Activate the plugin through the Plugins menu.
- The Admin Panel Manager role is created automatically on activation.
- Configure settings at Limited Admin Role in the WordPress admin sidebar.
- Assign the role to users via Users → Add New or Users → Edit User → Role.
Frequently Asked Questions
- How do I assign the role to a user?
  Go to Users → Add New and set the Role dropdown to Admin Panel Manager. Or edit an existing user and change their role.
- Can I change which capabilities are granted?
  Yes. Go to Limited Admin Role → Settings → Capabilities tab. Every capability is listed with a checkbox — check to grant, uncheck to deny. Changes apply immediately on save.
- How does the session timeout work?
  On login, the plugin records a timestamp. On every admin page load, it checks if the elapsed time exceeds the configured limit (default: 12 hours). If so, the session is destroyed and the user is redirected to the login page with a “Session expired” message. The auth cookie is also clamped so “Remember Me” cannot extend beyond the limit.
- Can the user install or activate plugins?
  No. Plugin installation, activation, deactivation, update, and deletion are always blocked. The user can view the installed plugins list (read-only). You can toggle even view access from the Capabilities tab (activate_plugins cap).
- How does Plugin Access Deny work?
  Go to Limited Admin Role → Plugin Access Deny. Every active plugin and its detected admin pages are listed. Check any pages to block them for the Admin Panel Manager role.
- Is it compatible with WooCommerce HPOS?
  Yes. Both the legacy post_type=shop_order URL and the new HPOS page=wc-orders URL are blocked.
- Does it work with Rank Math and Yoast SEO?
  Yes. Both plugins show their meta boxes to any user with edit_posts capability, which this role has by default.
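The session timeout flow described in the FAQ above (timestamp at login, check on every admin page load, clamped auth cookie) can be sketched with standard WordPress hooks. This is an added example, not the plugin's own code; the role slug, user-meta key, option name and `session_expired` query argument are hypothetical, since the page does not state the real ones.

```php
<?php
// Added illustration, not the plugin's source. Role slug, meta key and
// option name are hypothetical placeholders.
const LAR_ROLE      = 'admin_panel_manager';
const LAR_LOGIN_KEY = '_lar_login_time';

// Configured limit in seconds; falls back to the 12-hour default from the page.
function lar_limit_seconds() {
    $hours = (float) get_option( 'lar_session_hours', 12 );
    return (int) ( max( $hours, 0.25 ) * HOUR_IN_SECONDS );
}

function lar_is_limited_user( $user ) {
    return $user instanceof WP_User && in_array( LAR_ROLE, (array) $user->roles, true );
}

// 1. Record a server-side timestamp at login.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( lar_is_limited_user( $user ) ) {
        update_user_meta( $user->ID, LAR_LOGIN_KEY, time() );
    }
}, 10, 2 );

// 2. On every admin page load, compare elapsed time with the limit.
add_action( 'admin_init', function () {
    $user = wp_get_current_user();
    if ( ! lar_is_limited_user( $user ) ) {
        return;
    }
    $started = (int) get_user_meta( $user->ID, LAR_LOGIN_KEY, true );
    // A missing timestamp is treated as expired (fail closed).
    if ( 0 === $started || ( time() - $started ) > lar_limit_seconds() ) {
        delete_user_meta( $user->ID, LAR_LOGIN_KEY );
        wp_logout(); // destroys the session token and clears the auth cookies
        wp_safe_redirect( add_query_arg( 'session_expired', '1', wp_login_url() ) );
        exit;
    }
} );

// 3. Clamp the cookie lifetime so "Remember Me" cannot outlive the limit.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    $user = get_userdata( $user_id );
    return lar_is_limited_user( $user ) ? min( (int) $length, lar_limit_seconds() ) : $length;
}, 10, 3 );
```

In this sketch a single per-user timestamp is shared by all of that user's sessions, so a fresh login from another browser restarts the clock for every session; keying the timestamp to the session token avoids that.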
Changelog
2.3.0
- Fixed: Rank Math REST API calls (/wp-json/rankmath/v1/updateSettings) returning 403 — SEO plugin REST routes are now always whitelisted
- Fixed: manage_options is temporarily elevated during any SEO plugin REST request so save/update operations work correctly
- Improved: Capabilities tab now shows SEO plugin sections only when that plugin is actually installed — each setting as its own row, all defaulting to enabled
- Improved: Rank Math redirections, 404 monitor, analytics, site analysis — all individually controllable per row
- Improved: Yoast and AIOSEO caps similarly separated with all defaults on
2.2.0
- Fixed: Replaced inline <style> echo in access control with wp_add_inline_style() (WordPress.org requirement)
- Fixed: Replaced inline <style> and <script> in Plugin Access Deny page with wp_add_inline_style() and wp_add_inline_script() (WordPress.org requirement)
- Improved: Plugin Access Deny now uses explicit slug patterns for Rank Math, Yoast, AIOSEO, WooCommerce and other major plugins — all their admin pages reliably appear in the deny list
- Added: Author URI field in plugin header
- Updated: Contributors field in readme.txt
2.1.0
- Fixed: SEO plugins (Rank Math, Rank Math Pro, Yoast SEO, Yoast Premium, AIOSEO, AIOSEO Pro) now fully unrestricted — all caps pass through freely
- Added: SEO Plugins capability category with 15 caps across all supported plugins
- Added: Auto-detection of active SEO plugins shown on General tab
- Fixed: WordPress.Security.EscapeOutput errors (escaped $found with wp_kses, $bg with esc_attr)
2.0.0
- Added full capabilities registry with 15 categorized sections
- Added per-capability checkbox grid in settings UI
- Added Plugin Access Deny submenu for per-plugin admin page blocking
- Added Grant All / Deny All per category, search/filter, Restore Defaults
- Added toggle switches for quick access blocks
- Added unsaved-changes warning in settings
- Rebuilt settings page with tabbed UI
- All v1 features preserved
1.1.0
- Added plugin view-only mode (can see installed plugins list, all actions blocked)
- Added CSS hiding of plugin action links and bulk-action controls
- Removed Plugins menu from sidebar (now kept visible as read-only)
1.0.0
- Initial release
- Custom Admin Panel Manager role
- WooCommerce Orders, Customers, Users, Reports blocking
- 12-hour session timeout with configurable settings page
- REST API blocking for orders, customers, users
- Compatible with Rank Math, Yoast SEO, WooCommerce HPOS