WordPress Admin Menu
If you are able to dig into WordPress code, you will notice that their menu is created by a single function using two global variables as parameter. You can easily find this code located at wp-admin/menu-header.php, line 157-158.
view source
print?
1 _wp_menu_output( $menu, $submenu );
2 do_action( ‘adminmenu’ );
From the look of the method, you would have easily guess that this method is also a global method which takes in global variables $menu and $submenu to construct a full flag admin menu in WordPress. However, this method is like a loop that takes in a variable and loop through whatever is contain in the variable given. Hence, we will have to look at how each global variable is built to determine how to properly remove a WordPress admin menu.
Global Variable – $menu
If you dig deeper into WordPress, you will notice that the global variable $menu and $submenu are located at wp-admin/menu.php, line 25 onwards. This two variables play an important part in our objective as they create and remove main and submenu in WordPress. If you look at the code from line 28-115, you will notice that both menu and submenu is constructed first regardless of permission.
view source
print?
01 $menu[0] = array( __(‘Dashboard’), ‘read’, ‘index.php’, ”, ‘menu-top’, ‘menu-dashboard’, ‘div’ );
02
03 $menu[4] = array( ”, ‘read’, ‘separator1’, ”, ‘wp-menu-separator’ );
04
05 $menu[5] = array( __(‘Posts’), ‘edit_posts’, ‘edit.php’, ”, ‘open-if-no-js menu-top’, ‘menu-posts’, ‘div’ );
06 $submenu[‘edit.php’][5] = array( __(‘Edit’), ‘edit_posts’, ‘edit.php’ );
07 /* translators: add new post */
08 $submenu[‘edit.php’][10] = array( _x(‘Add New’, ‘post’), ‘edit_posts’, ‘post-new.php’ );
09
10 $i = 15;
11 foreach ( $wp_taxonomies as $tax ) {
12 if ( $tax->hierarchical || ! in_array(‘post’, (array) $tax->object_type, true) )
13 continue;
14
15 $submenu[‘edit.php’][$i] = array( esc_attr($tax->label), ‘manage_categories’, ‘edit-tags.php?taxonomy=’ . $tax->name );
16 ++$i;
17 }
18
19 $submenu[‘edit.php’][50] = array( __(‘Categories’), ‘manage_categories’, ‘categories.php’ );
20
21 $menu[10] = array( __(‘Media’), ‘upload_files’, ‘upload.php’, ”, ‘menu-top’, ‘menu-media’, ‘div’ );
22 $submenu[‘upload.php’][5] = array( __(‘Library’), ‘upload_files’, ‘upload.php’);
23 /* translators: add new file */
24 $submenu[‘upload.php’][10] = array( _x(‘Add New’, ‘file’), ‘upload_files’, ‘media-new.php’);
25
26 $menu[15] = array( __(‘Links’), ‘manage_links’, ‘link-manager.php’, ”, ‘menu-top’, ‘menu-links’, ‘div’ );
27 $submenu[‘link-manager.php’][5] = array( __(‘Edit’), ‘manage_links’, ‘link-manager.php’ );
28 /* translators: add new links */
29 $submenu[‘link-manager.php’][10] = array( _x(‘Add New’, ‘links’), ‘manage_links’, ‘link-add.php’ );
30 $submenu[‘link-manager.php’][15] = array( __(‘Link Categories’), ‘manage_categories’, ‘edit-link-categories.php’ );
31
32 $menu[20] = array( __(‘Pages’), ‘edit_pages’, ‘edit-pages.php’, ”, ‘menu-top’, ‘menu-pages’, ‘div’ );
33 $submenu[‘edit-pages.php’][5] = array( __(‘Edit’), ‘edit_pages’, ‘edit-pages.php’ );
34 /* translators: add new page */
35 $submenu[‘edit-pages.php’][10] = array( _x(‘Add New’, ‘page’), ‘edit_pages’, ‘page-new.php’ );
36
37 $menu[25] = array( sprintf( __(‘Comments %s’), “” . number_format_i18n($awaiting_mod) . “” ), ‘edit_posts’, ‘edit-comments.php’, ”, ‘menu-top’, ‘menu-comments’, ‘div’ );
38
39 $_wp_last_object_menu = 25; // The index of the last top-level menu in the object menu group
40
41 $menu[59] = array( ”, ‘read’, ‘separator2’, ”, ‘wp-menu-separator’ );
42
43 $menu[60] = array( __(‘Appearance’), ‘switch_themes’, ‘themes.php’, ”, ‘menu-top’, ‘menu-appearance’, ‘div’ );
44 $submenu[‘themes.php’][5] = array(__(‘Themes’), ‘switch_themes’, ‘themes.php’);
45 $submenu[‘themes.php’][10] = array(__(‘Editor’), ‘edit_themes’, ‘theme-editor.php’);
46 $submenu[‘themes.php’][15] = array(__(‘Add New Themes’), ‘install_themes’, ‘theme-install.php’);
47
48 $update_plugins = get_transient( ‘update_plugins’ );
49 $update_count = 0;
50 if ( !empty($update_plugins->response) )
51 $update_count = count( $update_plugins->response );
52
53 $menu[65] = array( sprintf( __(‘Plugins %s’), “” . number_format_i18n($update_count) . “” ), ‘activate_plugins’, ‘plugins.php’, ”, ‘menu-top’, ‘menu-plugins’, ‘div’ );
54 $submenu[‘plugins.php’][5] = array( __(‘Installed’), ‘activate_plugins’, ‘plugins.php’ );
55 /* translators: add new plugin */
56 $submenu[‘plugins.php’][10] = array(_x(‘Add New’, ‘plugin’), ‘install_plugins’, ‘plugin-install.php’);
57 $submenu[‘plugins.php’][15] = array( __(‘Editor’), ‘edit_plugins’, ‘plugin-editor.php’ );
58
59 if ( current_user_can(‘edit_users’) )
60 $menu[70] = array( __(‘Users’), ‘edit_users’, ‘users.php’, ”, ‘menu-top’, ‘menu-users’, ‘div’ );
61 else
62 $menu[70] = array( __(‘Profile’), ‘read’, ‘profile.php’, ”, ‘menu-top’, ‘menu-users’, ‘div’ );
63
64 if ( current_user_can(‘edit_users’) ) {
65 $_wp_real_parent_file[‘profile.php’] = ‘users.php’; // Back-compat for plugins adding submenus to profile.php.
66 $submenu[‘users.php’][5] = array(__(‘Authors & Users’), ‘edit_users’, ‘users.php’);
67 $submenu[‘users.php’][10] = array(__(‘Add New’), ‘create_users’, ‘user-new.php’);
68 $submenu[‘users.php’][15] = array(__(‘Your Profile’), ‘read’, ‘profile.php’);
69 } else {
70 $_wp_real_parent_file[‘users.php’] = ‘profile.php’;
71 $submenu[‘profile.php’][5] = array(__(‘Your Profile’), ‘read’, ‘profile.php’);
72 }
73
74 $menu[75] = array( __(‘Tools’), ‘read’, ‘tools.php’, ”, ‘menu-top’, ‘menu-tools’, ‘div’ );
75 $submenu[‘tools.php’][5] = array( __(‘Tools’), ‘read’, ‘tools.php’ );
76 $submenu[‘tools.php’][10] = array( __(‘Import’), ‘import’, ‘import.php’ );
77 $submenu[‘tools.php’][15] = array( __(‘Export’), ‘import’, ‘export.php’ );
78 $submenu[‘tools.php’][20] = array( __(‘Upgrade’), ‘install_plugins’, ‘update-core.php’);
79
80 $menu[80] = array( __(‘Settings’), ‘manage_options’, ‘options-general.php’, ”, ‘menu-top’, ‘menu-settings’, ‘div’ );
81 $submenu[‘options-general.php’][10] = array(__(‘General’), ‘manage_options’, ‘options-general.php’);
82 $submenu[‘options-general.php’][15] = array(__(‘Writing’), ‘manage_options’, ‘options-writing.php’);
83 $submenu[‘options-general.php’][20] = array(__(‘Reading’), ‘manage_options’, ‘options-reading.php’);
84 $submenu[‘options-general.php’][25] = array(__(‘Discussion’), ‘manage_options’, ‘options-discussion.php’);
85 $submenu[‘options-general.php’][30] = array(__(‘Media’), ‘manage_options’, ‘options-media.php’);
86 $submenu[‘options-general.php’][35] = array(__(‘Privacy’), ‘manage_options’, ‘options-privacy.php’);
87 $submenu[‘options-general.php’][40] = array(__(‘Permalinks’), ‘manage_options’, ‘options-permalink.php’);
88 $submenu[‘options-general.php’][45] = array(__(‘Miscellaneous’), ‘manage_options’, ‘options-misc.php’);
Furthermore, its being done neat and nicely. After that a few loop is conducted to remove the menu and submenu according to the user permission. You can see that on line 152 – 209.
view source
print?
01 $_wp_submenu_nopriv = array();
02 $_wp_menu_nopriv = array();
03 // Loop over submenus and remove pages for which the user does not have privs.
04 foreach ( array( ‘submenu’ ) as $sub_loop ) {
05 foreach ($$sub_loop as $parent => $sub) {
06 foreach ($sub as $index => $data) {
07 if ( ! current_user_can($data[1]) ) {
08 unset(${$sub_loop}[$parent][$index]);
09 $_wp_submenu_nopriv[$parent][$data[2]] = true;
10 }
11 }
12
13 if ( empty(${$sub_loop}[$parent]) )
14 unset(${$sub_loop}[$parent]);
15 }
16 }
17
18 // Loop over the top-level menu.
19 // Menus for which the original parent is not acessible due to lack of privs will have the next
20 // submenu in line be assigned as the new menu parent.
21 foreach ( $menu as $id => $data ) {
22 if ( empty($submenu[$data[2]]) )
23 continue;
24 $subs = $submenu[$data[2]];
25 $first_sub = array_shift($subs);
26 $old_parent = $data[2];
27 $new_parent = $first_sub[2];
28 // If the first submenu is not the same as the assigned parent,
29 // make the first submenu the new parent.
30 if ( $new_parent != $old_parent ) {
31 $_wp_real_parent_file[$old_parent] = $new_parent;
32 $menu[$id][2] = $new_parent;
33
34 foreach ($submenu[$old_parent] as $index => $data) {
35 $submenu[$new_parent][$index] = $submenu[$old_parent][$index];
36 unset($submenu[$old_parent][$index]);
37 }
38 unset($submenu[$old_parent]);
39
40 if ( isset($_wp_submenu_nopriv[$old_parent]) )
41 $_wp_submenu_nopriv[$new_parent] = $_wp_submenu_nopriv[$old_parent];
42 }
43 }
44
45 do_action(‘admin_menu’, ”);
46
47 // Remove menus that have no accessible submenus and require privs that the user does not have.
48 // Run re-parent loop again.
49 foreach ( $menu as $id => $data ) {
50 // If submenu is empty…
51 if ( empty($submenu[$data[2]]) ) {
52 // And user doesn’t have privs, remove menu.
53 if ( ! current_user_can($data[1]) ) {
54 $_wp_menu_nopriv[$data[2]] = true;
55 unset($menu[$id]);
56 }
57 }
58 }
Now we have a basic understanding of how WordPress handle their admin menu according to user access. We are ready to remove or modify any user access to alter WordPress user capability to view a particular menu in WordPress.
Removing WordPress Admin Menu
After having you wasting your time reading all the way from the top to here, i finally getting back to track and write what this article is about. We understand from all the rubbish on top that the global variable $menu array contains all the top level menu item and the global variable $submenu array contains all submenu page of each top level menu item. We can perform a few methods to remove a WordPress Admin Menu. The first simple and very basic way of removing a WordPress admin menu is to unset the menu resist in the global array.
view source
print?
01 function remove_submenu() {
02 global $submenu;
03 //remove Theme editor
04 unset($submenu[‘themes.php’][10]);
05 }
06
07 function remove_menu() {
08 global $menu;
09 //remove post top level menu
10 unset($menu[5]);
11 }
12 add_action(‘admin_head’, ‘remove_menu’);
13 add_action(‘admin_head’, ‘remove_submenu’);
We can remove a set of admin menu by doing this.
view source
print?
01 function remove_menus () {
02 global $menu;
03 $restricted = array(__(‘Dashboard’), __(‘Posts’), __(‘Media’), __(‘Links’), __(‘Pages’), __(‘Appearance’), __(‘Tools’), __(‘Users’), __(‘Settings’), __(‘Comments’), __(‘Plugins’));
04 end ($menu);
05 while (prev($menu)){
06 $value = explode(‘ ‘,$menu[key($menu)][0]);
07 if(in_array($value[0] != NULL?$value[0]:”” , $restricted)){unset($menu[key($menu)]);}
08 }
09 }
10 add_action(‘admin_menu’, ‘remove_menus’);
The above code can be further reduce by 4 lines but i will keep it as it is.
This is pretty simple but not all user have these access and you might want to do some checking before accessing an invalid array to be unset which might give an error to be display. Although this is simple and the objective is achieve by removing the display of the menu/submenu, the user will still be able to direct access via the url. Hence, we need something better. Something that will disable all admin menu and sub menu tab from accessing and viewing.
view source
print?
01 function remove_menus () {
02 global $menu, $submenu, $user_ID;
03 $the_user = new WP_User($user_ID);
04 $valid_page = “admin.php?page=contact-form-7/admin/admin.php”;
05 $restricted = array(‘index.php’,’edit.php’,’categories.php’,’upload.php’,’link-manager.php’,’edit-pages.php’,’edit-comments.php’, ‘themes.php’, ‘plugins.php’, ‘users.php’, ‘profile.php’, ‘tools.php’, ‘options-general.php’);
06 $restricted_str = ‘widgets.php’;
07 end ($menu);
08 while (prev($menu)){
09 $menu_item = $menu[key($menu)];
10 $restricted_str .= ‘|’.$menu_item[2];
11 if(in_array($menu_item[2] , $restricted)){
12 $submenu_item = $submenu[$menu_item[2]];
13 if($submenu_item != NULL){
14 $tmp = $submenu_item;
15 $max = array_pop(array_keys($tmp));
16 for($i = $max; $i > 0;$i-=5){
17
18 if($submenu_item[$i] != NULL){
19 $restricted_str .= ‘|’.$submenu[$menu_item[2]][$i][2];
20 unset($submenu[$menu_item[2]][$i]);
21 }
22 }
23 }
24 unset($menu[key($menu)]);
25 }
26 }
27 $result = preg_match(‘/(.*?)/wp-admin/?(‘.$restricted_str.’)??((‘.$restricted_str.’){1})(.*?)/’,$_SERVER[‘REQUEST_URI’]);
28 if ($result != 0 && $result != FALSE){
29 wp_redirect(get_option(‘siteurl’) . ‘/wp-admin/’ . $valid_page);
30 exit(0);
31 }
32 }
33 add_action(‘admin_menu’, ‘remove_menus’);
The above function did just the thing. We will only required to provide the file name of the top level category and it will automatically disable all access to the subsequence admin sub menu. However, we will have to provide a valid page for user to gain access for the first time. The above code will disable ALL ADMIN MENU AND SUB MENU FOR ALL WORDPRESS ACCESS. The only page that was left accessible are the custom admin menu created by our user such as TweetMeme or Contact 7 form admin menu.
Concolusion
This is the way i use to remove admin menu in WordPress. We do not have to check for user access as the user will already be redirected to the specific page before they can enter the permission denial page. Have fun 🙂