Limited Admin Role

Description

Limited Admin Role adds a custom WordPress role called Admin Panel Manager that gives a user broad content and product management access — but blocks access to WooCommerce Orders, Customers, Users, and sensitive reports.

Key Features:

  • 🔐 Granular capability grid — enable or disable every WordPress & WooCommerce capability from the settings UI, organized into 15 categories
  • 🚫 Block WooCommerce Orders, Customers, Analytics, and WordPress Users (menu + URL + REST API)
  • 🧩 Plugin Access Deny — per-plugin admin page blocking via a dedicated submenu
  • 🔑 Plugins view-only — can see installed plugins list but cannot install/activate/deactivate/update/delete
  • 🕐 Configurable session timeout (default 12 hours) — forces logout regardless of “Remember Me”
  • ✅ Compatible with Rank Math, Yoast SEO, WooCommerce HPOS, and Cloudflare

Capability Categories:

  • Core Access, Posts, Pages, Media, Appearance & Themes
  • Plugins, Users, WordPress Updates
  • WooCommerce Products, Orders, Coupons, Reports & Analytics, Settings, Customers
  • Comments

License

This plugin is licensed under the GNU General Public License v2.0 or later.

Full license text: https://www.gnu.org/licenses/gpl-2.0.html

Installation

  1. Upload the limited-admin-role folder to /wp-content/plugins/ or install via Plugins → Add New → Upload Plugin.
  2. Activate the plugin through the Plugins menu.
  3. The Admin Panel Manager role is created automatically on activation.
  4. Configure settings at Limited Admin Role in the WordPress admin sidebar.
  5. Assign the role to users via Users → Add New or Users → Edit User → Role.

FAQ

How do I assign the role to a user?

Go to Users → Add New and set the Role dropdown to Admin Panel Manager. Or edit an existing user and change their role.

Can I change which capabilities are granted?

Yes. Go to Limited Admin Role → Settings → Capabilities tab. Every capability is listed with a checkbox: check to grant, uncheck to deny. Changes apply immediately on save.

How does the session timeout work?

On login, the plugin records a timestamp. On every admin page load, it checks if the elapsed time exceeds the configured limit (default: 12 hours). If so, the session is destroyed and the user is redirected to the login page with a “Session expired” message. The auth cookie is also clamped so “Remember Me” cannot extend beyond the limit.
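
The sketch below shows one way to build the timeout described above. It is an added example, not the plugin's own code. It reads the login time that WordPress core already stores in each session token instead of recording a separate timestamp, and the role slug `admin_panel_manager` and the `lar_ex_expired` query argument are assumed names.

```php
<?php
// Added example, not the plugin's code. The role slug and query arg are hypothetical.
define( 'LAR_EX_ROLE', 'admin_panel_manager' );   // assumed slug for "Admin Panel Manager"
define( 'LAR_EX_LIMIT', 12 * HOUR_IN_SECONDS );   // the page's default limit

function lar_ex_has_role( $user ) {
	return $user instanceof WP_User && in_array( LAR_EX_ROLE, (array) $user->roles, true );
}

// Seconds since this session logged in. Core stores 'login' => time() in every
// session token, so the age is per session, not per user. Unknown age fails closed.
function lar_ex_session_age( $user_id ) {
	$session = WP_Session_Tokens::get_instance( $user_id )->get( wp_get_session_token() );
	return isset( $session['login'] ) ? time() - (int) $session['login'] : PHP_INT_MAX;
}

// Clamp the auth cookie so "Remember Me" cannot extend beyond the limit.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id ) {
	return lar_ex_has_role( get_userdata( $user_id ) ) ? min( $length, LAR_EX_LIMIT ) : $length;
}, 10, 2 );

// Check the elapsed time on every admin page load.
add_action( 'admin_init', function () {
	$user = wp_get_current_user();
	if ( lar_ex_has_role( $user ) && lar_ex_session_age( $user->ID ) > LAR_EX_LIMIT ) {
		wp_logout(); // destroys the current session token and clears the auth cookies
		wp_safe_redirect( add_query_arg( 'lar_ex_expired', '1', wp_login_url() ) );
		exit;
	}
} );

// Show the notice on the login screen after the redirect.
add_filter( 'login_message', function ( $message ) {
	if ( isset( $_GET['lar_ex_expired'] ) ) {
		$message .= '<p class="message">' . esc_html( 'Session expired. Please log in again.' ) . '</p>';
	}
	return $message;
} );
```

The cookie clamp is what bounds requests that never reach `admin_init`, such as REST calls. The admin-side check covers sessions whose cookie was issued before the limit was lowered.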

Can the user install or activate plugins?

No. Plugin installation, activation, deactivation, update, and deletion are always blocked. The user can view the installed plugins list (read-only). Even view access can be toggled from the Capabilities tab (activate_plugins cap).

How does Plugin Access Deny work?

Go to Limited Admin Role → Plugin Access Deny. Every active plugin and its detected admin pages are listed. Check any pages to block them for the Admin Panel Manager role.

Is it compatible with WooCommerce HPOS?

Yes. Both the legacy post_type=shop_order URL and the new HPOS page=wc-orders URL are blocked.
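
The sketch below shows the two URL forms handled together, plus the REST route mentioned under Key Features. It is an added example, not the plugin's own code. The role slug `admin_panel_manager` and the `lar_ex2_` names are assumptions. It also covers the legacy single-order edit screen, which carries no post_type parameter.

```php
<?php
// Added example, not the plugin's code. The role slug is a hypothetical name.
define( 'LAR_EX2_ROLE', 'admin_panel_manager' );

function lar_ex2_restricted() {
	return in_array( LAR_EX2_ROLE, (array) wp_get_current_user()->roles, true );
}

// True when the admin request targets an orders screen in either storage mode.
function lar_ex2_is_order_screen( $pagenow, array $query ) {
	$post_type = isset( $query['post_type'] ) ? sanitize_key( $query['post_type'] ) : '';
	$page      = isset( $query['page'] ) ? sanitize_key( $query['page'] ) : '';
	// Legacy list and "add new": edit.php / post-new.php with post_type=shop_order.
	if ( in_array( $pagenow, array( 'edit.php', 'post-new.php' ), true ) && 'shop_order' === $post_type ) {
		return true;
	}
	// HPOS list, edit and "add new" all live under admin.php?page=wc-orders.
	if ( 'admin.php' === $pagenow && 'wc-orders' === $page ) {
		return true;
	}
	// Legacy single-order edit is post.php?post=ID with no post_type parameter,
	// so resolve the type from the post itself.
	if ( 'post.php' === $pagenow && isset( $query['post'] ) ) {
		return 'shop_order' === get_post_type( absint( $query['post'] ) );
	}
	return false;
}

add_action( 'admin_init', function () {
	global $pagenow;
	if ( lar_ex2_restricted() && lar_ex2_is_order_screen( (string) $pagenow, $_GET ) ) {
		wp_die( esc_html( 'You are not allowed to access orders.' ), '', array( 'response' => 403 ) );
	}
} );

// Hiding the menu and URL is not enough: the same data is served over REST.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( lar_ex2_restricted() && preg_match( '#^/wc/v\d+/orders(/|$)#', $request->get_route() ) ) {
		return new WP_Error( 'lar_ex2_forbidden', 'Orders are not available to this role.', array( 'status' => 403 ) );
	}
	return $result;
}, 10, 3 );
```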

Does it work with Rank Math and Yoast SEO?

Yes. Both plugins show their meta boxes to any user with edit_posts capability, which this role has by default.

Changelog

2.3.0

  • Fixed: Rank Math REST API calls (/wp-json/rankmath/v1/updateSettings) returning 403 — SEO plugin REST routes are now always whitelisted
  • Fixed: manage_options is temporarily elevated during any SEO plugin REST request so save/update operations work correctly
  • Improved: Capabilities tab now shows SEO plugin sections only when that plugin is actually installed — each setting as its own row, all defaulting to enabled
  • Improved: Rank Math redirections, 404 monitor, analytics, site analysis — all individually controllable per row
  • Improved: Yoast and AIOSEO caps similarly separated with all defaults on

2.2.0

  • Fixed: Replaced inline <style> echo in access control with wp_add_inline_style() (WordPress.org requirement)
  • Fixed: Replaced inline <style> and <script> in Plugin Access Deny page with wp_add_inline_style() and wp_add_inline_script() (WordPress.org requirement)
  • Improved: Plugin Access Deny now uses explicit slug patterns for Rank Math, Yoast, AIOSEO, WooCommerce and other major plugins — all their admin pages reliably appear in the deny list
  • Added: Author URI field in plugin header
  • Updated: Contributors field in readme.txt

2.1.0

  • Fixed: SEO plugins (Rank Math, Rank Math Pro, Yoast SEO, Yoast Premium, AIOSEO, AIOSEO Pro) now fully unrestricted — all caps pass through freely
  • Added: SEO Plugins capability category with 15 caps across all supported plugins
  • Added: Auto-detection of active SEO plugins shown on General tab
  • Fixed: WordPress.Security.EscapeOutput errors (escaped $found with wp_kses, $bg with esc_attr)

2.0.0

  • Added full capabilities registry with 15 categorized sections
  • Added per-capability checkbox grid in settings UI
  • Added Plugin Access Deny submenu for per-plugin admin page blocking
  • Added Grant All / Deny All per category, search/filter, Restore Defaults
  • Added toggle switches for quick access blocks
  • Added unsaved-changes warning in settings
  • Rebuilt settings page with tabbed UI
  • All v1 features preserved

1.1.0

  • Added plugin view-only mode (can see installed plugins list, all actions blocked)
  • Added CSS hiding of plugin action links and bulk-action controls
  • Removed Plugins menu from sidebar (now kept visible as read-only)

1.0.0

  • Initial release
  • Custom Admin Panel Manager role
  • WooCommerce Orders, Customers, Users, Reports blocking
  • 12-hour session timeout with configurable settings page
  • REST API blocking for orders, customers, users
  • Compatible with Rank Math, Yoast SEO, WooCommerce HPOS