Konfyra Access Control

Description

Multi-vendor plugins (WCFM, Dokan, MultiVendorX, WC Vendors) generally
redirect vendors to a frontend dashboard after login, and most offer a
capability toggle for “backend access.” In practice, both of those are
login-flow conveniences, not hard access controls — a vendor who directly
visits /wp-admin/ after logging in can often still land on some part of
the WordPress backend. The same gap exists for membership and course
plugins (MemberPress, LearnDash, etc.) whose members are typically just
Subscribers under the hood.

This plugin adds the missing hard block:

  • Every /wp-admin/ request is checked on admin_init.
  • Administrators (and any role you explicitly exempt — e.g. Shop Manager)
    pass through untouched.
  • Everyone else is redirected: configured “vendor” roles go to your vendor
    dashboard URL; everyone else goes to a default path you configure — a
    MemberPress account page, a LearnDash dashboard, anything — or, if left
    blank, WooCommerce My Account (if active) or the homepage.
  • AJAX (admin-ajax.php), cron, and REST requests are always left alone,
    since marketplace and membership plugins alike route frontend actions
    through them internally. Blocking these would break the site, not just
    the backend.
  • The admin toolbar is optionally hidden on the frontend for restricted
    roles too, closing a smaller but related information leak (plugin
    names/versions, site health notices).

This isn’t tied to any one plugin’s ecosystem — the lockdown itself is
plain WordPress role and capability logic. It was built with WCFM / Dokan
/ MultiVendorX / WC Vendors marketplaces in mind, but works identically
for MemberPress members, LearnDash students, or any custom role your own
code registers.

All of this is configured from Settings Konfyra Access Control — the
role checkboxes are populated from the roles actually registered on your
site, so there’s no need to guess whether your plugin calls its vendor
role vendor, seller, wcfm_vendor, or dc_vendor.

A note on trademarks

This plugin is not affiliated with, endorsed by, or sponsored by
Automattic, WooThemes/WooCommerce, weDevs (Dokan), WCFM, MultiVendorX, WC
Vendors, or MemberPress. Their names are mentioned solely to describe
compatibility.

Before enabling on a live site

Test on staging first, same as any access-control change. If you use a
Shop Manager (or similar staff) role that needs order/product screens in
wp-admin, make sure to check that role under “Roles allowed in wp-admin”
before saving — it’s exempt by default on first activation, but confirm
it after your first save.

Installation

  1. Upload the konfyra-access-control folder to /wp-content/plugins/,
    or install the zip directly via Plugins Add New Upload Plugin.
  2. Activate the plugin.
  3. Go to Settings konfyra Access Control and configure which roles are
    exempt, which are “vendor” roles, your vendor dashboard URL, and the
    default redirect path for everyone else.

FAQ

My frontend AJAX calls stopped working after activating this.

They shouldn’t — admin-ajax.php requests are explicitly exempted
regardless of role. If something broke, check whether another plugin is
making a direct (non-AJAX) request into /wp-admin/ to fetch data, which
is unusual but not impossible; exempt that role temporarily to confirm,
then report the specific plugin/action.

Does this replace my marketplace or membership plugin’s own capability

settings? =

No — use both. This plugin is the hard enforcement layer; your other
plugin’s own capability toggles still control what a vendor or member can
see and do within their own frontend dashboard.

I locked myself out. What do I do?

Connect via FTP/SFTP or your host’s file manager, rename or delete the
konfyra-access-control folder in wp-content/plugins/ — WordPress
deactivates a plugin automatically if its files disappear, restoring your
own wp-admin access immediately.

Does this work with a custom login page or SSO plugin?

Yes — the check runs on admin_init regardless of how the user
authenticated, so it applies uniformly.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Konfyra Access Control” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

1.1.0

  • Added a configurable default redirect path for any role that isn’t a
    vendor role and isn’t exempt (e.g. MemberPress members, LearnDash
    students) — previously this always went to WooCommerce My Account or
    the homepage with no way to customize it.

1.0.0

  • Initial release.