Description
Multi-vendor plugins (WCFM, Dokan, MultiVendorX, WC Vendors) generally
redirect vendors to a frontend dashboard after login, and most offer a
capability toggle for “backend access.” In practice, both of those are
login-flow conveniences, not hard access controls — a vendor who directly
visits /wp-admin/ after logging in can often still land on some part of
the WordPress backend. The same gap exists for membership and course
plugins (MemberPress, LearnDash, etc.) whose members are typically just
Subscribers under the hood.
This plugin adds the missing hard block:
- Every
/wp-admin/request is checked onadmin_init. - Administrators (and any role you explicitly exempt — e.g. Shop Manager)
pass through untouched. - Everyone else is redirected: configured “vendor” roles go to your vendor
dashboard URL; everyone else goes to a default path you configure — a
MemberPress account page, a LearnDash dashboard, anything — or, if left
blank, WooCommerce My Account (if active) or the homepage. - AJAX (
admin-ajax.php), cron, and REST requests are always left alone,
since marketplace and membership plugins alike route frontend actions
through them internally. Blocking these would break the site, not just
the backend. - The admin toolbar is optionally hidden on the frontend for restricted
roles too, closing a smaller but related information leak (plugin
names/versions, site health notices).
This isn’t tied to any one plugin’s ecosystem — the lockdown itself is
plain WordPress role and capability logic. It was built with WCFM / Dokan
/ MultiVendorX / WC Vendors marketplaces in mind, but works identically
for MemberPress members, LearnDash students, or any custom role your own
code registers.
All of this is configured from Settings Konfyra Access Control — the
role checkboxes are populated from the roles actually registered on your
site, so there’s no need to guess whether your plugin calls its vendor
role vendor, seller, wcfm_vendor, or dc_vendor.
A note on trademarks
This plugin is not affiliated with, endorsed by, or sponsored by
Automattic, WooThemes/WooCommerce, weDevs (Dokan), WCFM, MultiVendorX, WC
Vendors, or MemberPress. Their names are mentioned solely to describe
compatibility.
Before enabling on a live site
Test on staging first, same as any access-control change. If you use a
Shop Manager (or similar staff) role that needs order/product screens in
wp-admin, make sure to check that role under “Roles allowed in wp-admin”
before saving — it’s exempt by default on first activation, but confirm
it after your first save.
Installation
- Upload the
konfyra-access-controlfolder to/wp-content/plugins/,
or install the zip directly via Plugins Add New Upload Plugin. - Activate the plugin.
- Go to Settings konfyra Access Control and configure which roles are
exempt, which are “vendor” roles, your vendor dashboard URL, and the
default redirect path for everyone else.
FAQ
-
My frontend AJAX calls stopped working after activating this.
-
They shouldn’t —
admin-ajax.phprequests are explicitly exempted
regardless of role. If something broke, check whether another plugin is
making a direct (non-AJAX) request into/wp-admin/to fetch data, which
is unusual but not impossible; exempt that role temporarily to confirm,
then report the specific plugin/action. -
Does this replace my marketplace or membership plugin’s own capability
-
settings? =
No — use both. This plugin is the hard enforcement layer; your other
plugin’s own capability toggles still control what a vendor or member can
see and do within their own frontend dashboard. -
I locked myself out. What do I do?
-
Connect via FTP/SFTP or your host’s file manager, rename or delete the
konfyra-access-control folder inwp-content/plugins/— WordPress
deactivates a plugin automatically if its files disappear, restoring your
own wp-admin access immediately. -
Does this work with a custom login page or SSO plugin?
-
Yes — the check runs on
admin_initregardless of how the user
authenticated, so it applies uniformly.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Konfyra Access Control” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Konfyra Access Control” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.0
- Added a configurable default redirect path for any role that isn’t a
vendor role and isn’t exempt (e.g. MemberPress members, LearnDash
students) — previously this always went to WooCommerce My Account or
the homepage with no way to customize it.
1.0.0
- Initial release.
