{"id":338347,"date":"2026-07-14T17:54:42","date_gmt":"2026-07-14T17:54:42","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/konfyra-access-control\/"},"modified":"2026-07-14T17:39:22","modified_gmt":"2026-07-14T17:39:22","slug":"konfyra-access-control","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/konfyra-access-control\/","author":23444247,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.0","stable_tag":"trunk","tested":"7.0.1","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Konfyra Access Control","header_author":"Sill Software","header_description":"Restricts \/wp-admin\/ to Administrators (and any roles you explicitly exempt, e.g. Shop Manager). Every other logged-in role is redirected to a page you configure instead of seeing any part of the WordPress backend. Works with any plugin's roles \u2014 WCFM\/Dokan\/MultiVendorX\/WC Vendors vendors, MemberPress members, or any custom role \u2014 since the lockdown logic is plain WordPress role\/capability checks, not tied to any one plugin.","assets_banners_color":"97b2c0","last_updated":"2026-07-14 17:39:22","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"https:\/\/konfyra.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":26,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"gsrcoimbatore","date":"2026-07-14 18:01:45"}},"upgrade_notice":{"1.1.0":"<p>Adds a configurable default redirect path. Existing installs keep their\ncurrent WooCommerce\/homepage fallback behavior automatically \u2014 no action\nrequired unless you want to customize it.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3607900,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3607900,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3607900,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3607900,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Settings \u2192 Konfyra Access Control \u2014 role checkboxes, vendor dashboard\npath, default redirect path, and the admin-bar toggle."}},"plugin_section":[],"plugin_tags":[1912,1932,22914,600,286],"plugin_category":[45,54,58],"plugin_contributors":[271533],"plugin_business_model":[],"class_list":["post-338347","plugin","type-plugin","status-publish","hentry","plugin_tags-access-control","plugin_tags-membership","plugin_tags-multivendor","plugin_tags-security","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_category-user-management","plugin_contributors-gsrcoimbatore","plugin_committers-gsrcoimbatore"],"banners":{"banner":"https:\/\/ps.w.org\/konfyra-access-control\/assets\/banner-772x250.png?rev=3607900","banner_2x":"https:\/\/ps.w.org\/konfyra-access-control\/assets\/banner-1544x500.png?rev=3607900","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/konfyra-access-control\/assets\/icon-128x128.png?rev=3607900","icon_2x":"https:\/\/ps.w.org\/konfyra-access-control\/assets\/icon-256x256.png?rev=3607900","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Multi-vendor plugins (WCFM, Dokan, MultiVendorX, WC Vendors) generally\nredirect vendors to a frontend dashboard <em>after login<\/em>, and most offer a\ncapability toggle for \"backend access.\" In practice, both of those are\nlogin-flow conveniences, not hard access controls \u2014 a vendor who directly\nvisits <code>\/wp-admin\/<\/code> after logging in can often still land on some part of\nthe WordPress backend. The same gap exists for membership and course\nplugins (MemberPress, LearnDash, etc.) whose members are typically just\nSubscribers under the hood.<\/p>\n\n<p>This plugin adds the missing hard block:<\/p>\n\n<ul>\n<li>Every <code>\/wp-admin\/<\/code> request is checked on <code>admin_init<\/code>.<\/li>\n<li>Administrators (and any role you explicitly exempt \u2014 e.g. Shop Manager)\npass through untouched.<\/li>\n<li>Everyone else is redirected: configured \"vendor\" roles go to your vendor\ndashboard URL; everyone else goes to a default path you configure \u2014 a\nMemberPress account page, a LearnDash dashboard, anything \u2014 or, if left\nblank, WooCommerce My Account (if active) or the homepage.<\/li>\n<li>AJAX (<code>admin-ajax.php<\/code>), cron, and REST requests are always left alone,\nsince marketplace and membership plugins alike route frontend actions\nthrough them internally. Blocking these would break the site, not just\nthe backend.<\/li>\n<li>The admin toolbar is optionally hidden on the frontend for restricted\nroles too, closing a smaller but related information leak (plugin\nnames\/versions, site health notices).<\/li>\n<\/ul>\n\n<p>This isn't tied to any one plugin's ecosystem \u2014 the lockdown itself is\nplain WordPress role and capability logic. It was built with WCFM \/ Dokan\n\/ MultiVendorX \/ WC Vendors marketplaces in mind, but works identically\nfor MemberPress members, LearnDash students, or any custom role your own\ncode registers.<\/p>\n\n<p>All of this is configured from <strong>Settings \u2192 Konfyra Access Control<\/strong> \u2014 the\nrole checkboxes are populated from the roles actually registered on your\nsite, so there's no need to guess whether your plugin calls its vendor\nrole <code>vendor<\/code>, <code>seller<\/code>, <code>wcfm_vendor<\/code>, or <code>dc_vendor<\/code>.<\/p>\n\n<h4>A note on trademarks<\/h4>\n\n<p>This plugin is not affiliated with, endorsed by, or sponsored by\nAutomattic, WooThemes\/WooCommerce, weDevs (Dokan), WCFM, MultiVendorX, WC\nVendors, or MemberPress. Their names are mentioned solely to describe\ncompatibility.<\/p>\n\n<h4>Before enabling on a live site<\/h4>\n\n<p>Test on staging first, same as any access-control change. If you use a\nShop Manager (or similar staff) role that needs order\/product screens in\nwp-admin, make sure to check that role under \"Roles allowed in wp-admin\"\nbefore saving \u2014 it's exempt by default on first activation, but confirm\nit after your first save.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>konfyra-access-control<\/code> folder to <code>\/wp-content\/plugins\/<\/code>,\nor install the zip directly via Plugins \u2192 Add New \u2192 Upload Plugin.<\/li>\n<li>Activate the plugin.<\/li>\n<li>Go to Settings \u2192 konfyra Access Control and configure which roles are\nexempt, which are \"vendor\" roles, your vendor dashboard URL, and the\ndefault redirect path for everyone else.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"my%20frontend%20ajax%20calls%20stopped%20working%20after%20activating%20this.\"><h3>My frontend AJAX calls stopped working after activating this.<\/h3><\/dt>\n<dd><p>They shouldn't \u2014 <code>admin-ajax.php<\/code> requests are explicitly exempted\nregardless of role. If something broke, check whether another plugin is\nmaking a direct (non-AJAX) request into <code>\/wp-admin\/<\/code> to fetch data, which\nis unusual but not impossible; exempt that role temporarily to confirm,\nthen report the specific plugin\/action.<\/p><\/dd>\n<dt id=\"does%20this%20replace%20my%20marketplace%20or%20membership%20plugin%27s%20own%20capability\"><h3>Does this replace my marketplace or membership plugin's own capability<\/h3><\/dt>\n<dd><p>settings? =<\/p>\n\n<p>No \u2014 use both. This plugin is the hard enforcement layer; your other\nplugin's own capability toggles still control what a vendor or member can\nsee and do <em>within<\/em> their own frontend dashboard.<\/p><\/dd>\n<dt id=\"i%20locked%20myself%20out.%20what%20do%20i%20do%3F\"><h3>I locked myself out. What do I do?<\/h3><\/dt>\n<dd><p>Connect via FTP\/SFTP or your host's file manager, rename or delete the\n    konfyra-access-control folder in <code>wp-content\/plugins\/<\/code> \u2014 WordPress\ndeactivates a plugin automatically if its files disappear, restoring your\nown wp-admin access immediately.<\/p><\/dd>\n<dt id=\"does%20this%20work%20with%20a%20custom%20login%20page%20or%20sso%20plugin%3F\"><h3>Does this work with a custom login page or SSO plugin?<\/h3><\/dt>\n<dd><p>Yes \u2014 the check runs on <code>admin_init<\/code> regardless of how the user\nauthenticated, so it applies uniformly.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added a configurable default redirect path for any role that isn't a\nvendor role and isn't exempt (e.g. MemberPress members, LearnDash\nstudents) \u2014 previously this always went to WooCommerce My Account or\nthe homepage with no way to customize it.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<\/ul>","raw_excerpt":"Locks non-admin roles out of wp-admin entirely, redirecting them to a frontend page you choose instead.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/338347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=338347"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/gsrcoimbatore"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=338347"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=338347"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=338347"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=338347"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=338347"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=338347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}