Options for restricting access to wp-admin

So I’ve installed a plug-in which allows me to enable two-factor authentication for my users. The problem is that to enable the plug-in I have to log in as that user and enable it via their profile page (wp-admin).

This isn’t a problem except for the fact that there’s nothing stopping the users from logging in and disabling the two-factor authentication, which is an issue.

I’ve looked around at a few issues and none have seemed to work; essentially I want to restrict backend access to only a select few (myself and a few others).

I’ve tried stealth login and a few htaccess solutions and none have seemed to work.

Any ideas?

3 Answers

You could make it a mu-plugin (‘Must Use’ plugin). Any PHP file you put into /wp-content/mu-plugins/ will automatically get included in WordPress. You can’t deactivate the plugin (unless you have FTP access to the server). If you go with a mu-plugin, make sure to put the functionality into a subdirectory and bootstrap it with a PHP file in the mu-plugins directory.

EDIT

After reading the comment, I think I understand the problem better. It sounds like you want to be able to lock people out of the admin altogether. That’s not so difficult. Try this:

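// Send every user who lacks the manage_options capability (non-admins) back to the front page.
function my_awesome_admin_lockout(){
  // is_admin() is also true for admin-ajax.php, which front-end AJAX relies on, so skip those requests.
  if( is_admin() && !wp_doing_ajax() && !current_user_can( 'manage_options' ) ) {
    wp_redirect( home_url() );
    die();
  }
}

add_action( 'init', 'my_awesome_admin_lockout' );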

Basically, that locks everybody but admins out of the admin area.
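Both suggestions from this answer combined into one must-use plugin, as an added example that is not part of the original answer. The file paths and the `mu_lockout_*` function names are hypothetical, and it assumes only users with `manage_options` should reach the dashboard.

```php
<?php
/**
 * File: wp-content/mu-plugins/admin-lockout/admin-lockout.php (hypothetical path)
 *
 * WordPress auto-loads only the PHP files placed directly in mu-plugins/, not
 * files in its subdirectories, so a one-line bootstrap sits next to this folder:
 *
 *   wp-content/mu-plugins/admin-lockout-loader.php
 *     <?php require_once __DIR__ . '/admin-lockout/admin-lockout.php';
 */

defined( 'ABSPATH' ) || exit; // Refuse direct requests to this file.

/** True when the current user may use the dashboard (assumption: admins only). */
function mu_lockout_user_allowed() {
    return current_user_can( 'manage_options' );
}

/** Redirect everyone else away from wp-admin screens, including profile.php. */
function mu_lockout_guard_admin() {
    if ( mu_lockout_user_allowed() ) {
        return;
    }

    // admin-ajax.php and admin-post.php live under wp-admin but serve
    // front-end features (AJAX widgets, form handlers), so keep them reachable.
    global $pagenow;
    if ( wp_doing_ajax() || 'admin-post.php' === $pagenow ) {
        return;
    }

    // wp_safe_redirect() only redirects to hosts WordPress allows.
    wp_safe_redirect( home_url() );
    exit;
}
// admin_init runs only for requests under wp-admin, after the login check.
add_action( 'admin_init', 'mu_lockout_guard_admin' );

/** Hide the toolbar so locked-out users get no links into wp-admin. */
function mu_lockout_toolbar( $show ) {
    return mu_lockout_user_allowed() ? $show : false;
}
add_filter( 'show_admin_bar', 'mu_lockout_toolbar' );
```

This guard covers page loads under wp-admin only; check whether the two-factor plugin exposes its per-user setting anywhere else before relying on it.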
