If you are setting up a WordPress site for your clients (or friends), you want to make WordPress easy for them to use while keeping them from making big changes that can damage the site.
If your goal is to create a site that matches users’ needs, then you’ll want to dumb it down and remove all extraneous functionalities. An effective setup should naturally prevent any WordPress user error. Let’s examine your options for avoiding a WordPress error while still making it easier for your client to use.
1. Limit administrator accounts
Some team members or clients may be proficient in using WordPress while others aren’t. The WordPress admin role puts both power and responsibility on whoever assumes that position. If a client or user isn’t a proficient WordPress user, then you should limit their responsibility to that of an editor. Set up a separate admin account for them; this prevents them from poking into sensitive parts of the site.
You may hold admin credentials until the client is able to manage the account. Alternatively, you may give the client both admin and editor credentials. If choosing the latter, let them save the more sensitive admin login for only the times when they need to perform high-level admin functions.
Limiting admin accounts reduces your exposure to security and other operational vulnerabilities. It also makes the dashboard user interface less overwhelming for new WordPress users.
2. Turn off theme customizer options
Parent themes can offer customization options that conflict with their child themes. These conflicting options may cause code to break, or they may simply be unused in the child theme.
Using the theme customizer API for WordPress, it’s easy to remove the parent theme’s customization options by adding code (such as the snippet below) to your theme’s “functions.php” file. Each line in the snippet matches a theme customization option. You can disable any of these customization options by uncommenting its line.
    # Remove customizer options.
    function mte_remove_customizer_options( $wp_customize ) {
        // $wp_customize->remove_section( 'static_front_page' );
        // $wp_customize->remove_section( 'title_tagline' );
        $wp_customize->remove_section( 'colors' );
        $wp_customize->remove_section( 'header_image' );
        $wp_customize->remove_section( 'background_image' );
        // $wp_customize->remove_section( 'nav' );
        // $wp_customize->remove_section( 'themes' );
        // $wp_customize->remove_section( 'featured_content' );
        // $wp_customize->remove_panel( 'widgets' );
    }
    add_action( 'customize_register', 'mte_remove_customizer_options', 30 );
3. Use only relevant dashboard menu items
Not every WordPress website performs the same functions. In some cases a site may not need a blog. We can cut clutter by reducing the number of menus on the dashboard, as this makes the dashboard less confusing for users. In the example here, a Post menu is not needed, so we would add the code snippet below to “functions.php” to hide that functionality.
Each code snippet line below matches a specific dashboard menu. The file names used below may not always match the particular menu name used on your dashboard; only use the commented lines below as a quick reference.
    function mte_custom_menu_page_removing() {
        // remove_menu_page( 'index.php' );                 //Dashboard
        // remove_menu_page( 'jetpack' );                   //Jetpack*
        remove_menu_page( 'edit.php' );                     //Posts
        remove_menu_page( 'upload.php' );                   //Media
        // remove_menu_page( 'edit.php?post_type=page' );   //Pages
        remove_menu_page( 'edit-comments.php' );            //Comments
        // remove_menu_page( 'themes.php' );                //Appearance
        // remove_menu_page( 'plugins.php' );               //Plugins
        // remove_menu_page( 'users.php' );                 //Users
        // remove_menu_page( 'tools.php' );                 //Tools
        // remove_menu_page( 'options-general.php' );       //Settings
    }
    add_action( 'admin_menu', 'mte_custom_menu_page_removing' );
Before you hide the Post menu it looks like the following image.
After you hide the Post menu it looks like the following image.
Removing the Post menu is not the same as revoking user permissions. A user can still reach the hidden Post menu by entering its URL directly. Hiding menus in this way is great for removing dashboard clutter. However, if you’d rather prevent users from accessing this menu at all, then you’ll want to modify user roles. The code snippet below should be added to the activation hook of a plugin. (It only needs to run once.)
    global $wp_roles; // global class
    $role = 'author';
    $cap = 'delete_published_posts';
    $wp_roles->remove_cap( $role, $cap );
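The role change described above, wrapped in the activation hook the text mentions and paired with a deactivation hook that reverses it. This is an added example, not code from the original article; the plugin name, the `mte_lockdown_*` function names and the extra `delete_posts` capability are assumptions.

```php
<?php
/**
 * Plugin Name: MTE Role Lockdown (added example, hypothetical name)
 */
defined( 'ABSPATH' ) || exit;

// Capabilities to revoke per role. The author/delete_published_posts pair is
// the article's; delete_posts is an assumed extra for illustration.
function mte_lockdown_map() {
    return array(
        'author' => array( 'delete_published_posts', 'delete_posts' ),
    );
}

// Apply or undo the map. Role changes are written to the database, which is
// why this runs from the (de)activation hooks and not on every request.
function mte_lockdown_apply( $revoke ) {
    foreach ( mte_lockdown_map() as $role_name => $caps ) {
        $role = get_role( $role_name );
        if ( null === $role ) {
            continue; // Role does not exist on this site.
        }
        foreach ( $caps as $cap ) {
            if ( $revoke ) {
                $role->remove_cap( $cap );
            } else {
                $role->add_cap( $cap ); // Restores the stock author capability.
            }
        }
    }
}

function mte_lockdown_activate() {
    mte_lockdown_apply( true );
}
register_activation_hook( __FILE__, 'mte_lockdown_activate' );

function mte_lockdown_deactivate() {
    mte_lockdown_apply( false );
}
register_deactivation_hook( __FILE__, 'mte_lockdown_deactivate' );
```

Activation hooks do not fire for files placed in “mu-plugins,” so install this as a regular plugin and activate it once.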
4. Set up and use an mu-plugin directory
Very few developers have heard of the “mu-plugins” directory. Your mu-plugin directory is an alternative location for installing plugins. The prefix “mu” means “must use.” Plugins installed in the mu-plugin directory cannot be accidentally disabled through the dashboard, and they do not need to be manually activated – they are automatically activated.
Plugins installed in the mu-plugins directory load before other plugins. This preference for loading “must use” plugins first is beneficial for vital website plugins. Plugins that must be present for your site to run smoothly should go in the mu-plugin directory. Another benefit of using the mu-plugin directory is that content added to it remains active irrespective of theme changes or alterations.
Since the mu-plugin directory doesn’t come with WordPress, you’ll have to create it yourself inside of your “wp-content” folder.
There’s a limitation, though. WordPress ignores code inside subdirectories and only loads PHP files at the top level of “mu-plugins.” To work around this limitation, create one PHP file at the top level of “mu-plugins” and use that file to load code from the subdirectories beside it.
Another mu-plugin limitation is that you will not get update notifications. For this reason treat mu-plugins as a place for important code that your client shouldn’t have to think about. The Codex offers more information about mu-plugins.
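One way to write that top-level loader file, as an added example that is not from the original article. It loads only subdirectories named on an explicit list, so a directory dropped into “mu-plugins” is not executed automatically; the file name, the slugs and the `<slug>/<slug>.php` layout are assumptions.

```php
<?php
/**
 * Plugin Name: MTE mu-plugin loader (added example, hypothetical name)
 * Location:    wp-content/mu-plugins/mte-loader.php
 */
defined( 'ABSPATH' ) || exit;

function mte_load_mu_subdirectories() {
    // Hypothetical slugs. Assumed layout: mu-plugins/<slug>/<slug>.php
    $allowed = array( 'mte-site-core', 'mte-client-lockdown' );

    foreach ( $allowed as $slug ) {
        $entry = WPMU_PLUGIN_DIR . "/{$slug}/{$slug}.php";
        if ( is_readable( $entry ) ) {
            require_once $entry;
        } else {
            // A vital plugin is missing: record it in the PHP error log.
            error_log( "mte-loader: entry file not found for {$slug}" );
        }
    }

    // Report subdirectories that exist on disk but are not on the list.
    // They are never loaded; the log entry is there for whoever reviews the site.
    $dirs    = glob( WPMU_PLUGIN_DIR . '/*', GLOB_ONLYDIR );
    $present = array_map( 'basename', $dirs ? $dirs : array() );
    foreach ( array_diff( $present, $allowed ) as $extra ) {
        error_log( "mte-loader: ignoring unlisted directory {$extra}" );
    }
}
mte_load_mu_subdirectories();
```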
5. Turn off your site’s plugin and theme editors
It’s not professional to edit a live WordPress site’s plugin and theme files directly from the dashboard. It can lead to the site breaking. Live-editing your site also exposes it to hackers. To disable live-editing for themes and plugins, put this code in your site’s “wp-config.php” file. This code disables both theme and plugin editors.
define( 'DISALLOW_FILE_EDIT', true );
Wrapping up
In summary, you can reduce the likelihood of WordPress user errors by limiting administrator accounts, turning off theme customizer options, using only relevant dashboard menu items, setting up and using a mu-plugin directory, and turning off your site’s plugin and theme editors. We’d love to see your comments concerning these tips. Leave your comments below.
Nicholas Godwin is a technology researcher who helps businesses tell profitable brand stories that their audiences love. He’s worked on projects for Fortune 500 companies, global tech corporations and top consulting firms, from Bloomberg Beta, Accenture, PwC, and Deloitte to HP, Shell, and AT&T. You may follow his work on Twitter or simply say hello. His website is Tech Write Researcher.