I recently had to set up a demo site with a demo user in WordPress and wanted to lock down the user as much as possible to prevent any bad behavior. Creating a new role with limited permissions is easy, but I had to spend some time figuring out how to prevent a user from editing their own profile. There is not really any good way to do this with the actions/filters in the profile.php/user-edit.php files, so I decided the best thing to do would be to kill the page on the load action. Here is the function I came up with:

admin.php calls the action ‘load-$pagenow’, where the $pagenow variable is profile.php for the profile screen and user-edit.php for the user edit screen. You have to handle both pages because a clever WordPress user might know that they can edit their profile with both pages. So, when these actions are called, I call my function that disables the page. Because this is a demo site with a single demo user, I just care about blocking it for that user ID. So, I get the currently logged-in user’s information, check to see if that user is the user I want to block, then run the wp_die() command, which is a much cleaner version of the PHP die command. That’s it: now you can block the profile.php page from ever being displayed by a user, even when accessed directly.
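The same load-hook technique, generalized from a single user ID to whole roles and packaged as a small plugin file, as an added example that is not the author's code. The plugin header, the `demo_` function names and the role list are assumptions; `subscriber` and `contributor` are WordPress's default role slugs.

```php
<?php
/**
 * Plugin Name: Demo Profile Lock (added example, hypothetical name)
 */

// Assumption: the roles that must not reach the profile screens.
const DEMO_LOCKED_ROLES = array( 'subscriber', 'contributor' );

// True when the user holds a locked role and cannot manage other users.
function demo_user_is_locked( WP_User $user ) {
    if ( ! $user->exists() ) {
        return false; // Not logged in; core handles authentication.
    }
    if ( user_can( $user, 'edit_users' ) ) {
        return false; // Never lock out an account that administers users.
    }
    return (bool) array_intersect( DEMO_LOCKED_ROLES, (array) $user->roles );
}

// Stop both screens that can edit the current user's profile.
function demo_block_profile_screens() {
    if ( demo_user_is_locked( wp_get_current_user() ) ) {
        wp_die(
            esc_html( 'You are not allowed to edit the user profile on this demo.' ),
            '',
            array( 'response' => 403 ) // Send 403 instead of wp_die()'s default 500.
        );
    }
}
add_action( 'load-profile.php', 'demo_block_profile_screens' );
add_action( 'load-user-edit.php', 'demo_block_profile_screens' );

// Cosmetic only: hide the menu entries. The load-* hooks above are the control.
function demo_hide_profile_menu() {
    if ( demo_user_is_locked( wp_get_current_user() ) ) {
        remove_menu_page( 'profile.php' );
        remove_submenu_page( 'users.php', 'profile.php' );
    }
}
add_action( 'admin_menu', 'demo_hide_profile_menu' );
```

Checking roles and capabilities rather than a hard-coded ID keeps the block in place if the demo account is recreated with a different ID.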

8 Comments

  1. Can you please tell me where I place this in order to use it? It would be a big help, thank you.
    // Block the profile screens for one specific user.
    function disable_user_profile() {
        if ( is_admin() ) {
            $user = wp_get_current_user();
            // 2 is the ID of the user to block.
            if ( 2 == $user->ID ) {
                wp_die( 'You are not allowed to edit the user profile on this demo.' );
            }
        }
    }
    // Both screens can edit a profile, so hook both load actions.
    add_action( 'load-profile.php', 'disable_user_profile' );
    add_action( 'load-user-edit.php', 'disable_user_profile' );

  2. Hi Lew,

    A very nice snippet, just one question here. What if we want to do this for all subscribers and contributors?

    1. That’s easy…

      1. Thank you for the fast response. Instead of the wp_die, is a redirect to home also possible?
        I tried wp_redirect(home_url()); but that seems not to work for whatever reason.
        Thanks in advance for all your time and effort.

        1. wp_redirect has to be called earlier than the load-profile.php and load-user-edit.php actions. You’d probably have to call an earlier action (I think ‘wp’ would work) and check for the hook_suffix (or some similar global variable) to redirect.
