How to Create a WordPress Back End That’s Safe for Clients

Last Updated on September 22, 2022


Once you’ve handed over a WordPress website to a client, it should be champagne for everyone.

Unfortunately, in reality, Murphy’s Law tends to take precedence over champagne moments. There are plenty of things that can (and do) go wrong after handover, and the client may very well be the person who unintentionally nukes his own site. All it takes is a bit of innocent tinkering with the theme files, plugins, or maybe even widgets, and suddenly you will have a problem where there shouldn’t be one.

As WordPress adds more power and the dashboard grows more complex, it is important to consider an approach similar to encapsulation in object-oriented programming: make the power of WordPress available to clients while selectively hiding key functions in order to protect the site from accidental corruption.

In this post I want to give you a number of tips and best practices that will enable you to achieve something close to that. So without further ado, let’s crack on with creating a WordPress back end that is safe for (and from!) clients.

Get Started with Best Practices

Before we go into the gritty details, it will serve us well to look at some best practices for security – even if they are seemingly unrelated to the topic at hand.

Basic Security Measures

A website that has the basics covered is more likely to be safe. So, make sure you’ve executed the simplest of security measures at a bare minimum, including:

  1. replacing the “admin” username,
  2. changing the login page from the default wp-login.php, and
  3. adding brute force login protection.

For more information, take a look at Nick’s WordPress security guide. And remember: a strong password is your first line of defence, so always pick one that’s as strong as a horse.

User Roles

The next thing on your list should be handling of user roles in WordPress.

If it can be avoided, keep the administrator role to yourself. In an ideal world, there should only be one administrator. In a multisite installation, keep both the Super Administrator and Administrator accounts stashed away.

The administrator account shouldn’t be a regular work profile; instead, encourage the client to use another account with fewer privileges.

Users can be assigned various roles to fit their functions on the site. Here’s a quick look at the WordPress user roles and what each can do.

  • The Super Admin (available on multisite installations only) has full access to the site network.
  • The Administrator has access to all features within a single site.
  • An Editor can take control over the publishing and management of all posts and pages on a website, and additionally perform comments moderation without limitation.
  • An Author can manage, publish and edit his own posts.
  • A Contributor can manage his own posts, but cannot publish them.
  • A Subscriber only has read privileges, and cannot make any changes to the website.

The default role of a new user can be set in Settings > General from the WordPress dashboard. Administrators can view and change the roles of all users by navigating to All Users > Users.
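The built-in roles are coarse, and the encapsulation idea from the introduction can be taken one step further by giving the client a role of his own. The following is an added example, not code from the post: it registers a hypothetical "client" role as a copy of Editor with a handful of capabilities removed (the role name and the capability list are my choices). It assumes it lives in a small site-specific plugin, because register_activation_hook() does not fire for a theme's functions.php.

```php
<?php
// Added example (not from the post): register a restricted "client" role
// derived from the built-in Editor role. add_role() persists the role in
// the database, so this runs once on plugin activation rather than on
// every request.

function client_safe_register_role() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return; // Editor role missing: nothing sensible to derive from
    }

    // Start from the full Editor capability map (cap name => true).
    $caps = $editor->capabilities;

    // Capabilities a client account should not have. unfiltered_html is the
    // important one: on a single site it lets an Editor paste raw <script>
    // or <iframe> markup into posts, which WordPress otherwise strips.
    $remove = array(
        'unfiltered_html',
        'delete_others_posts',
        'delete_others_pages',
        'delete_published_posts',
        'delete_published_pages',
        'manage_categories', // keeps the taxonomy structure stable
    );
    foreach ( $remove as $cap ) {
        unset( $caps[ $cap ] );
    }

    // add_role() returns null if the role already exists; check first so a
    // re-activation does not silently keep an outdated capability set.
    if ( null === get_role( 'client' ) ) {
        add_role( 'client', 'Client', $caps );
    }
}
register_activation_hook( __FILE__, 'client_safe_register_role' );

// Clean up on deactivation; users left with this role fall back to
// having no role until an administrator reassigns them.
function client_safe_remove_role() {
    remove_role( 'client' );
}
register_deactivation_hook( __FILE__, 'client_safe_remove_role' );
```

Once the plugin is active, the new role appears in the Role drop-down on the user edit screen like any built-in role. Because a role's capabilities are stored rather than computed, change the list above and re-run the activation (deactivate, then activate) when you need to adjust it.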

Simplify the Dashboard for the Client

Simplifying the dashboard has multiple benefits. You get to declutter the screen to free up some real estate, and you get to hide potentially damaging options like plugin and theme editors.

Stash Away Menu Items

The WordPress dashboard’s sidebar is full of items and options. Setting up roles for users will do away with several of these, but there may be a situation where you would prefer to remove some other items of your choice. This is where you use remove_menu_page() and remove_submenu_page(). You just need to add some code to your functions.php file:

// Remove specific menu items for users who cannot manage options
function remove_menus() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // 'tools.php' is the menu slug of the Tools menu
        remove_menu_page( 'tools.php' );
    }
}
add_action( 'admin_menu', 'remove_menus' );

This code will remove the Tools menu for anyone without the manage_options capability, i.e. anyone who isn’t an administrator. You can use the current_user_can() function to selectively choose items per user role. The key item to remember here is the menu slug. WordPress menu slugs are fairly descriptive, but some differ slightly from the menu names. This WordPress Codex example has a list of all menu slugs and the associated menus.

Keep in mind that these functions aren’t supposed to remove these options for the administrator, and thus apply only to users at the Editor level and below. Also, they don’t really remove the menus; they only hide the links. Clients could still access those screens through a direct hyperlink, because the user’s capabilities are unchanged.
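Since hiding a menu item does not stop a direct request to its URL, a safer pattern is to hide the link and also refuse the screen itself. The following is an added example (not the post's code) for functions.php: it keeps one list of admin screen file names, hides the corresponding menus for users without manage_options, and on admin_init rejects a direct request to any of those screens with a 403. The function names and the choice of tools.php as the protected screen are mine.

```php
<?php
// Added example (not from the post): hide admin menus AND block direct
// access to the same screens, since remove_menu_page() only hides the link.

// Screens to keep away from non-administrators. These are the file names
// remove_menu_page() uses as slugs and that $pagenow reports on request.
function client_safe_hidden_screens() {
    return array( 'tools.php' );
}

// 1. Hide the menu entries. Priority 999 runs after plugins have added
//    their own menus, so nothing re-adds the entry behind our back.
function client_safe_hide_menus() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep everything
    }
    foreach ( client_safe_hidden_screens() as $slug ) {
        remove_menu_page( $slug );
    }
}
add_action( 'admin_menu', 'client_safe_hide_menus', 999 );

// 2. Enforce it: a typed URL such as /wp-admin/tools.php still loads the
//    screen for an Editor, so check the requested screen on every admin
//    request and stop with a 403 when it is on the list.
function client_safe_block_direct_access() {
    global $pagenow; // set by WordPress to the admin file being requested

    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( wp_doing_ajax() ) {
        return; // admin-ajax.php is never on the list; leave it alone
    }
    if ( in_array( $pagenow, client_safe_hidden_screens(), true ) ) {
        wp_die(
            esc_html__( 'You do not have permission to open this screen.' ),
            esc_html__( 'Access denied' ),
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'client_safe_block_direct_access' );
```

Extending the protected list is a matter of adding file names to client_safe_hidden_screens(); both halves read from it, so a screen can never be blocked without also being hidden, or the reverse.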

Add Help and Pointers

It can be useful to offer quick pointers and help to the client on the dashboard, and encourage them to call you – the developer – rather than attempt to make changes themselves (even if they seem trivial). Adding a widget is a great way to let the client know where to find the right information.

// Add a custom dashboard widget

// Callback that prints the widget body
function textfor_dashboard_widget( $post, $callback_args ) {
    echo '
    <p>Hello Mr. Client, remember to contact your developer before you make changes to the plugin or theme.</p>
    <ul>
        <li>Website</li>
        <li>Phone Number</li>
    </ul>
    ';
}

// Register the widget when the dashboard is set up
function add_dashboard_widgets() {
    wp_add_dashboard_widget( 'dashboard_widget', 'Hello Mr. Client', 'textfor_dashboard_widget' );
}

add_action( 'wp_dashboard_setup', 'add_dashboard_widgets' );

This is how your widget will look:

Custom Dashboard Widget

Another useful thing would be adding help text to various menu items and functions, to let the client know exactly what to expect from the item they are about to use. Custom text can be a huge help, as you can focus on the requirements of the client. The add_help_tab() function is what you need.

// Add help text to a specific page

function adding_help_tab() {
    $screen = get_current_screen();

    // Only on the post editor screens
    if ( $screen && 'post' == $screen->post_type ) {
        $screen->add_help_tab( array(
            'id'      => 'post',
            'title'   => 'Writing Guidelines',
            'content' => '<strong>Hello, please keep these writing guidelines in mind.</strong>
                <ul>
                    <li>The content you add must be unique.</li>
                    <li>Add relevant and exciting images with your content.</li>
                    <li>Remember to add title, alt text, and a descriptive caption for your images.</li>
                </ul>',
        ) );
    }
}
add_action( 'admin_head', 'adding_help_tab' );

And this is how it will look:

Custom Help Text in WordPress

Disable Theme and Plugin Editing

We can hide the theme and plugin editing options, but that may not necessarily be enough; it may be smarter to disable editing altogether.

A quick way of preventing theme editing is to set the file permissions to 644 using either chmod or an FTP client. Changes to the theme will then require the use of an FTP client.

However, a more elegant way that covers themes as well as plugins is possible with the wp-config.php file. All you need to do is add one line:

define( 'DISALLOW_FILE_EDIT', true );
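For reference, here is the relevant part of wp-config.php with the default, the recommended setting and a stricter companion constant side by side. This is an added example, not from the post; the only thing it assumes is that the lines sit above the "That's all, stop editing!" comment that ships in wp-config.php.

```php
<?php
// Added example (not from the post): wp-config.php settings for file editing.
// Place these above the "That's all, stop editing!" line.

// Default behaviour: the constant is simply undefined, so Appearance > Theme
// File Editor and Plugins > Plugin File Editor are available to anyone with
// the edit_themes / edit_plugins capabilities (administrators).
// define( 'DISALLOW_FILE_EDIT', false );

// Recommended: removes both editors from the dashboard. WordPress also drops
// the edit_themes, edit_plugins and edit_files capabilities, so the editor
// screens cannot be reached by typing their URL either.
define( 'DISALLOW_FILE_EDIT', true );

// Optional, stricter: additionally blocks installing, updating and deleting
// themes and plugins from the dashboard, and dashboard core updates. Only
// use this where the developer applies updates through deployment;
// otherwise the site stops receiving security updates from the dashboard.
define( 'DISALLOW_FILE_MODS', true );
```

DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT, so the second define is redundant when the third is present; keeping both makes the intent obvious to whoever reads the file next.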

Redirect Non-Admin Users

This option is especially useful for sites that may otherwise have several people accessing the dashboard.

Authors and contributors could simply be whisked away to a custom page for submitting their content, rather than being allowed into the dashboard. This will require the following PHP code in your functions.php file:

// Redirect non-admin users away from the dashboard to a custom URL

add_action( 'init', 'redirect_non_administrator' );
function redirect_non_administrator() {
    // Check whether the user is an administrator
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
        // Make sure AJAX calls aren't blocked by the redirect
        ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        // Replace my_custom_url with the target URL
        wp_redirect( 'my_custom_url' );
        exit;
    }
}

Keeping dashboard access to only a specific few will automatically translate into a safer back end for the website.

Get Plugins on the Job

You could make quick, small changes with code, but if some sweeping changes are the order of the day, get plugins to do the job. They will allow you the flexibility to either remove a few items, or go the whole nine yards and white label the dashboard. Here are a couple of plugins to consider:

White Label CMS

White Label CMS can make website backend safer for clients

White Label CMS is a very popular and free plugin to customize the dashboard. The plugin enables you to customize dashboard panels and logos and remove menus, and also grants Editor access to certain menus and widgets.

The plugin’s settings offer four major options:

Settings Area of White Label CMS

Branding will enable you to make cosmetic changes like:

  1. swapping the WordPress logo with your own,
  2. adding information to the footer, and
  3. introducing a custom CSS for the login page.

True to its name, the Dashboard Panels screen enables you to control which panels to show and hide. You can also create a couple of custom widgets or add an RSS widget.

The Admin Settings can be used to allow a login URL redirect, or hide things like the Nag Update, Screen Options and Help Box. You can also clear up the clutter of meta boxes in page and post options, which should come as a relief. The option also allows custom CSS for the WordPress admin.

The Modify Menus Option of White Label CMS

The Modify Menus option is a major player here, and very relevant to our current discussion. It enables you to decide which menu options should be available to the Editor user role. This box offers two custom profiles – Website or Blog – to make the recommended menu items available to the user, or you can select custom items. There’s also an option to grant the Editor access to the Appearance menu, which you should steer clear of unless you understand the risks involved.

Download | More Information

Ultimate Branding

Ultimate Branding Plugin Can Make the Backend Better for Clients

It is only fair that we add a paid/premium plugin to match the free offering above. Ultimate Branding is a powerful plugin that enables you to modify and rebrand the dashboard and login page. Apart from cosmetic changes like branding and colors, it grants control over dashboard widgets, user role specific menu items, fonts, a customized help content area, plus many more major and minor changes.

Ultimate Branding – as the name implies – is more about modifying the dashboard to create a custom appearance. That however, does not mean that this plugin skips over essential functionality. The settings area of the plugin offers five options: Dashboard, Text Change, Images, Admin Bar and Widgets:

Ultimate Branding Plugin Settings Area

It performs similar functions to White Label CMS but is more powerful and has more options on offer (as you would expect from a premium plugin). For example, you can even change the conventional WordPress greeting (“Howdy, username”) to your own preference, or make bigger changes like deciding what widgets to show and creating a custom appearance for the dashboard.

Price: $19 monthly | More Information

Complete Customization with Dashboard Themes

Dashboard Themes have been getting a lot of attention recently, and only seem to be growing in popularity.

They currently operate in a limbo state between actual themes and plugins. Most of these themes actually are plugins, but it’s the direction they are taking that sets them apart.

Here are a couple of quality examples to give you a taste!

Forest

Forest Dashboard Theme for WordPress
Forest has a simple agenda: to make the dashboard look good. It can control menu items, widgets and the login page, all while looking fabulous with a custom design.

This theme is geared towards eCommerce, and you will find that the menu and widgets have been modified to suit. The settings area has options for changing the appearance of the dashboard as well as the login page. You can also add your custom CSS.

Price: $14 | More Information

Easy Blogging

Easy Blogging Theme for a Simplified Dashboard
Forest might want to look fabulous, but Easy Blogging wants to simplify things as far as it can. The theme is especially designed to simplify the Dashboard, which is exactly what we want. As with the others, this theme will grant control over menu options, widgets, login page and the dashboard.

Easy Blogging is geared at novice users who want to get their work done, plain and simple, without having to deal with a single shred of complexity. It strips the dashboard down to the essentials of pages, posts and comments, thus making it an area free of possible trouble. If you have a mind to go back to the complexities of the conventional dashboard (especially for admin purposes), you can quit ‘simple mode’ and get to work. It pretty much makes the dashboard foolproof – at least where the possibility of keeping the site safe from accidental damage is concerned.

Price: $19 monthly | More Information

Custom Code the Backend

Let’s finish off with an ambitious suggestion: create your very own custom theme for the Dashboard (via a plugin). Doing so will give you the greatest possible control over your work and enable you to create a truly safe WordPress backend that (1) you want, and (2) your clients deserve.

The possibilities with such an option are huge. For example, you could create a seamless transition from the WordPress front end to back end, making it less intimidating and much simpler for the client.

I’ll leave it there as a tantalizing suggestion. If you’re interested in us exploring this topic further, let me know in the comments section below!

Conclusion

The default WordPress back end can be overwhelming for clients – especially novices. Simple mistakes or changes from the client can create big trouble for the website. As such, it’s worth the time and effort – for the client as well as the developer – to delve into methods that make the WordPress back end client-proof. You can create a best-of-both-worlds scenario: the complexity of the dashboard can be hidden away from the client without compromising the power of WordPress.

We have listed several tips for making the back end safer for clients in this post, but there are of course many other options. Customized dashboard themes are especially promising – they add more power while hiding the complexity. The dashboard could become a powerhouse with custom widgets and increased functionality for clients.

What measures do you take to simplify the WordPress dashboard and make websites ‘client-proof’? Share with us in the comments section below!

Image courtesy of Voin_Sveta / shutterstock


15 Comments

  1. Hi! Very nice topic! It’s simply very well written and useful!
    I was interested on how to create my very own custom theme for the Dashboard. Could you please explain more about that?
    Thanks!
    🙂

  2. Thank you Tom for sharing the most important tips to improve WordPress security for clients. I will add them to my checklist to make sure my plugin or backend code is strong.

  3. Actually, security is very important for our WP site. We should back up our client sites regularly, and we should also check their sites for security loopholes. I got very useful information from this post. Thanks for your hard work.

  4. Maybe this is the wrong place for this comment, but how do you go about keeping your layout safe FROM clients?

    Especially when using things like Divi and other Visual Composer type layout builders?

    How do you keep your client from severely breaking the layout of the site while letting them manage their own content?

    • Kevin, I don’t think it matters what you do, some clients will change your carefully crafted work into something that looks like a 6 year old did it. They don’t understand that whilst their website may be about them, it’s not for them. It doesn’t matter to them that what you did falls into line with web design practices, and meets the ‘above the fold’ requirements, they want to put their own stamp on it. And let’s face it, some people don’t have very good taste. It drives me crazy.

      • I agree. You spend a lot of time putting together a nice site. Then the client wants the ability to add pages and blog posts, etc. Unfortunately, they will never conform to our layout style because they don’t see the site and design like we do. This is the downfall of WP. Even if you give them an Editor Role, they still have access to ruin the site layout and add a bunch of junk. I think WP should add custom options within the role status core. The White Label CMS has options, but if you enable adding pages, there’s really nothing you can do. Even if you train your client. Remember they are paying us to build a site. If they could do it, they wouldn’t be hiring us. Then you want to backlink their site to yours to show off your work. A new client visits the site and thinks this is nice until they start navigating. Only to find out it looks like the client let their 10 year old nephew who likes to draw and play on the iPad get in there and start “playing”. Very frustrating indeed.

        • After each build, I do a video walkthrough of the site the way I designed it – that way I can show my work when I handed it off. The live site can confirm the layout I did is still in use, but the video shows how it was when it was first created. Makes a nice internal portfolio too: users don’t have to leave your site to see your work.

  5. Thank you for this post!

    do you have more explanation for:

    1. changing the login page from the default wp-login.php, and
    2. adding brute force login protection.

    do you use a plugin?

    • Jimmy,

      Brute force is available with most security plugins, including Wordfence, iThemes Security, & JetPack. Read more about JetPack’s offering on WPTavern http://wptavern.com/jetpack-3-4-adds-protection-against-brute-force-attacks

      You can use the iThemes Security plugin to also change the default wp-login.php file. Just back up your site before messing around with any of the security plugins, as they can cause issues depending on your setup.

      Remember that hiding the login by changing your URL is a version of security by obscurity, a minimal defense tactic, & many (if not most) attackers will find that page anyway. I still think it’s worth doing, but don’t get a false sense of security from it. Change your salt keys, use strong login credentials, keep regular backups, & follow WP’s codex for additional security hardening tips: http://codex.wordpress.org/Hardening_WordPress

    • I’d like more tips on these two things, as well!

      Perfect timing, as usual, for this article. The WP admin is overwhelming for many of my non-technical clients and I have been wanting to do some research on simplifying it. Thanks for coming to the rescue yet again, ET!

  6. Awesome post! I am in the market for just such a thing. I would love to hear more from you guys on the subject if you dig any deeper.

  7. This is a great article. I highly recommend another plugin be added to the list.

    AAM - Advanced Access Manager

    I use it on all of my sites. You can restrict which menu functions, plugins, pages, posts, widgets, etc. each specific user, or user role has access to. It is a must have for clients. I use AAM along with White Label CMS for a perfect white label experience.

  8. Thanks for the tips. I do like the idea of simplifying the display and disabling certain functions. However, I’m reluctant to white-label or visually change the back end for a couple of reasons. One, it seems more beneficial that clients know what CMS they’re using and the company behind it. Two, if you change the dashboard too much, WordPress training videos and tutorials (such as those from WP101) might be confusing. Have you experienced any downsides?

  9. Just wondering if the coding and plugins work well with Divi. I haven’t used Divi myself, but I know that ET has a custom dashboard.

    • Yes, it works. The ET custom dashboard is just theme options that work great with the WordPress ecosystem.
