Skip to main content

Understanding the Backend Menu Restricted Mode feature

Vasyl MartyniukBackend AccessAbout 2 min

WordPress is a versatile platform that allows users to create and manage websites with ease. One essential aspect of WordPress is controlling access to the backend, where website administrators and contributors perform various tasks. This access control is typically managed through roles and capabilities. However, some WordPress plugins and themes may reuse core capabilities, potentially leading to unintended behavior. In this article, we'll explore the challenges of managing backend access in WordPress and introduce a solution: the AAM "Backend Menu Restricted Mode".


WordPress employs a system of roles and capabilities to regulate what users can do within the platform. By default, WordPress provides several predefined roles, such as "Administrator", "Editor", "Author", "Contributor" and "Subscriber". Each role has its set of capabilities, defining the actions users with that role can perform. Administrators have the most extensive capabilities, while Subscribers have the least.

However, the intricacies of backend access control don't stop at predefined roles. Many plugins and themes developed for WordPress rely on these core capabilities to control access to their specific functionality. While this approach can be convenient, it can also lead to undesirable outcomes.

The pitfalls of reused capabilities

One common issue arises when plugins or themes reuse core capabilities like manage_options or edit_pages to control access to their features. When these capabilities are granted to users with even the lowest role, such as "Subscriber," it can result in unintended access to information and functionality that they should not be able to see.

As the roles become more advanced, the problem exacerbates. Higher-level roles, like "Editor" or "Author", may inadvertently gain access to features introduced by plugins or themes, creating security and data integrity concerns. Additionally, as plugins and themes evolve with updates, new functionality can become accessible to users who should not have access, further complicating the situation.

The solution

To address these challenges, Advanced Access Manager (AAM) introduces the "Backend Menu Restricted Mode". This feature offers an effective solution for managing backend access control in WordPress.

AAM Backend Menu Restricted Mode

By enabling the restricted mode, all backend menu items become inaccessible by default, unless explicitly allowed. Here's how AAM's restricted mode mitigates the aforementioned risks:

  • Prevent Unauthorized Access. AAM restricts access to existing plugin or theme functionality that users should not have access to based on their roles.
  • Manage Updates Effectively. When plugins or themes receive updates, AAM ensures that access to new functionality introduced by these updates is controlled according to the website's access policies.
  • Adapt to Changes. As new plugins or themes are added to the WordPress site, AAM's restricted mode prevents unintended access to their functionality until it's explicitly allowed.
  • Granular Control. AAM's restricted mode enables website administrators to prevent access to specific backend menu items even when commonly reused capabilities like manage_options or edit_pages are granted to users.


Managing backend access in WordPress is crucial to maintain security, data integrity, and overall website functionality. While roles and capabilities provide a foundation for access control, the reuse of core capabilities by plugins and themes can introduce complexities and security risks.

AAM's "Backend Menu Restricted Mode" offers a practical solution to these challenges, allowing website administrators to have granular control over who can access specific backend menu items. By enabling this feature, you can ensure that users only access the functionality they are explicitly allowed to, reducing the risk of unauthorized access and potential security vulnerabilities.

In the ever-evolving landscape of WordPress, having a robust access control mechanism like AAM's restricted mode is a valuable tool for website administrators, ensuring that their WordPress sites remain secure, compliant, and efficient.