Remove menu items from admin page and limit capabilities

In your case the best solution is to create your own custom role and assign it only the capabilities your users need. Regarding WordPress, from what I can understand from your question, the only capability you should give them is read.

In this way they will see only the profile. Problems start with the plugin: you don’t say (or I don’t understand) which plugin you are using, so I can’t give better help.

Consider that a lot depends on how the plugin is coded: if it checks for some standard capabilities, e.g. you find in the code something like

if ( current_user_can('edit_posts') ) { /* do stuff */ }

it means that to make it work you have to assign the edit_posts cap to your role. But this is a problem: if you assign that capability, the Posts menu in admin will be shown. Of course you can remove that using remove_menu_page, but as you said in the question, this does not prevent users from accessing those admin screens directly if they know how to do it.

So what I suggest to you is:

  1. Create your custom role, starting by assigning it only the read cap.
  2. See the docs for your plugin and/or look at the code to understand which capabilities are required to make it work.
  3. Add these required capabilities to your role. If some standard caps are required (and so some standard menus will be shown), remove them with remove_menu_page.
  4. In that case, to prevent direct access, thanks to the fact that you have created a custom role, you can hook into the load-{$page} action and deny your custom role access to the admin screen.
  5. In the backend, go to Settings -> General and set ‘Custom Role’ as the New User Default Role.

How To

1) Create Role

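// Run this once (e.g. on plugin activation): add_role() stores the role in the database.
$subscriber = get_role( 'subscriber' );
// Capabilities are stored as 'capability' => true pairs, so key the array by cap name.
$plugin_caps = array( 'edit_posts' => true, 'cap_required_by_event_plugin' => true );
$all_caps = array_merge( $subscriber->capabilities, $plugin_caps );
add_role( 'custom_role', 'Custom Role', $all_caps );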

2) Understand the capability required by plugin

Look at the plugin docs. Do a multi-file search in the plugins folder, searching for keywords like 'current_user_can', 'user_can', 'has_cap'. If you have problems, try asking on the plugin support forum (if it exists), ask here, and google it. Developing is hard work! 😉

3) Add required capabilities to your role

The easiest way is to just add the required cap to the $plugin_caps array defined in point 1).

4) Prevent access to screen even if the capability is attached to custom role

Assuming you have to add the edit_posts cap to your role in order to make the event plugin work, first of all remove the menu.

add_action( 'admin_menu', 'custom_remove_menu_pages' );

function custom_remove_menu_pages() {
  $user = wp_get_current_user();
  if ( in_array('custom_role', $user->roles) ) {
    remove_menu_page('edit-comments.php');  
    remove_menu_page('tools.php');  
    remove_menu_page('edit.php'); 
  }
}

Then prevent access:

add_action( 'load-edit.php', 'custom_prevent_admin_access' );
add_action( 'load-tools.php', 'custom_prevent_admin_access' );
add_action( 'load-post.php', 'custom_prevent_admin_access' );
add_action( 'load-post-new.php', 'custom_prevent_admin_access' );

function custom_prevent_admin_access() {
  $user = wp_get_current_user();
  if ( in_array('custom_role', $user->roles) ) {
    wp_die("Sorry, you can't stay here.");
    exit();
  }
}

5) Set ‘Custom Role’ as New User Default Role


That’s all, hope it helps.
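
An added example, not part of the original answer: the load-{$page} hooks in step 4 refuse only the screens that are listed, so this variant inverts the rule and refuses every admin screen that is not on an allow-list for custom_role. The EVENT_PLUGIN_PAGE slug and the function names are assumptions made for illustration; the role name comes from the answer.

```php
<?php
// Added example: deny-by-default admin access for the 'custom_role' role.
// EVENT_PLUGIN_PAGE is a hypothetical ?page= slug; replace it with the slug
// of the plugin screen your users actually need.
const EVENT_PLUGIN_PAGE = 'event-plugin-slug'; // placeholder, not a real slug

// Admin files the restricted role may load; everything else is refused.
function custom_allowed_admin_files() {
  return array( 'index.php', 'profile.php', 'admin.php' );
}

// Pure decision function, testable without loading WordPress.
function custom_is_request_allowed( array $roles, $pagenow, $page_param ) {
  if ( ! in_array( 'custom_role', $roles, true ) ) {
    return true; // other roles are governed by their own capabilities
  }
  if ( ! in_array( $pagenow, custom_allowed_admin_files(), true ) ) {
    return false;
  }
  // admin.php hosts every plugin screen, so pin it to the one expected slug.
  if ( 'admin.php' === $pagenow ) {
    return EVENT_PLUGIN_PAGE === $page_param;
  }
  return true;
}

function custom_enforce_admin_allow_list() {
  global $pagenow;
  // admin-ajax.php and admin-post.php also fire admin_init; they are left
  // to the capability and nonce checks of their own handlers.
  if ( wp_doing_ajax() || 'admin-post.php' === $pagenow ) {
    return;
  }
  $user = wp_get_current_user();
  // Compare the raw string strictly; a non-string value never matches.
  $page = ( isset( $_GET['page'] ) && is_string( $_GET['page'] ) ) ? wp_unslash( $_GET['page'] ) : '';
  if ( ! custom_is_request_allowed( (array) $user->roles, $pagenow, $page ) ) {
    wp_die( 'Sorry, you are not allowed to access this page.', 'Forbidden', array( 'response' => 403 ) );
  }
}

// Guarded so the file can also be included outside WordPress for testing.
if ( function_exists( 'add_action' ) ) {
  add_action( 'admin_init', 'custom_enforce_admin_allow_list' );
}
```

Blocking screens only covers wp-admin pages: a capability such as edit_posts granted to the role is still honoured by the REST API and by AJAX handlers, so grant only the capabilities the plugin really needs.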