Subscribers will see the WP Events and News widget, but they shouldn’t be seeing the other stuff. Somewhere the theme and/or plugins are adding widgets in a way that’s allowing all user levels to see them. You can either hit up the support teams for the themes and plugins that are adding them, or you … Read more
try increasing WordPress Memory Limit to 256M The most common cause of this error is lack of memory available for WordPress to use. To fix this, you need to increase the amount of memory PHP can use on your server. You can do this by adding the following code to your wp-config.php file. define( ‘WP_MEMORY_LIMIT’, … Read more
Looking at current_user_can()‘s documentation, I see that it uses WP_User::has_cap(). So if your code (or the WP core code) uses something like current_user_can( ‘edit_post’, $post->ID ) to determine if the current user can edit the current post, you can use the user_has_cap filter (called in WP_User::has_cap()): add_filter( ‘user_has_cap’, ‘wpse360937_allow_manager’, 10, 4 ); function wpse360937_allow_manager( $allcaps, … Read more
From quick look at code the likely permissions check for that is edit_comment capability in edit_comment() function. Your options to remove that capability roughly are: customize the role with plugin, for example Members customize role with code, probably using remove cap functionality filter thiungs around map_meta_cap or user_has_cap if you need to achieve more elaborate … Read more
In your case best solution is create your own custm role and assign them only the capabilities you users need. Regarding wordpress, for what I can understand from your question the only cabability you should give them is read. In this way they will see only the profile. Problems start with the plugin, you don’t … Read more
It sounds like you want to add all the admin capabilities to a role except a few key capabilities that you have in mind. What you could do is get the administrator role and do a key diff on capabilities you do not want. We have to use array_diff_key() because capabilities are keyed by name: … Read more
I just exported the live database, replaced all occurences of the live siteurl with the local one, and imported on my dev machine. Finding/replacing with a text editor breaks serialized data; you must change values with MySQL queries in phpmyadmin: UPDATE wp_options SET option_value = replace(option_value, ‘http://www.olddomain.com/’, ‘http://www.newdomain.com/’) WHERE option_name=”home” OR option_name=”siteurl”; UPDATE wp_posts SET … Read more
The admin_menu action will hide the ACF menu, in this example for not-admins. And admin_head will block the access if the URL is accessed directly. E.g.: http://example.com/wp-admin/edit.php?post_type=acf and http://example.com/wp-admin/edit.php?post_type=acf&page=acf-settings add_action( ‘admin_menu’, ‘wpse_59032_remove_acf_menu’, 9999 ); add_action( ‘admin_head-edit.php’, ‘wpse_59032_block_acf_screens’ ); add_action( ‘admin_head-custom-fields_page_acf-settings’, ‘wpse_59032_block_acf_screens’ ); function wpse_59032_remove_acf_menu() { /* if not our allowed users, hide menu */ if … Read more
Do not set header in a template file. Those are part of the HTTP request itself. About your problem: Add a template (whatever file you need – see “Template Hierarchy”). On top of it you include the default stuff like get_header(); and so on. For the restricted part, you use the following: if ( current_user_can( … Read more
By default, all files added by the Apache itself will be owned by the server’s user, in your case www-data. But since your users use FTP to deploy, those files are owned by them, and it makes the Apache scream for your attention. Changing the ownership of wp-content folder to www-data isn’t insecure at all, … Read more