Creating a WordPress plugin to ban users from an install is a simple process that involves WordPress filters, actions, user columns management, and more. In this tutorial, we will cover the basics of this plugin and how to create it.
Step 1: Create The Plugin
To create the plugin, you need to create a new folder in “wp-content/plugins” called “ban-users.” In this folder, create a new file called “ban-users.php” and paste the following code:
<?php
/*
Plugin Name: Ban Users
Plugin URI: http://www.remicorson.com
Description: Allows you to ban users
Author: Remi Corson
Version: 1.0
Author URI: http://www.remicorson.com
*/
Step 2: Add A Checkbox On Users’ Profile Page
The first step is to add a checkbox on each user’s profile page. When you check this checkbox, it will store a user meta option that indicates that the user is not allowed to log in to your website. Here is the code:
function rc_admin_init() {
    // Edit user profile
    add_action( 'edit_user_profile', 'rc_edit_user_profile' );
    add_action( 'edit_user_profile_update', 'rc_edit_user_profile_update' );
}
add_action( 'admin_init', 'rc_admin_init' );
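This code registers the two callbacks. The first one, rc_edit_user_profile(), adds the checkbox to the user's profile page:
function rc_edit_user_profile() {
    if ( ! current_user_can( 'edit_users' ) ) {
        return;
    }
    global $user_id;
    // User cannot disable itself
    $current_user    = wp_get_current_user();
    $current_user_id = $current_user->ID;
    if ( $current_user_id == $user_id ) {
        return;
    }
    // Check if enabled (third argument false: return the attribute instead of echoing it)
    $checked = checked( get_user_option( 'rc_banned', $user_id, false ), true, false );
    // Display checkbox (the field name rc_ban is the key the save handler reads from $_POST)
    echo '<table class="form-table">
        <tr>
            <th scope="row">Ban User</th>
            <td><label for="rc_ban"><input name="rc_ban" type="checkbox" id="rc_ban" ' . $checked . ' /> Ban this user</label></td>
        </tr>
    </table>';
}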
Next, we need the function that saves the value of the checkbox to the database:
function rc_edit_user_profile_update() {
    if ( ! current_user_can( 'edit_users' ) ) {
        return;
    }
    global $user_id;
    // User cannot disable itself
    $current_user    = wp_get_current_user();
    $current_user_id = $current_user->ID;
    if ( $current_user_id == $user_id ) {
        return;
    }
    // Lock (compare with ===; a single = would assign and always be true)
    if ( isset( $_POST['rc_ban'] ) && 'on' === $_POST['rc_ban'] ) {
        rc_ban_user( $user_id );
    } else { // Unlock
        rc_unban_user( $user_id );
    }
}
Step 3: Ban Users
It’s now time to create the rc_ban_user() function. In this function, we check whether a value is already stored and, if not, store it. That’s why I call a function that I’ll describe later, rc_is_user_banned():
function rc_ban_user( $user_id ) {
    $old_status = rc_is_user_banned( $user_id );
    // Update status
    if ( ! $old_status ) {
        update_user_option( $user_id, 'rc_banned', true, false );
    }
}
Step 4: Un-ban Users
The following function is the opposite of the one we just created: we have to give the ability to “un-ban” users:
function rc_unban_user( $user_id ) {
    $old_status = rc_is_user_banned( $user_id );
    // Update status
    if ( $old_status ) {
        update_user_option( $user_id, 'rc_banned', false, false );
    }
}
Step 5: Is User Banned?
We saw in rc_ban_user() and rc_unban_user() that we use a function called rc_is_user_banned() to check whether a user is banned. Let’s create it:
function rc_is_user_banned( $user_id ) {
    return get_user_option( 'rc_banned', $user_id, false );
}
At this point, we have a new checkbox on the user edit page.
The last step is to hook a function to the login form to prevent banned users from logging in.
Step 6: Prevent Banned Users From Logging In
To do so, we need to use a WordPress default filter called “wp_authenticate_user”. To this filter, we’ll hook a function called “rc_authenticate_user()”. This function will use the WP_Error class.
function rc_authenticate_user( $user ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    // Return error if user account is banned
    $banned = get_user_option( 'rc_banned', $user->ID, false );
    if ( $banned ) {
        return new WP_Error( 'rc_banned', __( 'ERROR: This user account is disabled.', 'rc' ) );
    }
    return $user;
}
Now, we just need to add the filter:
add_filter( 'wp_authenticate_user', 'rc_authenticate_user', 1 );
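The “wp_authenticate_user” filter runs only when a username and password login is processed, so a user who is already logged in at the moment of the ban keeps a working session cookie. The following is an added example, not part of the original plugin: it assumes it is appended to ban-users.php (so rc_is_user_banned() is defined), and the function names rc_ban_user_and_revoke() and rc_logout_banned_user() are hypothetical.

```php
/**
 * Ban a user and immediately invalidate every session they already hold.
 * Hypothetical helper (added example); uses the tutorial's 'rc_banned' option.
 */
function rc_ban_user_and_revoke( $user_id ) {
    $user_id = (int) $user_id;
    // Never lock out the administrator who is performing the ban.
    if ( $user_id <= 0 || get_current_user_id() === $user_id ) {
        return false;
    }
    update_user_option( $user_id, 'rc_banned', true, false );
    // Destroying the stored session tokens makes the user's existing
    // auth cookies fail validation on their next request.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    return true;
}

/**
 * Defense in depth: if a banned account still arrives with a valid cookie
 * (for example, the flag was set directly in the database), end the session.
 */
function rc_logout_banned_user() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    if ( rc_is_user_banned( get_current_user_id() ) ) {
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
}
add_action( 'init', 'rc_logout_banned_user', 1 );
```

To use it, call rc_ban_user_and_revoke( $user_id ) from rc_edit_user_profile_update() in place of rc_ban_user( $user_id ).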
We created a plugin that adds a checkbox to the user profile edit page. A second function stores the value of the checkbox, and we created one function to ban a WordPress user and another to un-ban a user. We also created a small function to check whether a user is banned. Finally, we hooked a function to the “wp_authenticate_user” filter using the WordPress default WP_Error class. You can download the full code on GitHub.