Konfyra Access Control
Multi-vendor plugins (WCFM, Dokan, MultiVendorX, WC Vendors) generally
redirect vendors to a frontend dashboard after login, and most offer a
capability toggle for „backend access.“ In practice, both of those are
login-flow conveniences, not hard access controls — a vendor who directly
visits /wp-admin/ after logging in can often still land on some part of
the WordPress backend. The same gap exists for membership and course
plugins (MemberPress, LearnDash, etc.) whose members are typically just
Subscribers under the hood.
This plugin adds the missing hard block:
- Every
/wp-admin/request is checked onadmin_init. - Administrators (and any role you explicitly exempt — e.g. Shop Manager) pass through untouched.
- Everyone else is redirected: configured „vendor“ roles go to your vendor dashboard URL; everyone else goes to a default path you configure — a MemberPress account page, a LearnDash dashboard, anything — or, if left blank, WooCommerce My Account (if active) or the homepage.
- AJAX (
admin-ajax.php), cron, and REST requests are always left alone, since marketplace and membership plugins alike route frontend actions through them internally. Blocking these would break the site, not just the backend. - The admin toolbar is optionally hidden on the frontend for restricted roles too, closing a smaller but related information leak (plugin names/versions, site health notices).
This isn’t tied to any one plugin’s ecosystem — the lockdown itself is plain WordPress role and capability logic. It was built with WCFM / Dokan / MultiVendorX / WC Vendors marketplaces in mind, but works identically for MemberPress members, LearnDash students, or any custom role your own code registers.
All of this is configured from Settings → Konfyra Access Control — the
role checkboxes are populated from the roles actually registered on your
site, so there’s no need to guess whether your plugin calls its vendor
role vendor, seller, wcfm_vendor, or dc_vendor.
A note on trademarks
This plugin is not affiliated with, endorsed by, or sponsored by Automattic, WooThemes/WooCommerce, weDevs (Dokan), WCFM, MultiVendorX, WC Vendors, or MemberPress. Their names are mentioned solely to describe compatibility.
Before enabling on a live site
Test on staging first, same as any access-control change. If you use a Shop Manager (or similar staff) role that needs order/product screens in wp-admin, make sure to check that role under „Roles allowed in wp-admin“ before saving — it’s exempt by default on first activation, but confirm it after your first save.
