Easiest way to hide (some) WordPress plugins from users?

Question

I'm using WordPress to make my users make their own website/blog. I have a set up that I'm cloning out to all the users with some special user-roles and standard plugins.

However, some of the plugins are not supposed to be changed or inactivated by the users.

Is their any way to select which plugins different user roles are allowed to use? Or a easy way to hide some plugins in the plugins-page but still have them working as normal?

Maybe there's some plugin that helps me to do this?

Answer 1

I've done a new version based on @spuriousdata Answer. This one uses the plugin slugs (file name minus the extension) to build the list of restrictions. This way is easier as we can unset the array using the first level $keys.

Configuration instructions in the code itself.

<?php
/**
 * Plugin Name: Limit Plugins by User
 * Plugin URI: http://stackoverflow.com/q/14340131/1287812
 * Description: Show selected plugins for specific users. 
 * Based on the code by spuriousdata, http://stackoverflow.com/a/3713985.
 * Author: brasofilo
 * Author URI: http://wordpress.stackexchange.com/users/12615/brasofilo
 * Version: 1.0
 * License: GPLv2 or later
 */

add_filter( 'all_plugins', 'plugin_permissions_so_3707134' );

/**
 * Filter the list of plugins according to user_login
 *
 * Usage: configure the variable $plugin_credentials, which holds a list of users and their plugins.
 * To give full access, put a simple string "ALL"
 * To grant only for some plugins, create an array with the Plugin Slug, 
 *    which is the file name without extension (akismet.php, hello.php)
 *
 * @return array List of plugins
 */
function plugin_permissions_so_3707134( $plugins )
{
    // Config
    $plugin_credentials = array(
        'admin' => "ALL",
        'other-admin' => array(
            'akismet',
        ),
        'another-admin' => array(
            'akismet',
            'hello',
        ),
    );

    // Current user
    global $current_user;
    $username = $current_user->user_login;

    // Super admin, return everything
    if ( "ALL" == $plugin_credentials[ $username ] )
        return $plugins;

    // Filter the plugins of the user
    foreach ( $plugins as $key => $value ) 
    { 
        // Get the file name minus extension
        $plugin_slug = basename( $key, '.php' );

        // If not in the list of allowed plugins, remove from array
        if( !in_array( $plugin_slug, $plugin_credentials[ $username ] ) )
            unset( $plugins[ $key ] );
    }

    return $plugins;
}

Answer 2

You should stratify the users. Make sure that the Admin user(s) are trusted and know not to fiddle with what they don't understand. The others should be limited to their roles. Authors, editors, etc. For example, if they're just a part of the site to write articles, then they don't need to see the rest of it. Make them an author and be done with it.

This is part of client education. If its a smaller client with less stratified roles, then make them two accounts. Tell them "this is the account you administer the site with, you'll be using this rarely. And this is the account that you'll use most of the time to write and edit. You can do all of your daily tasks here and will most likely never need the administrator account". You won't always have luck with this approach, but its less time and effort invested in crap you shouldn't be wasting time on.

Answer 3

You could write a plugin that uses the "all_plugins" filter hook to remove from the array plugins that you don't want displaying for a certain user. Something like this:

$plugin_credentials = array(
    'bob' => array(
            'Hello Dolly' => 1
    ),
    'jim' => array(
            'Akismet' => 1,
            'Hello Dolly' => 1,
    ),
    'admin' => "**ALL**"
);

function plugin_permissions($plugins)
{
        global $current_user, $plugin_credentials;

        $username = $current_user->user_login;

        if ($plugin_credentials[$username] == "**ALL**")
                return $plugins;

        $viewable_plugins = array();

        foreach ($plugins as $plugin) {
                if (isset($plugin_credentials[$username]) &&
                        isset($plugin_credentials[$username][$plugin['Name']]) &&
                        $plugin_credentials[$username][$plugin['Name']] == 1) {

                        array_push($viewable_plugins, $plugin);
                }
        }
        return $viewable_plugins;
}

add_filter('all_plugins', 'plugin_permissions');

Managing the user permissions in the plugin itself is not ideal, but it is probably easiest. You can expand on that idea to create admin pages for managing the users and their viewable plugins in a database table somewhere.

Answer 4

Each plugin will usually specify their own role/permission, which you can see if you look at their add_submenu_page() or such function calls. You can create new roles for those plugins and replace the one specified by the author, but it will also break the changes if you upgrade the plugins.