How To Restrict Plugin Access In A WordPress Multi-tenant SaaS

So, you’re building your SaaS on WordPress using all kinds of WordPress tools including a bunch of plugins.

For some SaaS projects you don’t need your users to see the plugins menu in wp-admin at all – in which case you can just easily hide the menu option completely (using something such as Menu Editor Pro or other white-label plugins).

But what if you want your users to see the list but to only see a limited number of plugins they can activate or deactivate?

In that case you need a custom plugin on your tenant sites – which, in almost all SaaS projects you’ll already have anyway.

To limit the plugins your user will see requires the use of a WordPress hook – the pre_current_active_plugins hook.

When you use that hook you’ll modify incoming list of plugins to remove the ones you do not want to be visible.

Assuming you’re using a PHP Class, the code would look something like this:

require_once ABSPATH . 'wp-admin/includes/plugin.php';

class WPCDCLOUD_Template_MU_Functions_Init {

	/**
	 * Constructor function.
	 */
	public function __construct() {

		/* Hide some plugins */
		add_filter( 'pre_current_active_plugins', array( $this, 'hide_plugins' ) );

	}

	/**
	 * Hide some plugins.
	 *
	 * Action Hook: pre_current_active_plugins
	 */
	public function hide_plugins() {

		// We're only going to hide it if the current user is NOT a particular user name.
		// We need the exclusion so that we're able to manage the hidden plugins somehow!
		$current_user = wp_get_current_user();
		if ( ! ( $current_user instanceof WP_User ) ) {
			return;
		}

		// Allow certain logins to view the whole list.
		$user_name = sanitize_text_field( $current_user->user_login );
		if ( 'wpcdcloudsuperadmin' === $user_name ) {
			return;
		}

		// Add your excluded plugins here.
		global $wp_list_table;
		$hidearr   = array(
			'wp-cloud-deploy/wpcd.php',
			'updraftplus/updraftplus.php',
			'meta-box/meta-box.php',
			'wpcdcloud-template-deployment-functions/wpcdcloud-template-deployment-functions.php',
			'white-label/white-label.php',
			'admin-menu-editor-pro/menu-editor.php',
			'ame-branding-add-on/ame-branding-add-on.php',
			'wp-toolbar-editor/load.php',
		);
		$myplugins = $wp_list_table->items;
		foreach ( $myplugins as $key => $val ) {
			if ( in_array( $key, $hidearr, true ) ) {
				unset( $wp_list_table->items[ $key ] );
			}

			// If it starts with 'wpcd-', remove it.
			// This section shows how to exclude an entire class of plugins based on what the name of the plugin starts with.
			if ( substr( $key, 0, 5 ) === 'wpcd-' ) {
				unset( $wp_list_table->items[ $key ] );
			}
		}

	}

}

The code shown above is a little more thorough than just a basic example. It includes snippets that also does the following:

• Allows certain logins to see the full plugin list
• Allows you to exclude entire classes of plugins without having to list them out in an array.

You’ll also notice that the plugins are listed in the format folder/main-plugin-file.php.

Finally, you’ll notice that this is an action hook that is modifying a WordPress GLOBAL variable – it directly modifies the $wp_list_table global variable instead of returning a variable (like you would when using a filter hook.)

Wrapup

For something like this we recommend that you actually create a new plugin file and place the plugin in your mu-plugins folder. This way the user cannot deactivate it – if they’re allowed to do so it would bypass the point of the function entirely.

With this functionality you could remove most of the plugins from the plugin list and only let your users see a small list of approved plugins that they could activate/deactivate.

In a more sophisticated environment you would modify the plugin list based on the plan they have purchased.