The Ultimate Guide to Preventing Plugin Deactivation in WordPress (2024)

As a WordPress consultant, one of the most panicked calls you can get from a client is "Help! My site is down!"

Navi.

More often than not, the cause of their broken site is a deactivated plugin.

Maybe they were trying to troubleshoot an issue by randomly turning things off and on. Or perhaps they installed a new plugin without realizing it would conflict with existing tools and break key functionality.

Whatever the reason, deactivated plugins are a leading cause of WordPress site issues and unplanned downtime. And this can be incredibly costly for businesses.

Consider these statistics:

  • 39% of WordPress sites get hacked because of a vulnerable plugin or theme (WPScan)
  • The average cost of downtime for a small company is $427 per minute (ITIC)
  • 52% of users say they‘re less likely to engage with a brand after a bad mobile experience (Google)

If your client‘s WordPress site goes down, even briefly, it could mean lost sales, missed leads, and damage to their brand reputation. Not to mention the time and money you‘ll need to spend getting everything back up and running.

That‘s why it‘s crucial to have safeguards in place to prevent clients from accidentally deactivating important WordPress plugins. As a developer or consultant, your job is to build a stable foundation for their site and business.

Fortunately, WordPress offers several ways to lock down plugin access and protect your clients from themselves. In this guide, we‘ll dive into three methods you can use to keep plugins securely in place on client sites:

  1. Setting user roles and permissions
  2. Creating custom capabilities with a plugin
  3. Using code snippets to remove deactivation links

By the end of this post, you‘ll have a complete system for reducing plugin-related disasters and keeping your clients‘ sites running smoothly.

Method 1: Restrict Plugin Access with User Roles

The simplest way to prevent accidental plugin deactivation is to only give clients the level of access they need in WordPress. If they don‘t have permission to manage plugins, they can‘t accidentally break them.

WordPress has six default user roles, each with progressively more capabilities:

  1. Subscriber
  2. Contributor
  3. Author
  4. Editor
  5. Administrator
  6. Super Admin (multisite only)

Here‘s a quick breakdown of what each role can do:

RoleCapabilities
Subscriberread content only
Contributoredit/delete their own posts, but not publish
Authorpublish/edit/delete their own posts
Editoredit/publish/delete any posts, manage categories
Administratorfull control over site content, settings, users, and plugins
Super Admincontrol network of sites in a multisite setup

As you can see, only the Administrator role has the capability to activate, deactivate, and edit plugins under the default WordPress settings.

So if you want to keep your clients away from plugin options altogether, you can create an Editor account for them instead of making them an Administrator.

The Editor role is well-suited for most client content management needs. It allows them to create, edit, publish, and delete pages and posts, as well as moderate comments. But it stops short of letting them touch plugins, themes, and other site settings.

When you hand off a WordPress site to a client, consider setting up their account as an Editor by default. If they need to add more users, like writers or employees, you can make those Contributor or Author accounts.

Reserve the Administrator role only for yourself and other developers or managers who absolutely need it. This greatly reduces the risk of a client going in and fiddling with plugin settings.

Of course, some more tech-savvy clients may want or expect full admin access to their site. In those cases, you can create a separate Administrator account for them.

Just be sure to have a conversation about the importance of leaving plugins alone, unless they check with you first. Emphasize that deactivating the wrong plugin, even for a short time, can have serious consequences for their site‘s functionality and security.

It‘s also wise to keep your own admin-level account, so you can quickly fix any issues if something does get deactivated by mistake.

Pros and Cons of Using User Roles

Limiting plugin access with user roles is straightforward and uses core WordPress functionality. But it may not cover all situations. Here‘s a quick summary of the advantages and disadvantages of this method:

Advantages:

  • Easy to set up, no extra plugins needed
  • Uses default WordPress capabilities
  • Enforces content and setting separation
  • Suitable for most client content editing needs

Disadvantages:

  • Clients may want full admin control
  • Other plugins could override role capabilities
  • Doesn‘t allow for granular plugin control
  • Client could still deactivate via bulk actions

So while setting Editor roles for clients is a good first line of defense, you may want some extra layers of protection…

Method 2: Create Custom User Capabilities

Out of the box, WordPress roles offer limited flexibility. You can‘t pick and choose which parts of the admin menu users have access to, for instance.

That‘s where a plugin like Members comes in handy. With over 200,000 active installations, it‘s a popular and well-maintained tool for expanding your user role options.

Once you install and activate the plugin, head to Roles in the WordPress admin sidebar. You‘ll see a list of the default roles, along with the option to Add New Role.

Give your role a name, like "Client", and select the permissions you want it to have from the detailed list of capabilities:

Create a custom user role with the Members plugin

To remove all access to plugins, look for the Plugins section and uncheck the boxes for:

  • Activate plugins
  • Deactivate plugins
  • Delete plugins
  • Edit plugins
  • Install plugins
  • Update plugins

This will completely hide the Plugins menu from users with this role. They won‘t be able to browse, activate, deactivate, or modify any of your installed plugins.

You can follow a similar process for other parts of the WordPress admin you want to restrict, like Themes, Widgets, Menus, and more.

Take your time going through the list of capabilities and deciding what your clients should and shouldn‘t be able to do. When in doubt, err on the side of giving them fewer privileges. It will make for a cleaner admin interface and fewer chances for accidental changes.

When you‘re finished, click Add Role to save it. Then you can edit your client‘s user account and select your new role from the dropdown menu:

Assign a custom user role in WordPress

If you have multiple client sites, you can create variations of this custom role to fit different needs. For example, an advanced "Client Power User" role could have more capabilities than a basic "Client Viewer" one.

Using Members or a similar plugin allows for much finer-grained control over user permissions than the default roles provide. You can tailor the back-end experience to give clients all the tools they need and nothing more.

Pros and Cons of Custom User Capabilities

If the default WordPress roles aren‘t enough for your client site setup, then a plugin like Members is a great next step. Here‘s a rundown of the benefits and drawbacks:

Advantages:

  • Full control over exactly what users can do
  • Prevents accidental changes to key site areas
  • Better organization and focus in WP admin
  • Flexible for different client setups and needs
  • No custom code required

Disadvantages:

  • Requires installing another plugin
  • More complex to set up and maintain
  • Updates could override or conflict with role settings
  • Clients may be confused by missing menu items

Overall, creating a custom client role is an effective way to remove all plugin capabilities at once. But there may still be cases where you need even more specific controls…

Method 3: Disable Deactivations with Code Snippets

Sometimes you may want to give a client broader WordPress admin access, but protect certain mission-critical plugins from being turned off.

For example, you probably don‘t want clients disabling an SEO plugin like Yoast and losing all their custom meta information. Or deactivating WooCommerce and breaking their entire online store.

To prevent changes to individual plugins, you can use a simple PHP code snippet. This will selectively remove the deactivation link for plugins you specify.

Here‘s the code to add to your theme‘s functions.php file or a custom plugin:

add_filter( ‘plugin_action_links‘, ‘wpb_remove_deactivation_link‘, 10, 2 );

function wpb_remove_deactivation_link( $actions, $plugin_file ) {
    $plugins = array(
        ‘akismet/akismet.php‘,
        ‘wordpress-seo/wp-seo.php‘,
    );

    if( in_array( $plugin_file, $plugins ) ) {
        unset( $actions[‘deactivate‘] );
    }

    return $actions;
}

Make sure to replace the example plugin paths in the $plugins array with the actual plugins you want to protect. You can find the exact paths by looking at the plugin files via FTP or in the WordPress plugins directory.

Add as many plugin paths as you need to the array, each one surrounded by single quotes and comma-separated.

When you save and activate this snippet, it will hide the Deactivate link for those specific plugins in the WordPress admin:

Remove deactivate link on specific WordPress plugins

Now even if a client has an Administrator role, they won‘t be able to deactivate the plugins you‘ve specified. The link to do so simply won‘t be there.

It‘s worth noting that this method doesn‘t completely prevent deactivation. A savvy user could still go in via FTP and manually deactivate the plugin. But it adds an extra layer of protection against accidental one-click deactivations in the WordPress dashboard.

To take things even further, you could also remove the "Delete" link to prevent the plugin from being uninstalled entirely. Just add another unset line in the code snippet:

unset( $actions[‘delete‘] );

This will make it impossible for clients to delete the plugin files without accessing the site via FTP, which most won‘t have the knowledge or desire to do.

Pros and Cons of Deactivation Prevention Code

Using a code snippet to remove plugin deactivation capabilities is the most targeted way to keep essential plugins active. But it‘s also the most technical to implement.

Here are some key considerations:

Advantages:

  • Protects individual plugins
  • Allows access to rest of plugin settings
  • Works independently of user roles
  • Easy to add more plugins to the list
  • Deactivation link removal is clear in the UI

Disadvantages:

  • Requires editing theme or plugin files
  • Clients may need to request deactivations
  • Updates could overwrite custom snippets
  • Only prevents deactivation, not deletion
  • Lacks broader site access control

If there are only a few specific plugins you absolutely need to keep active at all times, this targeted code approach works well. But it should ideally be combined with other restrictions for a defence-in-depth strategy.

Crafting Your Plugin Protection Plan

With great power comes great responsibility, as they say. And that‘s certainly true when it comes to WordPress admin capabilities. The more access you give to clients, the greater the risk of something accidentally going wrong.

But by using the techniques outlined in this guide, you can find the right balance of client control and plugin stability.

Start with the principle of least privilege: only give clients the bare minimum permissions they need to manage their content. The default WordPress user roles are a good baseline, with Editors able to handle most content tasks.

For more granular control, use a plugin like Members to create custom roles with hand-picked capabilities. This lets you hide the Plugins menu and other potentially dangerous settings while still giving clients room to work.

If you need to secure individual plugins from deactivation, adding a bit of code to your theme or plugin can remove that option from the admin. This laser-targeted approach works well alongside broader role restrictions.

The exact mix of methods you choose will depend on the needs of each specific client and site. But by putting these safeguards in place from the start, you‘ll prevent many plugin-related emergencies before they happen.

Best Practices for Protecting Plugins

Beyond the technical steps to restrict deactivations, there are some general principles that can help keep your client sites running smoothly:

  • Have a thorough onboarding process to train clients on WordPress and lay out your plugin policies
  • Set expectations early about what clients should and shouldn‘t change on their own
  • Keep an up-to-date list of all the active plugins and their roles on each client site
  • Perform regular updates and compatibility checks to ensure plugins play nicely together
  • Make a full site backup anytime you change plugin settings or update roles
  • Provide an easy way for clients to request or suggest plugin changes when needed
  • Create an admin handbook or knowledge base where you document key plugins and settings
  • Consider a remote management tool like ManageWP to apply plugin changes safely across multiple sites

By taking a proactive, process-driven approach to plugin management, you can build better relationships with your clients and avoid unpleasant plugin surprises. A little planning and preparation can save hours of frantic troubleshooting down the line.

Empowering Clients Within Limits

At the end of the day, it‘s all about setting clients up for success while minimizing the risk of them breaking things by accident.

Even the most well-meaning client can wreak havoc with admin access and a curious streak. So it‘s up to you as the WordPress consultant to define safe boundaries and keep plugins under control.

With the strategies in this post, you now have a solid toolbox to prevent plugin deactivations and protect critical site functionality. But it‘s also important to educate clients and include them in the website management process.

When you hand off a site, give clients documentation on which plugins power key features and why they shouldn‘t be turned off. Make yourself available to answer questions and provide guidance as their site and business evolves.

By being transparent about your plugin decisions and giving clients selective admin capabilities, you can reduce friction and build more productive long-term relationships.

So go forth and implement these plugin protection measures with confidence, knowing that you‘re saving yourself and your clients from a world of potential trouble. Keep those plugins active and your client sites will thank you!

Did you like this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

How to Sell Videos Online with WordPress in 2023: The Complete Step-by-Step Guide
The Ultimate Guide to WordPress Navigation Menus (2023)
The Complete Guide to Adding a BMI Calculator to Your WordPress Site
Revealed: The Most Popular Types of Blogs to Start in 2024
The Complete Guide to Installing a WordPress Child Theme
How to Embed TikTok Videos in WordPress (2024 Ultimate Guide)
12+ Things You MUST DO Before Changing WordPress Themes
The Complete Guide to Automatic WordPress Backups with CodeGuard (2023)