Those who oversee a network of WordPress sites should consider securing user access to the block directory introduced in WordPress 5.5. The block directory is meant to make it easy for end-users to find and drop in new blocks.
Now it’s easier than ever to find the block you need. The new block directory is built right into the block editor, so you can install new block types to your site without ever leaving the editor.
From About WordPress 5.5
To a novice administrator, the block directory amounts to a way of installing plugins without realizing it. You will therefore likely want to disable the feature entirely or restrict it to a small set of trusted administrators. By default, the block directory is available to every user who has both the install_plugins and activate_plugins capabilities.
Restricting Access
Fully Disable the Directory
If you would like to remove the block directory feature from WordPress entirely, this snippet will do it.
// Detach the core callback that enqueues the block directory UI in the block editor.
add_action( 'admin_init', function() {
	remove_action( 'enqueue_block_editor_assets', 'wp_enqueue_editor_block_directory_assets' );
} );
Find this script and others at snippet.farm.
Disable Only in Production Environment
You may find it handy to keep the block directory available while working in a development, staging, or test environment. WordPress 5.5 introduces the wp_get_environment_type() function, which lets us check the environment and disable the directory only on the live production site.
// Leave the directory enabled everywhere except the production environment.
add_action( 'admin_init', function() {
	if ( 'production' === wp_get_environment_type() ) {
		remove_action( 'enqueue_block_editor_assets', 'wp_enqueue_editor_block_directory_assets' );
	}
} );
Availability of the block directory in staging and dev will depend on your host or a plugin setting WP_ENVIRONMENT_TYPE (it can also be defined as a constant in wp-config.php). When it is not set at all, wp_get_environment_type() returns 'production', so the directory is disabled by default.
Restrict Directory Access to Specific User(s)
There may also be instances in which you want to allow block directory access to a specific subset of administrative users. The following snippet can be used to accomplish this.
// Keep the directory only for the logins listed in the array; strict comparison avoids type juggling.
add_action( 'admin_init', function() {
	if ( ! in_array( wp_get_current_user()->user_login, array( '{{username}}' ), true ) ) {
		remove_action( 'enqueue_block_editor_assets', 'wp_enqueue_editor_block_directory_assets' );
	}
} );
Be sure to replace {{username}} with the login of the specific user who should have access; additional users can be specified by adding array elements. Users listed here will still need both the install_plugins and activate_plugins capabilities.
Handling the Gutenberg Plugin
If you use the Gutenberg plugin on a site, you will also need to ensure the block directory assets are not being served from within the plugin. You can do so by adding the following line to any of the above snippets, directly below the existing call to remove_action:
// The Gutenberg plugin registers its own callback for the block directory assets.
remove_action( 'enqueue_block_editor_assets', 'gutenberg_enqueue_block_editor_assets_block_directory' );
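The three restrictions above can be combined into one must-use plugin that also verifies the removal actually took effect. This is an added example, not code from the original post: the rbd_ prefix, the login 'lead-admin' and the mu-plugins file name are placeholders chosen here.

```php
<?php
/**
 * Plugin Name: Restrict Block Directory (added example)
 * Drop into wp-content/mu-plugins/ so it cannot be deactivated from the Plugins screen.
 * The rbd_ prefix and the login 'lead-admin' are placeholders chosen for this example.
 */

// Logins that keep block directory access in production (placeholder value).
const RBD_ALLOWED_LOGINS = array( 'lead-admin' );

/**
 * Pure decision function: true when the current user keeps the directory.
 * Core already requires both capabilities; the production allowlist is added on top.
 */
function rbd_should_keep_directory( $environment, $login, $can_install, $can_activate ) {
	if ( ! $can_install || ! $can_activate ) {
		return false;
	}
	// Outside production, everyone with the capabilities keeps the directory.
	if ( 'production' !== $environment ) {
		return true;
	}
	return in_array( $login, RBD_ALLOWED_LOGINS, true );
}

add_action( 'admin_init', function () {
	$keep = rbd_should_keep_directory(
		wp_get_environment_type(), // returns 'production' when WP_ENVIRONMENT_TYPE is unset
		wp_get_current_user()->user_login,
		current_user_can( 'install_plugins' ),
		current_user_can( 'activate_plugins' )
	);
	if ( $keep ) {
		return;
	}

	$callbacks = array(
		'wp_enqueue_editor_block_directory_assets',              // WordPress core (5.5+)
		'gutenberg_enqueue_block_editor_assets_block_directory', // Gutenberg plugin, if active
	);
	foreach ( $callbacks as $cb ) {
		remove_action( 'enqueue_block_editor_assets', $cb );
		// Verify the removal took: has_action() returns the priority if a callback is still attached.
		if ( false !== has_action( 'enqueue_block_editor_assets', $cb ) ) {
			error_log( "restrict-block-directory: {$cb} is still hooked on enqueue_block_editor_assets" );
		}
	}
} );
```

Removing these callbacks only hides the directory's interface inside the editor; the users' install_plugins capability, and with it the regular Plugins screen, is unchanged.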
Final Thoughts
While WordPress continues to make useful enhancements to the block editor, it is worth recalling this point of the WordPress philosophy:
Decisions, not Options.
If you’re looking to discover new blocks for your WordPress site or share those gems you’ve come across, feel free to join the Facebook group for WordPress Block Discovery. Stay well and code smart!