Pay attention and do not use it improperly. The is_admin() function is NOT for checking whether the current user is an administrator!
I have seen this error many times and probably made it myself years ago. The is_admin() function, provided by WordPress as a core function, does not check whether the current user is an administrator or has administration capabilities; it only checks whether the context is the administration side of WordPress.
In other words, whether we are inside the “/wp-admin” part of WordPress (yes, custom installations may change that path…).
So, checking is_admin() to protect special administrative functionality is totally wrong and really, really dangerous. A registered user with the lowest privileges calling an administrative page without any other protection will succeed.
To check the user's capabilities, you must use the current_user_can(...) function. For example
Actually “administrator” is not a capability but a role, that is, a collection of capabilities: you can learn more about this here.
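The difference between the two checks, shown as an added example that is not code from the original post. It assumes a hypothetical plugin that resets its settings on a POST request; the myplugin_ names, the option key and the request parameter are made up, and manage_options is used as the capability that gates site settings.

```php
<?php
// Hypothetical plugin code: the myplugin_ names, the option key and the
// request parameter are made up for this example.

// BEFORE: is_admin() only says the request targets the admin area.
// It is true for any logged-in user who loads a /wp-admin page, so a
// user with the lowest privileges passes this check.
function myplugin_reset_insecure() {
    if ( is_admin() && isset( $_POST['myplugin_reset'] ) ) {
        delete_option( 'myplugin_settings' );
    }
}
// add_action( 'admin_init', 'myplugin_reset_insecure' ); // do not register this one

// AFTER: authorize the user, not the context.
function myplugin_reset_secure() {
    if ( ! isset( $_POST['myplugin_reset'] ) ) {
        return; // not our request
    }

    // Capability check: stops every user who may not manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to reset these settings.',
            '',
            array( 'response' => 403 )
        );
    }

    // Separate from the capability check: verifies the nonce that the
    // settings form must output with wp_nonce_field( 'myplugin_reset' ).
    check_admin_referer( 'myplugin_reset' );

    delete_option( 'myplugin_settings' );
}
add_action( 'admin_init', 'myplugin_reset_secure' );
```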
Note about roles and role checking
When you use current_user_can(...) with a role, it returns true ONLY if ALL the capabilities associated with that role are satisfied. So you may assume that if current_user_can('administrator') returns true, then current_user_can('editor') will return true as well.
This is not… true. Or rather, it is true in a clean WP installation, but if a role editor has been used, the capabilities of an administrator might not contain all the capabilities given to editors, and current_user_can('editor') can return false.