Starting from version 1.8.1, it is possible to restrict access to NinjaFirewall (WP+/WP Edition) menu and settings.
Note: Restrictions apply to single sites only, not to multisites where only the superadmin can manage NinjaFirewall.
Roles
By default, a user with administrator roles is allowed to access NinjaFirewall. But if you need to create one or more administrator accounts, for instance, for your developers, you may not want them to be able to mess with the firewall settings.
For that purpose, we introduced in v1.8.1 a new constant: NFW_ALLOWED_ADMIN. It can be used to grant access to NinjaFirewall only to one or more specific administrators depending on their username.
The constant has to be defined either in your wp-config.php script, or in your .htninja user configuration file.
To grant access to the firewall only to administrator ‘alice’:
define('NFW_ALLOWED_ADMIN', 'alice');
Multiple values must be coma-separated, e.g., to allow administrators ‘alice’ and ‘joe’:
define('NFW_ALLOWED_ADMIN', 'alice,joe');
Any administrator who is not in that list will not be able to access the firewall settings.
Capabilities
Until v1.7, the manage_options capability was required to access NinjaFirewall settings. This is the default behaviour for almost all WordPress plugins. However, if you need to give this capability to a non-administrator user that you trust, this person will be allowed to access the firewall too.
Therefore, we decided that starting from v1.8.1, the following two admin capabilities will be required to access NinjaFirewall: manage_options + unfiltered_html.
Plugin Editor
In addition to the above restrictions, it is no longer possible to edit NinjaFirewall scripts from the WordPress built-in plugin editor menu (Plugins > Editor). Any attempt to modify a script from the firewall folder and to click on the “Update File” button will be blocked.