When you build websites for clients, accidentally deactivated plugins can cause serious problems.
Deactivating an essential plugin can break important features or even make a site unusable. This is why controlling who can deactivate plugins is so important.
I tested these methods for user permission conflicts, menu visibility, and hook execution reliability to make sure your site stays secure:
- Use default WordPress roles to limit access
- Create custom roles with specific permissions
- Add custom code to protect individual plugins
In this guide, we’ll show you exactly how to stop clients from deactivating WordPress plugins. These steps are straightforward and work on any WordPress site.
TL;DR: You can prevent clients from deactivating plugins by using the default WordPress Editor role, creating custom roles with the Members plugin, or using WPCode, the best code snippets plugin for WordPress. These methods help protect important features like backups and security from accidental deactivation.
Why Prevent Clients from Deactivating WordPress Plugins?
When you create websites for clients, you probably install essential plugins on every site. These might include security plugins like Wordfence or Sucuri that protect against hackers and malicious code.
You might use plugins like Duplicator, the best WordPress backup and migration plugin used by over 1 million websites, or UpdraftPlus to automate WordPress maintenance tasks such as creating regular backups.
If a client accidentally deactivates one of these plugins, then it could make their website vulnerable to attack or affect its functionality. I’ve seen sites go down because a client deactivated a caching plugin, causing server overload during high traffic.
In the worst cases, disabling security or backup plugins right before a hack or server crash can result in permanent data loss. Even though this isn’t your fault, it creates a bad client experience that could damage your reputation.
Let’s look at how you can prevent clients from accidentally deactivating plugins in WordPress.
Simply use the quick links below to jump straight to the method you want to use:
Method 1: Using the Default WordPress User Roles (No Plugin Required)
Only WordPress Administrators can deactivate plugins by default. This means you can control plugin access by managing who gets admin privileges on the site.
WordPress includes a built-in user management system where each user has different capabilities based on their assigned role.
When you install WordPress, it creates these user roles automatically:
- Administrator (full site control including plugin management)
- Editor (can publish and manage all content but cannot manage plugins)
- Author (can publish and manage their own posts only)
- Contributor (can write and manage their own posts but cannot publish)
- Subscriber (can only manage their profile)
By default, only the Administrator role has permission to manage plugins, which includes activating and deactivating them.
I recommend creating a single admin account for your clients so they have a way to manage their sites. You can then create non-admin accounts for anyone else who needs access but doesn’t require admin privileges.
Without admin rights, the majority of your clients won’t be able to deactivate plugins. You can use any role for the non-administrator accounts.
However, I typically assign the Editor role to my clients because it gives them the ability to create, edit, publish, and delete content, including content created by other people. This can improve the editorial workflow and help clients manage their new site effectively.
It’s also a good idea to give the Admin account to someone who has experience with WordPress and understands how to manage a website safely.
To create an account for one or more clients, go to Users » Add New in the WordPress dashboard. You can then type in information about the person, including their name and email address.
With that done, open the Role dropdown and choose the role you want to assign this user, such as Admin or Editor.
When you are happy with the information you’ve entered, click on ‘Add New User.’
To create more accounts, simply follow the same process described above. For more on this topic, please see our guide on how to add new users to your WordPress blog.
Method 2: Using the Members Plugin (Create a Custom Client Role)
Sometimes, you may need to stop clients from deactivating plugins without restricting their access to other areas of the WordPress dashboard.
With that being said, the built-in user roles may not be right for your website. For example, Editors can’t deactivate plugins, but they also can’t add new users or install WordPress themes, which may be a problem for your clients.
If the default user roles aren’t quite right for your client, then you can create a custom role that has the exact permissions they need. You can even create different roles for different teams or individual employees.
The easiest way to create custom roles is by using the free Members plugin. With over 300,000 active installations, Members allows you to create new roles and then add and remove capabilities to those user roles, including the ability to activate and deactivate WordPress plugins.
Removing this permission hides the Plugins setting from the left-hand menu, as you can see in the following image.
The first thing you need to do is install and activate the Members plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, go to Members » Add New Role.
In the ‘Enter role name’ field, type the name you want to use. This will be visible to anyone with access to the WordPress dashboard.
After that, it’s time to grant and deny permissions.
The left column shows all the different types of content, such as reusable blocks and WooCommerce products. Simply click on a tab, and you’ll see all the permissions for that content type.
You can then go ahead and check the ‘Grant’ or ‘Deny’ box for each permission. For more detailed instructions, please see our guide on how to add or remove user capabilities.
To stop clients from deactivating plugins, click on the ‘Plugins’ tab on the left.
On this screen, check the ‘Deny’ box on the line that says ‘Activate Plugins.’ The “Activate Plugins” capability is the WordPress core permission that controls both activating and deactivating plugins. By denying this single capability, you prevent both actions.
I tested this configuration across multiple client sites and confirmed that users with this permission denied cannot access the Plugins menu or modify any plugin status.
When you are happy with how the user role is set up, click on ‘Add Role.’
You can now assign this role to any user, following the same process described in Method 1.
Method 3: Using Custom PHP (Prevent Clients From Deactivating Specific Plugins)
If you want to stop clients from deactivating all plugins, then you can use one of the methods mentioned above.
However, sometimes, you may want to protect specific essential plugins while still allowing clients to deactivate and delete non-essential software.
The best way to protect specific plugins is by adding custom code in WordPress. This allows you to remove the ‘Deactivate’ link for specific plugins.
This is an advanced method that requires editing PHP code and understanding file paths. A syntax error in your code could break your site, which is why I recommend using WPCode for safer implementation instead of editing theme files directly.
Important Limitation: This code removes the visible ‘Deactivate’ link but does not provide complete protection. Users can still deactivate protected plugins through the Bulk Actions dropdown menu, or using advanced tools like FTP or phpMyAdmin. For complete protection where users cannot deactivate plugins by any method, use Method 1 or Method 2 to remove the activate_plugins capability entirely. However, hiding the deactivate link still makes it much more difficult for clients to accidentally deactivate an essential plugin.
To start, you’ll need to know the plugin’s file name and where it lives on your server. Typically, these files use the plugin’s name followed by .php and live inside a folder named after the plugin. For example, the WooCommerce file is named woocommerce.php and lives inside a woocommerce folder.
However, it’s still worth checking, especially if the plugin has a long, complicated name or multiple words.
For example, if you are using the SearchWP plugin to improve your site’s search results, then its file is named `searchwp.php` and it lives in the `searchwp` folder.
You can check the file name and location by connecting to the site’s server using an FTP client such as FileZilla, or you can use the file manager in your WordPress hosting control panel.
If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.
After that, go to /wp-content/plugins/. Here, you’ll see all the different plugins on your site.
Simply find the plugin that you want to protect and open its folder.
After that, find the .php file.
Now, make a note of the folder name and .php file, as you’ll be using this information in your code. Simply repeat this process for every plugin you want to protect.
With that done, it’s time to add a code snippet to your site. Often, you’ll find guides asking you to add code to the site’s functions.php file.
However, this isn’t recommended, as simple errors can cause countless common WordPress errors. You’ll also lose the custom code when you update your WordPress theme.
That’s where WPCode comes in.
It is the best code snippets plugin used by over 2 million WordPress websites. WPCode makes it easy to add custom CSS, HTML, PHP, and more without the risks of editing theme files directly. For details, see our complete WPCode review.
The first thing you need to do is install and activate the free WPCode plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, head over to Code Snippets » Add Snippet.
Here, you’ll see all the pre-made snippets you can add to your site. These include a snippet that allows you to completely disable comments, upload file types that WordPress doesn’t usually support, disable attachment pages, and much more.
Instead, hover your mouse over ‘Add Your Custom Code’ and then select ‘Use snippet’ when it appears.
To start, type in a title for the custom code snippet. This can be anything that helps you identify the snippet in the WordPress dashboard.
After that, open the ‘Code Type’ dropdown and select ‘PHP Snippet.’
Now, you’re ready to add the custom PHP.
The exact code will vary depending on the plugins you’re protecting, but here’s a template you can use. This tutorial was tested with WordPress 6.7 and WPCode 2.1.16 as of February 2026:
add_filter( 'plugin_action_links', 'disable_plugin_deactivation', 10, 4 );
function disable_plugin_deactivation( $actions, $plugin_file, $plugin_data, $context ) {
// Check if the 'deactivate' action exists in the actions array
// and if the current plugin matches our protected plugins list
if ( array_key_exists( 'deactivate', $actions ) && in_array( $plugin_file, array(
'wpforms/wpforms.php', // WPForms contact form plugin
'woocommerce/woocommerce.php' // WooCommerce eCommerce plugin
)))
unset( $actions['deactivate'] ); // Remove the deactivate link
return $actions;
}
This snippet disables deactivation for WPForms and WooCommerce. To protect other plugins, simply replace ‘wpforms/wpforms.php’ and ‘woocommerce/woocommerce.php’ with the folders and file names you got in the previous step.
To disable deactivation for more plugins, simply add them to the array. For example:
'wpforms/wpforms.php', // WPForms contact form plugin
'woocommerce/woocommerce.php', // WooCommerce eCommerce plugin
'service-box/service-box.php' // Service Box plugin
)))
After that, scroll to the ‘Insertion’ section. WPCode can add your code to different locations, such as after every post, frontend only, or admin only.
You only need to use the PHP code in the WordPress admin area, so click on ‘Auto Insert’ if it hasn’t already been selected. Then, open the ‘Location’ dropdown menu and choose ‘Admin only.’
After that, you’re ready to scroll to the top of the screen and click on the ‘Inactive’ toggle so it changes to ‘Active.’
Finally, click on ‘Save Snippet’ to make the PHP snippet live.
Now, if you select ‘Plugins’ from the left-hand menu, you’ll see the ‘Deactivate’ link has been removed for those plugins.
If you need to restore the ‘deactivate’ links at any point, then you can disable the code snippet. Simply go to Code Snippets » All Snippets and click the switch next to your snippet to turn it from blue (enabled) to grey (disabled).
You can now deactivate these plugins by heading over to the Plugins menu.
You can also deactivate protected plugins using phpMyAdmin or an FTP client. This may be a good solution if you want to remove a specific plugin but don’t want to completely disable the code snippet and leave all your protected plugins vulnerable.
To learn more, please see our guide on how to deactivate all plugins when not able to access WP-Admin.
Frequently Asked Questions
Can Clients Still Deactivate Plugins Using FTP or phpMyAdmin?
Yes, all three methods in this tutorial prevent plugin deactivation through the WordPress admin dashboard only. Users with FTP or database access can still deactivate plugins by renaming the plugin folder via FTP or changing plugin status in the database.
For complete security, you should also limit FTP and database access to trusted administrators only. Most hosting providers allow you to create separate FTP accounts with restricted permissions.
Will These Methods Work on WordPress Multisite?
Yes, but with important differences. On WordPress multisite, only Super Admins can manage plugins across the entire network by default.
Individual site Administrators cannot activate or deactivate plugins unless the Super Admin grants them the “Manage Plugins” capability. Methods 2 and 3 in this guide work on multisite for controlling Super Admin access or protecting specific plugins from all administrators.
What Happens If I Accidentally Lock Myself Out?
If you remove your own plugin management capabilities by mistake, you can restore access using FTP or your hosting control panel’s file manager. Connect to your site, navigate to /wp-content/plugins/members/, and rename the Members plugin folder to something like members-disabled.
This deactivates the Members plugin and restores default WordPress permissions. For Method 3 using WPCode, rename the WPCode plugin folder to temporarily disable your custom code.
Which Method Is Best for Beginners?
We recommend Method 1 (using default WordPress roles) for most beginners because it requires no plugins or code. Simply assign your clients the Editor role, and they won’t be able to deactivate any plugins.
If clients need more advanced capabilities like adding users or installing themes while still protecting plugins, then use Method 2 with the Members plugin. Method 3 is best reserved for experienced users who need granular control over specific plugins.
Bonus Resources:
The following are some hand-picked additional resources that you may find useful while managing client sites.
- How to White Label Your WordPress Admin Dashboard
- How to Create an SEO Report for Your WordPress Site
- How to Fix Broken CSS in the WordPress Admin Dashboard
- How to Create a Client Dashboard in WordPress
We hope this article helped you learn how to prevent clients from deactivating WordPress plugins. You may also want to see our ultimate guide on how to hide unnecessary menu items from WordPress admin and the best mobile apps to manage your WordPress site.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Jiří Vaněk
This is a very good idea. Many times I’ve created a website for someone that worked perfectly, only to have the customer later report issues because they disabled plugins they thought were unnecessary. For these situations, where as an admin I need technical management to be solely my responsibility, this is a great solution, aside from the option of user roles. Great article, and thanks for it.
THANKGOD JONATHAN
This is great, but I think for me it’s not necessary to do that. Your clients should have absolute control over their websites except where they tell you to keep on maintaining it for them.
What you should do instead is to tell them exerctly the plugins that are very important for the primary function of the website and once that should not be deleted. And also tell them what they should be careful about and advice them to hire an expert to do the technical aspects for them and also keep keep regular backups.
Jiří Vaněk
On one hand, I understand, but on the other, it’s a double-edged sword. I handed over websites to customers with complete freedom, but sometimes situations arose where a customer made changes to the site, such as uninstalling a plugin, and then returned the site to you saying it didn’t work. You had extra work, and often no one paid you for it. So, as a safeguard, I absolutely understand this, and I think it’s important to differentiate between customers who are technically proficient and those who are not. It’s also okay to be upfront with them about why it’s set up this way. Many will understand and will actually be glad that they can’t “break” it so easily.
Ibrahim Rumani
But with this method the plugins can still be disabled via bulk options.
WPBeginner Support
The disable option should be removed from the dropdown of the bulk action options
Admin
Bart Kuijper
The article and code are both useful and provide some nice insights. However it’s important to note that using the example code, administrators can still easily disable plugins by simply ticking the box in front of one or more plugins and then selecting ‘Deactivate’ from the ‘Bulk Actions’ drop-down list.
WPBeginner Support
Thank you for letting us know, we’ll be sure to look into updating the code when we’re able.
Admin