Control WordPress Access Through User Roles

Every WordPress website is packaged with the ability to control site access through the use of user roles. Most WordPress site owners fail to take full advantage of the power of user roles. Below are a few tips and suggestions for getting the most out of this surprisingly powerful feature.

WordPress User Role Basics

In essence, a WordPress user role is a collection of allowed actions (officially referred to as capabilities) that users holding the role can perform in the WordPress environment. Example capabilities include installing plugins, creating menu items, publishing posts and pages, adding new users, and editing posts created by other users. WordPress comes prepackaged with 5 default user roles. The full WordPress documentation goes into great detail, but for now here is a summary:

  • Administrator: Users with this role can do everything that can be done on the site, such as installing plugins, updating WordPress to the latest version, creating new users, etc. It is often tempting to give new colleagues the Administrator user role out of convenience, but that creates the possibility of great damage to the site if they don’t fully understand what they are doing. It is sound security practice to grant only the bare minimum of privileges required for their position. Another thing to consider is that Administrators have complete access to the WordPress admin menu, which can be quite daunting on sites with a large number of plugins. Users with more narrowly defined roles will only see the WordPress admin menu items they specifically have access to.
  • Editor: The second most powerful user role, Editors can edit and publish posts made by other users. This is a useful role if a site routinely posts articles by numerous authors and is trying to maintain a unified “voice”.
  • Author: Authors have complete control over posts that they themselves create, but have no access whatsoever to posts created by other users.
  • Contributor: A Contributor can edit posts made by others, but unlike Editors they cannot publish any posts.
  • Subscriber: As the least powerful default role, Subscribers don’t have access to anything in the WordPress admin other than their own profile. This is the default role that most custom roles are built from.

Creating and Managing Custom WordPress User Roles

Unless your WordPress site is a simple blog, the aforementioned user roles are unlikely to be satisfactory. Some WordPress plugins automatically create new user roles (for example WooCommerce comes packaged with Shop Manager and Customer user roles) but most do not. To take a common example, a WordPress site may have a plugin to create events to populate an events calendar. A staff member will create, update, and publish those events but does not need to access other areas of the site. If the events plugin did not automatically create new user roles and the events have their own post type, then the user who will manage the events will have to be given the Administrator role, which is highly undesirable. What is to be done?

Custom user roles can be created to handle this very issue. One way to do this is through a plugin such as User Role Editor, which can create custom user roles with a specific set of capabilities. It is not the easiest plugin to use and can be a bit confusing, but it solves the event manager problem described above perfectly. It can also be used to modify existing user roles. For example, the Editor role can be expanded to edit user profiles. This significantly increases the flexibility of user roles.
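The event manager role described above can also be defined in a few lines of code. The small plugin below is an added example, not code from User Role Editor or any events plugin; it assumes the events post type is registered under the slug 'event' and that the events plugin relies on the post type's own capabilities, and the role key and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Event Manager Role (added example)
 */

// Assumption: the events plugin registers its post type under the slug 'event'.
const EXAMPLE_EVENT_POST_TYPE = 'event';
const EXAMPLE_EVENT_ROLE      = 'event_manager'; // hypothetical role key

// Give events their own capability names (edit_events, publish_events, ...)
// so that granting them does not also grant access to regular posts.
add_filter( 'register_post_type_args', function ( $args, $post_type ) {
	if ( EXAMPLE_EVENT_POST_TYPE === $post_type ) {
		$args['capability_type'] = array( 'event', 'events' );
		$args['map_meta_cap']    = true;
	}
	return $args;
}, 10, 2 );

// The primitive capabilities WordPress derives from the capability_type above.
function example_event_caps() {
	return array(
		'edit_events', 'edit_others_events', 'edit_published_events',
		'edit_private_events', 'publish_events', 'read_private_events',
		'delete_events', 'delete_others_events', 'delete_published_events',
		'delete_private_events',
	);
}

register_activation_hook( __FILE__, function () {
	// 'read' lets the user reach the dashboard and their own profile.
	$caps = array( 'read' => true ) + array_fill_keys( example_event_caps(), true );
	add_role( EXAMPLE_EVENT_ROLE, 'Event Manager', $caps );

	// Administrators need the new capabilities too, or they lose the Events menu.
	$admin = get_role( 'administrator' );
	foreach ( example_event_caps() as $cap ) {
		$admin->add_cap( $cap );
	}
} );

register_deactivation_hook( __FILE__, function () {
	// Reassign any users who hold the role before deactivating.
	remove_role( EXAMPLE_EVENT_ROLE );
	$admin = get_role( 'administrator' );
	foreach ( example_event_caps() as $cap ) {
		$admin->remove_cap( $cap );
	}
} );
```

A user with this role sees only the events screens and their own profile in the admin menu. Add the `upload_files` capability if events need images.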

WordPress User Roles to Control Page Access

We have discussed WordPress admin features exclusively thus far. Front-end content can also be controlled through clever use of user roles. For example, you may want to have a page set up to be only accessible to users who have joined a site through a specific form in order to increase site engagement. This can be accomplished through a couple of other useful plugins.

Access to pages can be controlled via plugins such as Restrict User Access. This plugin allows pages and posts to be accessible to only users with specific user roles. It is rather flexible and easy to use. Plugins such as Paid Memberships Pro can do something similar but will add a great deal of complexity.

Administrators can easily create users and assign them to specific roles, but what if you just want to have users create themselves with a specific role? This can be accomplished through the WP Everest User Registration Form plugin. It allows for the creation of multiple registration forms, each with its own user role and login redirect page. This is relatively quick and simple to set up. There are similar plugins available to accomplish the same goals.
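The role check such plugins perform on a restricted page looks roughly like this. It is an added example, not code from Restrict User Access or the registration plugin; the page slug 'members-area', the role 'member' assigned by the registration form, and the function name are assumptions.

```php
<?php
// Assumptions: the protected page has the slug 'members-area' and the
// registration form assigns the custom role 'member'. Both are hypothetical.
const EXAMPLE_PAGE_SLUG     = 'members-area';
const EXAMPLE_ALLOWED_ROLES = array( 'member', 'administrator' );

// True only for a logged-in user who holds at least one allowed role.
function example_user_may_view_members_area() {
	if ( ! is_user_logged_in() ) {
		return false;
	}
	$roles = (array) wp_get_current_user()->roles;
	return (bool) array_intersect( EXAMPLE_ALLOWED_ROLES, $roles );
}

// Runs after WordPress has resolved the request, before any template output.
add_action( 'template_redirect', function () {
	if ( ! is_page( EXAMPLE_PAGE_SLUG ) || example_user_may_view_members_area() ) {
		return;
	}
	if ( ! is_user_logged_in() ) {
		auth_redirect(); // Sends the visitor to the login screen and exits.
	}
	// Logged in but without an allowed role: refuse with a 403.
	wp_die(
		'You do not have access to this page.',
		'Forbidden',
		array( 'response' => 403 )
	);
} );
```

This guards only the rendered page. A published page can still be read through the REST API and appear in search results, so check those paths whichever plugin or code you use.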

User roles are often overlooked by WordPress site owners. Without a great deal of effort, a WordPress site can be enhanced significantly by taking full advantage of this great feature.
