Access Control in WordPress – Capability Manager Enhanced

There is one reason I keep hearing over and over again from people who don’t use WordPress: there’s no access control. For large organizations, it’s essential to have close control over what users can and cannot do on our site. Drupal and Joomla both have powerful access control systems in the core.

With WordPress, if you choose the right plugin, it is still possible to have close control over what your users can and cannot do. We’re going to show you how with the PublishPress Capabilities plugin.

PublishPress Capabilities

  • Go to Plugins > Add New in your WordPress admin area.
  • Search for and install the PublishPress Capabilities plugin.
  • Once the plugin is active, go to Capabilities in the left-hand menu.
  • Click this link and you’ll see the main PublishPress Capabilities Dashboard.

cme dashboard

User Roles

As a reminder, there are five default roles in WordPress: Administrator, Editor, Author, Contributor and Subscriber. All of these roles are very general and, by default, cannot be customized.

User Roles form the basis of permissions in WordPress. In most cases, it’s best to put a user into a role and apply permissions to that role, rather than trying to apply permissions directly to the user.

In order to follow this tutorial, I would recommend clicking Users in the left-hand menu and creating a user in the Editor role. We’re going to use them to show how PublishPress Capabilities works.


Think back. A little earlier, when controlling what people could see in the Main Menu, we said “Not all of the user roles can see all of these links anyway. By default, only Administrator can see all of the links.”

Well, the reason that some user roles can’t see those links is that they don’t have the correct Capabilities. For example, these are the Capabilities that the Editor has:

editor permissions

Everything on this page is editable. You have complete control over the permissions on your site.
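
Because every capability can be reassigned, it is worth reviewing the result after editing. The script below is an added example, not code from the original article or from PublishPress: it lists the non-Administrator roles that hold high-risk core capabilities. The choice of which capabilities count as high-risk, the function name and the sample roles are assumptions made for illustration.

```php
<?php
// Added example: flag high-risk capabilities held by non-Administrator roles.
// Run inside WordPress with `wp eval-file audit-caps.php`, or stand-alone with
// `php audit-caps.php` to see it work on the constructed sample below.

// Core capabilities that allow code changes, settings changes or user
// management. Which ones to treat as high-risk is an assumption of this example.
const HIGH_RISK_CAPS = [
    'unfiltered_html', 'edit_plugins', 'edit_themes', 'install_plugins',
    'activate_plugins', 'manage_options', 'edit_users', 'promote_users',
    'create_users', 'delete_users',
];

/**
 * @param array $roles Same shape as wp_roles()->roles:
 *                     slug => ['name' => string, 'capabilities' => [cap => bool]]
 * @return array slug => list of high-risk capabilities granted to that role
 */
function audit_role_capabilities(array $roles): array
{
    $findings = [];
    foreach ($roles as $slug => $role) {
        if ($slug === 'administrator') {
            continue; // Administrators are expected to hold every capability.
        }
        // Only capabilities stored as true are granted; false entries are denials.
        $granted = array_keys(array_filter($role['capabilities'] ?? []));
        $risky   = array_values(array_intersect(HIGH_RISK_CAPS, $granted));
        if ($risky) {
            $findings[$slug] = $risky;
        }
    }
    return $findings;
}

// Use the live role table when WordPress is loaded, otherwise a constructed sample.
$roles = function_exists('wp_roles') ? wp_roles()->roles : [
    'editor' => ['name' => 'Editor', 'capabilities' => [
        'read' => true, 'edit_posts' => true, 'edit_others_posts' => true,
        'unfiltered_html' => true, 'manage_options' => false,
    ]],
    'contributor' => ['name' => 'Contributor', 'capabilities' => [
        'read' => true, 'edit_posts' => true, 'install_plugins' => true, // constructed mistake
    ]],
];

foreach (audit_role_capabilities($roles) as $slug => $caps) {
    echo $slug, ': ', implode(', ', $caps), PHP_EOL;
}
```

A role that appears in the output is not necessarily misconfigured, since the default Editor role holds `unfiltered_html` on a single-site install, but each entry should be a deliberate decision.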


PublishPress Capabilities

PublishPress Capabilities is a powerful way to control who can do what on your WordPress site.

A note of caution: access control is a naturally difficult and time-consuming task. It will take you a while to learn how to use PublishPress Capabilities. It took me several hours and several strong cups of coffee to understand how it works. Not everything is as intuitive as it could be. That was true of learning access control in Joomla and Drupal too.

However, give it time, practice and experiment with how it works. You’ll be rewarded. Thanks to PublishPress Capabilities, WordPress can have access control that is similar to Joomla and Drupal.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

Sean Cook

Does the plugin “WishList” membership need this or does it have its own access control? Also, would you use this to create your own subscription/membership based site?

David Esrati

Thanks for this- really helpful. Do you know of any way to log access as well- to see who signed in, did what?

I’m also trying to find how this can work with BuddyPress- with many subdomain sites- as well as to try to lock out access for most from CiviCRM which installs like a plugin- but, so far, isn’t permissions aware.

Paul Noble

Curious – I have a client who wants to update a specific part of the site that is the plug in: WP Tables Reloaded.

It is located in the TOOLS section of the Admin.

Can I give them access ONLY to the tools section | WP Tables Reloaded?

Thank you in advance.


Hi. I really love this plugin. Does exactly what it says!

I am wondering if there is possibility to limit number of posts in an allowed category as well????


I am running WP3.5. And Graphene theme.

Your plugin would not work – Java error.

Was too bad as it looks amazing! I use Drupal and was hoping for some WP functionality to mimic Drupal.

Let me know and I can send a log if you are interested.

Keep up the great work!


Dennis Parmelee


I am looking for a plug in that will restrict paid subscribers to viewing a portion of my site, defined by “category” for each product (Think educational content for each category).

I came across this plug in as a possible match. Subscribers get read access only permission.

Using WordPress 3.5 and small biz theme.

I would also like to inhibit copying/distribution/plagiarizing, and realize that is another animal.

Any thoughts?

Thanks in advance

Roger S.

Excellent app. Does exactly what I needed it to do. I have support ticket plugin and I only want agents to see the tickets assigned to them. Great job!


Is there a way to restrict access to /wp-admin/ based on time ? So not allow users to login after work hours ?

Mohsin Anwaar

use a security plugin all in one wp security


Hi, I have the following problem: when I activate the plug in, I can only access as superadmin. If I log in as a user, I only have a blank screen and cannot access the (restricted) administration page.


We’re using WPML for translations. Does this Plugin offer the possibility to restrict access to foreign posts, pages, custom-post types, … to a user?
This means a user has only access to all the items per language and not per author.


I have just bought AAM and installed it using the license code. Now my azure website is all blank…! Why and what can I do to get it back again?


Rebecca Redding

I just downloaded… my roles do not show up. I’m only able to edit Admin. I want to edit and/or add other roles but there is no option. Am I doing something wrong?
