The Ultimate Guide to User Control in WordPress

One of the questions we get often from WordPress students: “How do I control what users can and cannot do on my site?”

There are lots of possible answers to this, and we’re going to give you an introduction to many of them in this tutorial.

Option #1: Published / Draft / Pending Review

By default, WordPress allows you to have a basic approval process for posts.

• At the top right of the editing page is the Status & Visibilty panel. Above this panel you will see Save: Draft. 
• Everything you write is automatically a Draft and will remain so until you publish it. Drafts are not visible to anyone but your site’s Administrators and Publishers.

• If you choose Pending Review, this flags it for review so you can sort for pending articles and posts when you are getting ready to publish. Anything marked as either Draft or Pending Review is not available to the public.

You can also set your post as a Draft that will publish in the future:

• Click Immediately next to “Publish”
• You can either publish it now or you can set a date and time when it will automatically publish itself. This is another way to control visibility. Items will be invisible until the magic date arrives then everyone can see them.

---

Option #2: Public / Password protected / Private

On the same panel as Option 1, click “Public” next to Visibility. You now have some new options:

• Public: Everyone who comes to the website can see it.
• Password Protected: Only people who have the password for this article can see it.
• Private: This option hides the content from the public completely. But administrators, publishers and editors can see it, so it’s not completely private, but access is definitely restricted.

Password protected entries are still not visible to registered users. When you choose password protected, you create a new password just for that page. User passwords won’t work. The only way they can get the password is if an administrator gives it to them. Anyone who can edit the page or post will be able to view or change the password.

Option #3: User roles

Options 1 and 2 provide good privacy for a basic blog. However, many sites need more flexibility. Some sites don’t want everyone logging into the administrator area. Others sites sell memberships and provide different content to differnet levels of users.

Before you can get more detailed over the content visibility of your content, you need to understand User roles.

Go to Users > Add New and you can see when you add a new user there is an opportunity to put new users into one of five roles: Subscriber, Administrator, Editor, Author and Contributor. There is also a sixth role called called Super Admin that you’ll need to understand.

• Super Admin: This role can’t be assigned Someone with access to the blog network administration features controlling the entire network. This role is created when WordPress is installed.
• Administrator: Somebody who has access to all the administration features.
• Editor: Somebody who can publish and manage posts and pages as well as manage other users’ posts, etc.
• Author: Somebody who can publish and manage their own posts.
• Contributor: Somebody who can write and manage their posts but not publish them.
• Subscriber: Somebody who can only manage their profile.

If you want a detailed list and explanation of each role and the capabilities of each, you should visit the WordPress Codex: http://codex.wordpress.org/Roles_and_Capabilities.

• Plugins will can expand the roles available. Above is a the list of roles available on another site. Customer and Shop Manager were added when I installed WooCommerce on the site.

• You can also decide what role is automatically given to new users. Go to Settings > General and there you can define the New User Default Role. This means that whenever someone joins, the are automatically assigned the role you picked for them. The only way to change the role is if the administrator edits the user record and assigns a new one.

---

Option #4: Expanded User Roles and Capabilities

WordPress ships with the six default roles that we saw in Option 3, but plugins add to this list and so can you.

Plugins such as Capability Manager Enhanced allow you to change user roles capabilities easily. You can read our detailed Capability Manager Enhaned tutorial here.

The image below shows Capability Manager Enhanced. You can check the capabilities you wish to give to each user role and click “Update” button to save your changes.

Some other Capability Manager Enhanced features:

• Unnecessary roles can be deleted if there are no users whom such role is assigned.
• The default user role can be changed.
• Capabilities could be assigned on per user basis.
• You can add new capabilities and remove unnecessary capabilities which could be left from uninstalled plugins.
• Multi-site support is provided.

PressPermit is another comprehensive access control solution, giving you CMS-like control of reading and editing permissions. Assign restrictions and roles to specific pages, posts or categories. This is a slightly different concept. because it adds groups and focuses on content visibility and access control.

Your WordPress core role definitions remain unchanged, and continue to function as default permissions. User access is altered only as you expand it by assigning content-specific roles, or reduce it by setting content-specific restrictions. Here’ just a partial feature list.

• WP roles work as is or can be limited by content-specific Restrictions
• Role Scoper roles grant additional Read or Edit access for specific Pages, Posts or Categories
• Define User Groups and give them one or more RS roles
• Can elevate Subscribers to edit desired content (ensures safe failure mode)
• Control which categories users can post to
• Control which pages users can associate sub-pages to
• Supports custom Post Types and Taxonomies (when defined using WP schema by a plugin such as Custom Post Type UI

Option #5: Adding User Groups

The idea of groups adds another layer to the process of controlling access. It also gives you the capability to now start adding “levels” to your site membership. WordPress originally had Level 1, Level 2 members and that was changed to the roles model that we saw in Options 3 and 4.

Groups are intended to be used in conjunction with roles to differentiate capabilities. This is probably easiest to understand with a practical example:

Suppose you had 100 subscribers. 25 of those want to wanted to read your WordPress blog, 25 of them want to read your Drupal blog, some want to read your Joomla blog, and the rest want to read everything. They are all described by a single user role, but based on their interests they fall into four different groups.

• WordPress Blog readers.
• Drupal Blog Readers.
• Joomla Blog Readers.
• Everything Readers.

They are all using the same role so they all have the same role capabilities, but they fall into different groups. Each group has to have it’s own capability rules.

You need plugins to add groups to your WordPress installation. Groups is a great example. Some of it’s features:

User groups:

• Supports an unlimited number of groups.
• Users can be assigned to any group.
• Supports group hierarchies with capability inheritance.

Access control:

• Built-in access control that allows to restrict access to posts, pages and custom content types to specific groups and users only.
• Control access to content by groups: shortcodes allow to control who can access content on posts, show parts to members of certain groups or to those who are not members Shortcodes: [groups_member], [groups_non_member].
• Control access to content by capabilities: show (or do not show) content to users who have certain capabilities Shortcodes: [groups_can], [groups_can_not].