The WordPress Guide to User Access and User Roles
One of the questions we get often from WordPress students: “How do I control what users can and cannot do on my site?”
There are lots of possible answers to this, and we’re going to give you an introduction to many of them in this tutorial.
Option #1: Published / Draft / Pending Review
By default, WordPress allows you to have a basic approval process for posts.
When you start writing a WordPress post, look up in the admin toolbar. In the top right corner, you will see the “Save draft” link. Everything you write is automatically a Draft and will remain so until you publish it. Drafts are not visible to anyone but your site’s Administrators and Publishers.
- If you check the “Pending Review” box, this flags it for review by the site Administrators or Editors. Anything marked as either “Draft” or “Pending Review” is not available to the public. This guide explains the difference between Draft and Pending Review.
If you want to add more than Draft and Pending Review, try the PublishPress Statuses plugin. You can also set your post so that it will publish in the future:
- Click Immediately next to “Publish”
- You can either publish it now or you can set a date and time when it will automatically publish itself. This is another way to control visibility. Items will be invisible until the magic date arrives then everyone can see them.
Option #2: Public / Password protected / Private
On the same panel as Option 1, click “Public” next to Visibility. You now have some new options:
- Public: Everyone who comes to the website can see it.
- Password Protected: Only people who have the password for this article can see it.
- Private: This option hides the content from the public completely. But Administrators and Editors can see it, so it’s not completely private, but access is definitely restricted. Here’s a guide to Private posts in WordPress.
Password protected entries are still not visible to registered users. When you choose password protected, you create a new password just for that page. User passwords won’t work. The only way they can get the password is if an administrator gives it to them. Anyone who can edit the page or post will be able to view or change the password.
Option #3: User roles
Options 1 and 2 provide good privacy for a basic blog. However, many sites need more flexibility. Some sites don’t want everyone logging into the administrator area. Others sites sell memberships and provide different content to different levels of users.
Before you can get more detailed over the content visibility of your content, you need to understand User roles.
Go to Users > Add New and you can see when you add a new user there is an opportunity to put new users into one of five roles: Subscriber, Administrator, Editor, Author and Contributor.
- Administrator: Somebody who has access to all the administration features.
- Editor: Somebody who can publish and manage posts and pages as well as manage other users’ posts, etc.
- Author: Somebody who can publish and manage their own posts.
- Contributor: Somebody who can write and manage their posts but not publish them.
- Subscriber: Somebody who can only manage their profile.
- Plugins will can expand the roles available. Above is a the list of roles available on another site. Customer and Shop Manager were added when I installed WooCommerce on the site.
- You can also decide what role is automatically given to new users. Go to Settings > General and there you can define the New User Default Role. This means that whenever someone joins, the are automatically assigned the role you picked for them. The only way to change the role is if the administrator edits the user record and assigns a new one.
Option #4: Expanded User Roles and Capabilities
WordPress ships with the five default roles that we saw in Option 3, but plugins add to this list and so can you.
Plugins such as PublishPress Capabilities allow you to change user roles capabilities easily. You can read our detailed PublishPress Capabilities tutorial here.
The image below shows PublishPress Capabilities. You can check the capabilities you wish to give to each user role and click “Save Change” button.
PublishPress Permissions is another comprehensive access control solution, giving you CMS-like control of reading and editing permissions. You can assign restrictions and roles to specific pages, posts or categories.
Option #5: Adding User Groups
The idea of groups adds another layer to the process of controlling access. It also gives you the capability to now start adding “levels” to your site membership. WordPress originally had Level 1, Level 2 members and that was changed to the roles model that we saw in Options 3 and 4.
Groups are intended to be used in conjunction with roles to differentiate capabilities. This is probably easiest to understand with a practical example:
Suppose you had 100 subscribers. 25 of those want to wanted to read your WordPress blog, 25 of them want to read your Drupal blog, some want to read your Joomla blog, and the rest want to read everything. They are all described by a single user role, but based on their interests they fall into four different groups.
- WordPress Blog readers.
- Drupal Blog Readers.
- Joomla Blog Readers.
- Everything Readers.
They are all using the same role so they all have the same role capabilities, but they fall into different groups. Each group has to have it’s own capability rules.
You need plugins to add groups to your WordPress installation. Groups is a great example. Some of it’s features:
User groups:
- Supports an unlimited number of groups.
- Users can be assigned to any group.
- Supports group hierarchies with capability inheritance.
Access control:
- Built-in access control that allows to restrict access to posts, pages and custom content types to specific groups and users only.
- Control access to content by groups: shortcodes allow to control who can access content on posts, show parts to members of certain groups or to those who are not members Shortcodes: [groups_member], [groups_non_member].
- Control access to content by capabilities: show (or do not show) content to users who have certain capabilities Shortcodes: [groups_can], [groups_can_not].
Can you please tell me how can I re-lock a page after a viewer leaves it or refreshes screen? I am using Option 2: Public / Password protected / Private. Password Protected for one of our pages. However, I need to have it re-lock after the user leaves the page or refreshes the screen.
I have a wordpress site for design. I want to allow multiple users to have the ability to log in and create their won designs, use all of the functions of the site, but not have any access to each other’s designs or information.
Ideally, it would be great to have each users dashboard, function and experience seem as if they are the only user when they are logged in.
Is this possible?
nice
WordPress multisite might be the answer Jacqueline, new installs of WP have this feature inbuilt which you can turn on at the start and you can act as a super admin
Hello Everyone,
I have already read your article. I got the lot of thinks from there.This article and every comment is very helpful for everybody.However, I want to add something, and recently I just released the membership plugin in the wordpress repository who is called “rs-members”. Before developing I just studied existence all membership wordpress plugin.I got many problems from the those.As a result; I just tried to include many useful features.Without programming skill any guys can easily maintain this plugin. I hoped this plugin will be helpful fill up your all demand. .Guys you can visit my “rs-members” from wordpress repository.
[url=https://wordpress.org/plugins/rs-members]https://wordpress.org/plugi…[/url]
Thank you gentleman for patiently reading.