How To Control WordPress User Permissions Effectively Using The User Role Editor
The WordPress user system controls what users can and cannot do on your website. This includes administrative tasks, writing content, approving content, plugin and theme management, and more.
Out of the box, there are five user roles available with WordPress. I am sure you are all aware of these roles; however, let us review them quickly before moving on.
The five default user roles are:
- Administrator – Has access to all administrative options and features.
- Editor – Can manage and publish posts. Traditionally, editors review posts submitted by contributors and then schedule them for review.
- Author – Can publish their own posts when they wish.
- Contributor – Can write posts but cannot publish them. Instead, they need to submit their posts for review.
- Subscriber – Has basic functionality such as changing their profile and leaving comments.
Unfortunately, the default version of WordPress does not allow you to change what particular user roles can and cannot do. Nor does it allow you to create your own custom user groups.
This can be restrictive when running a multi-author website. Take the contributor user role, for example. The contributor user role allows users to delete posts. This is not always ideal, as a situation could arise where a writer deletes their article after being paid for it (rare, but still possible).
Contributors are not permitted to upload files either. Therefore, they cannot upload images to their articles. Due to this, I always manually change the permissions of the contributor user role so that they can upload images. The plugin I use to do that is User Role Editor.
User Role Editor
User Role Editor can be installed directly through your WordPress admin area. Alternatively, you can download the plugin from the official WordPress plugin directory and then upload the files manually using File Transfer Protocol (FTP).
You will find User Role Editor under the Users menu once you have activated the plugin.
The plugin is straightforward to use. The user role can be selected at the top of the page. This list includes all default user roles and any custom user roles you have created.
Once you have loaded a user role profile, you will see a list of what a user assigned to that user role can and cannot do. To change permissions for a user role, check or uncheck the field for that capability. All capabilities can be enabled or disabled using the “Select All” and “Unselect All” buttons at the right-hand side of the page.
User Role Editor does not only support core capabilities. The plugin also lists capabilities for any additional functions you have defined through your theme or through plugins.
New roles and capabilities can be added and deleted through the main User Role Editor page too. If you are basing a new user role on an existing user role (e.g. author), you can choose to copy permissions from that role. This saves you from having to enable all capabilities again.
Capabilities can also be defined on a user level. You will see a link to the user capabilities page in the WordPress user list page.
Controlling user permissions on a user level is useful when you want to change the capabilities of a specific user.
For example, say you have a group of ten authors writing for your blog. Each author sticks to the publishing schedule that you have developed for your writing team, except one. That particular author does not understand WordPress correctly and frequently publishes articles on the wrong day or time. Rather than remove them from the author role or create a completely new user role for them, you can simply remove the permission that allows them to publish posts.
A basic settings page can be found within the settings area for User Role Editor. Settings include displaying the administrator user role within User Role Editor, showing capabilities in a more readable form and showing capabilities that have since been deprecated (i.e. capabilities that have been superseded by more relevant capabilities).
The default roles settings page lets you define what user role users are assigned when they sign up to your website. This can be useful if you are using a forum plugin such as bbPress, but be careful about changing the default user role from subscriber on normal blogs and websites, as you will give permissions to anyone who signs up. On most setups, it is safer to manually upgrade users to the desired user role instead.
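The default role warning above, together with the contributor capabilities discussed earlier, can be checked with a short audit script. This is an added example, not code from User Role Editor or the original article: the audit_roles function, the RISKY_CAPS list and the sample role data are assumptions made for illustration, while wp_roles() and the default_role and users_can_register options are part of WordPress core.

```php
<?php
// Capabilities a self-registered account should not receive (assumed list; adjust to your site).
const RISKY_CAPS = ['publish_posts', 'upload_files', 'edit_others_posts',
                    'unfiltered_html', 'manage_options', 'edit_plugins'];

// $roles: slug => ['name' => ..., 'capabilities' => [cap => bool]],
// the same shape as wp_roles()->roles. Returns a list of finding strings.
function audit_roles(array $roles, string $default_role, bool $open_signup): array {
    if (!isset($roles[$default_role])) {
        return ["WARN: default role '$default_role' does not exist"];
    }
    $findings = [];
    // Only capabilities set to true are granted; false entries are denials.
    $granted = array_keys(array_filter($roles[$default_role]['capabilities']));
    $risky = array_values(array_intersect(RISKY_CAPS, $granted));
    if ($risky) {
        $sev = $open_signup ? 'HIGH' : 'WARN';
        $findings[] = "$sev: new users get '$default_role' with: " . implode(', ', $risky);
    }
    // The two contributor capabilities discussed in the article.
    $contrib = array_filter($roles['contributor']['capabilities'] ?? []);
    if (isset($contrib['delete_posts'])) {
        $findings[] = 'INFO: contributor can delete_posts';
    }
    if (isset($contrib['upload_files'])) {
        $findings[] = 'INFO: contributor can upload_files';
    }
    return $findings;
}

if (function_exists('wp_roles')) {
    // Running inside WordPress, e.g. via `wp eval-file`: audit the live site.
    $roles   = wp_roles()->roles;
    $default = (string) get_option('default_role');
    $open    = (bool) get_option('users_can_register');
} else {
    // Constructed sample: default role switched from subscriber to author.
    $roles = [
        'subscriber'  => ['name' => 'Subscriber', 'capabilities' => ['read' => true]],
        'contributor' => ['name' => 'Contributor', 'capabilities' =>
            ['read' => true, 'edit_posts' => true, 'delete_posts' => true]],
        'author'      => ['name' => 'Author', 'capabilities' =>
            ['read' => true, 'edit_posts' => true, 'publish_posts' => true, 'upload_files' => true]],
    ];
    $default = 'author';
    $open    = true;
}
echo implode(PHP_EOL, audit_roles($roles, $default, $open) ?: ['OK: no findings']), PHP_EOL;
```

Run outside WordPress, the script audits the constructed sample; run inside WordPress, it reads the live roles and options instead, which makes it useful as a check after editing roles in the plugin.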
If you have ever felt restricted by the default capabilities of WordPress user roles, I encourage you to give User Role Editor a try. It gives you complete control of the WordPress user system and will help you manage your users in whatever way you see fit.