One of the key features in WordPress that is often overlooked is the number of different user roles available. These roles help ensure that people have access only to the areas they need, and they minimize the chance of an accident that could bring the site down. In this article we will look briefly at those user roles and then go into how to create your own custom roles.
User roles have been an important part of the WordPress experience since version 2.0. Most people don't even know they exist and assign administrator rights to everyone who has access to their site dashboard (obviously not a good thing, for a whole bunch of reasons). Off the shelf, WordPress comes with six default user roles:
- Administrator: someone who has access to all the administrative features and functions within a site.
- Editor: someone who can publish and manage posts of all users, including their own.
- Author: someone who can publish and manage their own posts.
- Contributor: someone who can write and manage their own posts but can’t publish them.
- Subscriber: someone who can only manage their profile.
Why Use Custom User Roles?
For the most part the default user roles are all that are needed. But there are cases where you need a user role that doesn’t fit in with the parameters of the default roles. And in this article I’ll show you how to create your own custom user roles without using a plugin.
Let's put a real-world spin on why you would want to use custom user roles. I typically use custom user roles to make sure my clients only have access to what they need. I'm sure there are people who will argue that it is the client's site and they should have admin access as the owner. And that's fine if you don't have a maintenance agreement with the client and are just handing the site over and moving on to the next project.
But if you're responsible for making sure the site stays up 24/7, then I recommend restricting the client's access through a custom user role. That way I can give the client everything they need to make their site effective, such as adding content or events, whatever they need to do. What they can't do is anything that could bring the site down or break some functionality. I restrict things like adding or removing plugins, editing themes and updating core, all the kinds of things I'd want to do myself as part of ongoing maintenance.
But let's start with a quick review of the basics, shall we?
Basic WordPress Functions
In order to manage roles and capabilities effectively, there are five very straightforward functions:
- add_role(): Enables you to add a custom role.
- remove_role(): Enables you to remove a custom role.
- add_cap(): Enables you to add a custom capability to a role.
- remove_cap(): Enables you to remove a custom capability from a role.
- get_role(): Gets information about a role as well as the capabilities associated with the role.
We are only going to use the add_role() function for this article as we are going to create a custom user role for our fictitious client.
Defining The User Role
Before we dive into the code we need a plan, because diving into code without a plan is never a good idea.
First we need to give the user role a name. We'll keep it simple and call the user role 'Client'.
So what can the user role ‘Client’ actually do? There are over 50 different capabilities available in a clean install of WordPress (the number increases once you start adding plugins, but we’ll go over that in another article). For our purposes we want the client to be able to do the following:
- Create posts
- Edit posts
- Edit others' posts
- Manage categories
- Edit Pages
Equally important is what we don’t want them to be able to do:
- Edit themes
- Add or Remove Plugins
- Update core
Writing the Code
We are going to put this code into the functions.php file for our active theme. So let's start by adding this to the file:
// Add a custom user role
$result = add_role( 'client', __( 'Client' ), array() );
By adding that piece of code, you have technically created a new user role (you can check the Role drop-down on the Add New User page and it should be there). The problem is that this user role has no capabilities assigned to it. So the next step is obviously to add the functionality we identified in our requirements above. Just add the following array to what you have already entered into your functions.php file.
// Add a custom user role
$result = add_role( 'client', __( 'Client' ), array(
    'read'              => true, // true allows this capability
    'edit_posts'        => true, // Allows user to edit their own posts (core also maps creating posts to this capability)
    'edit_pages'        => true, // Allows user to edit pages
    'edit_others_posts' => true, // Allows user to edit others' posts, not just their own
    'create_posts'      => true, // Not a core role capability on its own; post creation is checked via edit_posts above
    'manage_categories' => true, // Allows user to manage post categories
    'publish_posts'     => true, // Allows the user to publish; otherwise posts stay in draft
) );
That will give us the functionality we want the client to have, but we still need to restrict them from doing things that could potentially cripple the site. So let's add that now.
// Add a custom user role
$result = add_role( 'client', __( 'Client' ), array(
    'read'              => true,  // true allows this capability
    'edit_posts'        => true,  // Allows user to edit their own posts (core also maps creating posts to this capability)
    'edit_pages'        => true,  // Allows user to edit pages
    'edit_others_posts' => true,  // Allows user to edit others' posts, not just their own
    'create_posts'      => true,  // Not a core role capability on its own; post creation is checked via edit_posts above
    'manage_categories' => true,  // Allows user to manage post categories
    'publish_posts'     => true,  // Allows the user to publish; otherwise posts stay in draft
    'edit_themes'       => false, // false denies this capability. User can't edit your theme
    'install_plugins'   => false, // User can't add new plugins
    'update_plugins'    => false, // User can't update any plugins (the core capability is plural, update_plugins)
    'update_core'       => false, // User can't perform core updates
) );
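One thing the snippet above does not handle: add_role() returns null and changes nothing when a role with that name already exists, so a role created once and then edited in functions.php silently keeps its old capabilities. The following is an added example, not code from the original article, that registers the role with a version stamp and rebuilds it only when the definition changes; the CLIENT_ROLE_VERSION constant and the client_role_version option name are my assumptions, and the extra plugin and theme denials go slightly beyond the article's list to cover its "add or remove plugins" requirement.

```php
<?php
// Added example: version-stamped registration of the 'client' role.
// Bump CLIENT_ROLE_VERSION (assumed name) whenever the capability list changes.
define( 'CLIENT_ROLE_VERSION', '2' );

function client_role_capabilities() {
    return array(
        // Granted: what the client needs to do their job.
        'read'              => true,
        'edit_posts'        => true,  // also covers creating posts in core
        'edit_others_posts' => true,
        'publish_posts'     => true,
        'edit_pages'        => true,
        'manage_categories' => true,
        // Explicitly denied: actions that can take the site down.
        'edit_themes'       => false,
        'switch_themes'     => false,
        'install_plugins'   => false,
        'activate_plugins'  => false,
        'delete_plugins'    => false,
        'update_plugins'    => false,
        'update_core'       => false,
    );
}

function client_role_register() {
    // Only touch the database when the stored version is stale.
    if ( get_option( 'client_role_version' ) === CLIENT_ROLE_VERSION ) {
        return;
    }
    // Drop any stale definition. Users keep the role name in their own
    // usermeta, so they pick up the new capability set once it is re-added.
    remove_role( 'client' );
    add_role( 'client', __( 'Client' ), client_role_capabilities() );
    update_option( 'client_role_version', CLIENT_ROLE_VERSION );
}
add_action( 'init', 'client_role_register' );
```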
How To Determine If The User Role Is Set Up Properly
Making sure your new user role is working as intended requires you to set up a new user with the appropriate role, log out and log back in as that new user.
Depending on what capabilities you’ve allowed and what you have denied, the first thing you should notice is a change in what’s available in the dashboard. The image below shows you what you would see if you set up the client role as we did above.
As you can see, the options available to this user are greatly reduced as a result of what has been allowed and what has explicitly been denied. You now have some peace of mind as a developer/site manager that you hopefully won't be getting that call saying "I don't know what happened, but all of a sudden my site isn't there."
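Logging in as the client shows what the dashboard looks like, but it does not show capabilities granted through a second role on the same account or by a plugin filtering user_has_cap. As an added example that is not part of the original article, the function below audits the role definition with get_role() and then the effective capabilities of every user holding the role with user_can(); the capability lists mirror the role defined above and the function and option names are my assumptions.

```php
<?php
// Added example: audit the 'client' role and the users who hold it.
function client_role_audit() {
    $must_have = array( 'read', 'edit_posts', 'edit_others_posts',
                        'publish_posts', 'edit_pages', 'manage_categories' );
    $must_not  = array( 'edit_themes', 'install_plugins', 'update_plugins',
                        'update_core', 'activate_plugins', 'delete_plugins' );
    $problems  = array();

    $role = get_role( 'client' );
    if ( null === $role ) {
        return array( 'role "client" does not exist' );
    }
    // 1. The role definition itself.
    foreach ( $must_have as $cap ) {
        if ( ! $role->has_cap( $cap ) ) {
            $problems[] = "role is missing capability: $cap";
        }
    }
    foreach ( $must_not as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $problems[] = "role grants forbidden capability: $cap";
        }
    }
    // 2. Effective capabilities per user, which is what WordPress actually checks.
    foreach ( get_users( array( 'role' => 'client' ) ) as $user ) {
        foreach ( $must_not as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $problems[] = "user {$user->user_login} can $cap";
            }
        }
        if ( count( $user->roles ) > 1 ) {
            $problems[] = "user {$user->user_login} has extra roles: "
                        . implode( ', ', $user->roles );
        }
    }
    return $problems;
}

// Surface findings to administrators as dashboard notices.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( client_role_audit() as $problem ) {
        echo '<div class="notice notice-error"><p>Client role: '
           . esc_html( $problem ) . '</p></div>';
    }
} );
```

Because the audit queries all client users, run it on demand (for example from a maintenance page) rather than on every admin request on a large site.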