One key feature of WordPress that is often overlooked is that it ships with a number of different user roles. These roles help ensure that people have access only to the areas they need, and they reduce the chance of an accident that could bring down the site. In this article we will look briefly at those user roles and then go into how to create your own custom roles.
User roles have been an important part of the WordPress experience since version 2.0. Most people don’t even know they exist and assign administrator rights to everyone who has access to their site dashboard (obviously not a good thing for a whole bunch of reasons). Off the shelf, WordPress comes with six default user roles:
Administrator: someone who has access to all the administrative features and functions within a site.
Editor: someone who can publish and manage posts of all users, including their own.
Author: someone who can publish and manage their own posts.
Contributor: someone who can write and manage their own posts but can’t publish them.
Subscriber: someone who can only manage their profile.
Why Use Custom User Roles?
For the most part, the default user roles are all that are needed. But there are cases where you need a user role that doesn’t fit within the parameters of the default roles, and in this article we’ll see how to create custom user roles without using a plugin.
Let’s think about why we would want to use custom user roles. Typically we use them to make sure that clients only have access to what they need.
But if you are responsible for making sure the site stays up 24/7, then we recommend restricting the client’s access through a custom user role. That way we can give the client everything they need to make their site effective: adding content, maybe adding events, whatever they need to do. What they can’t do is anything that could bring the site down or break some functionality. We restrict things like adding or removing plugins and themes and updating core, all the things we’d want to do ourselves as part of ongoing maintenance.
But let’s start with a quick review of the basics, shall we?
Basic WordPress Functions
In order to manage roles and capabilities effectively, there are five very straightforward functions:
add_role(): Enables you to add a custom role.
remove_role(): Enables you to remove a custom role.
add_cap(): Enables you to add a custom capability to a role.
remove_cap(): Enables you to remove a custom capability from a role.
get_role(): Gets information about a role as well as the capabilities associated with the role.
We are only going to use the add_role() function for this article as we are going to create a custom user role for our fictitious client.
Defining The User Role
So before we dive into the code we need to have a plan, because diving into code without a plan is never a good idea.
So we need to give the user role a name. We’ll keep it simple and call the user role ‘Customer’.
So what can the user role ‘Customer’ actually do? There are over 50 different capabilities available in a clean install of WordPress (the number increases once you start adding plugins, but we’ll go over that in another article). For our purposes we want the client to be able to do the following:
Edit others’ posts
Equally important is what we don’t want them to be able to do:
Add or Remove Plugins
Writing the Code
We are going to put this code into the functions.php file for our active theme. So let’s start by adding this to the file:

```php
// Add a custom user role
$result = add_role( 'customer', __( 'Customer' ), array() );
```
By adding that piece of code, you have technically created a new user role (you can check the drop-down on the Add New User page and it should be there). The problem is that this user role has no functionality assigned to it. So the next step is obviously to add the functionality we identified in our requirements above. Just add the array code to what you have already entered into your functions.php file.

```php
// Add a custom user role
$result = add_role(
    'customer',
    __( 'Customer' ),
    array(
        'read'              => true, // true allows this capability
        'edit_posts'        => true, // Allows user to edit their own posts
        'edit_pages'        => true, // Allows user to edit pages
        'edit_others_posts' => true, // Allows user to edit others' posts, not just their own
        'create_posts'      => true, // Not a core role capability: core gates creating posts on edit_posts
        'manage_categories' => true, // Allows user to manage post categories
        'publish_posts'     => true, // Allows the user to publish, otherwise posts stay in draft mode
    )
);
```
That will give us the functionality we want the client to have, but we still need to restrict them from doing things that could potentially cripple the site. So let’s add that now.

```php
// Add a custom user role
$result = add_role(
    'customer',
    __( 'Customer' ),
    array(
        'read'              => true,  // true allows this capability
        'edit_posts'        => true,  // Allows user to edit their own posts
        'edit_pages'        => true,  // Allows user to edit pages
        'edit_others_posts' => true,  // Allows user to edit others' posts, not just their own
        'create_posts'      => true,  // Not a core role capability: core gates creating posts on edit_posts
        'manage_categories' => true,  // Allows user to manage post categories
        'publish_posts'     => true,  // Allows the user to publish, otherwise posts stay in draft mode
        'edit_themes'       => false, // false denies this capability. User can't edit your theme
        'install_plugins'   => false, // User can't add new plugins
        'update_plugins'    => false, // User can't update any plugins (the core capability is update_plugins, plural)
        'update_core'       => false, // User can't perform core updates
    )
);
```
Is the User Role Set Up Properly?
Making sure your new user role is working as intended requires you to set up a new user with the appropriate role, log out, and log back in as the new user.
Depending on what capabilities you’ve allowed and what you have denied, the first thing you should notice is a change in what’s available in the dashboard. The image below shows you what you would see if you set up the client role as we did above.
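The snippet above runs add_role() on every request and gives you no way, short of logging in, to confirm what is actually stored. As an added example (not the article's own code), here is an idempotent registration using the functions listed under Basic WordPress Functions, plus a drift check that complements the log-in test just described. The customer_role_* function names and the choice of the after_switch_theme hook are this example's assumptions.

```php
<?php
// Added example (not the article's code): register 'customer' once and audit it.
// Single source of truth for the role: true grants, false explicitly denies.
function customer_role_capabilities() {
    return array(
        'read'              => true,
        'edit_posts'        => true,  // in core this also gates creating posts
        'edit_pages'        => true,
        'edit_others_posts' => true,
        'manage_categories' => true,
        'publish_posts'     => true,
        'edit_themes'       => false,
        'install_plugins'   => false,
        'update_plugins'    => false,
        'update_core'       => false,
    );
}
// add_role() stores the role in the database once and returns null if it already
// exists, so later edits to the array never reach it; remove and re-add instead.
function customer_role_register() {
    if ( get_role( 'customer' ) ) {
        remove_role( 'customer' );
    }
    add_role( 'customer', __( 'Customer' ), customer_role_capabilities() );
}
// Run on theme activation, not on every page load.
add_action( 'after_switch_theme', 'customer_role_register' );
// Lists capabilities whose stored value differs from the definition above, plus
// any extra capability the stored role grants; an empty array means no drift.
function customer_role_drift() {
    $role = get_role( 'customer' );
    if ( ! $role ) {
        return array( 'role missing' );
    }
    $expected = customer_role_capabilities();
    $drift    = array();
    foreach ( $expected as $cap => $value ) {
        if ( $role->has_cap( $cap ) !== $value ) {
            $drift[] = $cap;
        }
    }
    foreach ( array_keys( $role->capabilities ) as $cap ) {
        if ( ! isset( $expected[ $cap ] ) && $role->has_cap( $cap ) ) {
            $drift[] = $cap;
        }
    }
    return $drift;
}
```

Removing and re-adding the role discards any capabilities other plugins have granted to it, so review the drift output before relying on it. After activating the theme, `wp eval 'print_r( customer_role_drift() );'` should print an empty array.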