Hands on: User Access Management


Providing website users with appropriate capabilities and access is a powerful built-in feature of WordPress. It is an important and helpful tool for your users as well as the administrator(s).

It is important to get familiar with the basic roles that are always there, ready to use. Go ahead and check out the overview provided by the WordPress Codex. The built-in roles and capabilities might even suffice or only need minor changes.

The basic roles are:

Subscriber: Can only manage her profile.

Contributor: Is able to write and edit her own posts, but is not allowed to publish them.

Author: Is allowed to publish and manage her own posts (and pages).

Editor: Is allowed to publish and manage her own posts and the posts of others. This also applies to pages! However, she is not allowed to edit pages or posts created by an Administrator.

Administrator: Gets to do all the administrative stuff in a single install. Please note, if you have a multisite install there also is a super admin who needs to manage the network.

If you would like to go into more detail, Justin Tadlock wrote a very extensive post about it (prior to releasing his “members” plugin).

If these roles don’t suffice for your project, you have two options: you can either modify the capabilities of an existing user role or create a completely new user role. To modify an existing user role, you can use the add_cap() and remove_cap() functions.

If that doesn’t work for you there is always the option to add new user roles to your project.

Adding a new user role “manually”

First, it is essential to sit down and figure out what the needs of your new user role really are. Let’s say we need to create a user role that is allowed to:

  • create posts
  • edit posts
  • publish own posts
  • delete own posts
  • edit own pages

We don’t want to allow this user role to:

  • edit themes
  • update themes
  • update plugins
  • install plugins
  • update core

You will be using the add_role() function. The code has to go into the functions.php file of your active theme. (You might want to try this on a child theme, especially if you are still a bit inexperienced working with WordPress.)

So head over to your functions.php and add the following code:

// Add a custom user role
$result = add_role( 'custom', __( 'Custom' ), array() );

So far you have only added the “Custom” role; it doesn’t have a set of capabilities yet. However, if you go and try to add a new user, you can already pick your new “Custom” user role.

Now we define the capabilities we picked above:

// Add a custom user role
// Note: add_role() changes nothing if a role named 'custom' already exists
$result = add_role( 'custom', __( 'Custom' ), array(
    'read' => true, // true denotes activation of this capability
    'edit_posts' => true, // Allows user to edit their own posts
    'create_posts' => true, // Allows user to create new posts
    'publish_posts' => true, // Allows the user to publish, otherwise posts stay in draft mode
    'delete_posts' => true, // Allows user to delete their own posts (from the list above)
    'edit_pages' => true, // Allows user to edit pages
    'edit_themes' => false, // false denotes deactivation of this capability. User can’t edit your theme
    'update_themes' => false, // User can’t update themes
    'install_plugins' => false, // User can’t add new plugins
    'update_plugins' => false, // User can’t update any plugins
    'update_core' => false // User can’t perform core updates
) );

To check whether this has worked, create a new user assigned to your new user role and log in as that user. If everything worked out, you should get the dashboard with the options you assigned to your new user role.
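WordPress stores roles in the database, and add_role() leaves a role untouched if it already exists, so a “Custom” role created empty in the first step will not pick up the capabilities from the second call. The following is an added example, not code from the original post, that goes one step further than the text: it syncs the role against an allow-list and checks that none of the unwanted capabilities are present. The function name, the constant and the option name custom_role_caps_version are assumptions made for illustration.

```php
<?php
// Added example. CUSTOM_ROLE_CAPS_VERSION, example_sync_custom_role() and the
// 'custom_role_caps_version' option are hypothetical names, not WordPress APIs.
define( 'CUSTOM_ROLE_CAPS_VERSION', '2' ); // bump when the allow-list changes

function example_sync_custom_role() {
    // Roles are persisted in the database; only rewrite them on a version change.
    if ( get_option( 'custom_role_caps_version' ) === CUSTOM_ROLE_CAPS_VERSION ) {
        return;
    }

    // Allow-list: the role gets exactly these capabilities and nothing else.
    $allowed = array( 'read', 'edit_posts', 'create_posts', 'publish_posts', 'delete_posts', 'edit_pages' );
    // Capabilities the post says this role must never have.
    $denied = array( 'edit_themes', 'update_themes', 'install_plugins', 'update_plugins', 'update_core' );

    $role = get_role( 'custom' );
    if ( null === $role ) {
        // First run: create the role with the allow-list only.
        $role = add_role( 'custom', __( 'Custom' ), array_fill_keys( $allowed, true ) );
    } else {
        // Role already exists, so add_role() would be a no-op.
        // Strip anything that is not on the allow-list, then grant what is.
        foreach ( array_keys( $role->capabilities ) as $cap ) {
            if ( ! in_array( $cap, $allowed, true ) ) {
                $role->remove_cap( $cap );
            }
        }
        foreach ( $allowed as $cap ) {
            $role->add_cap( $cap );
        }
    }

    if ( ! $role ) {
        return; // role could not be created; try again on the next request
    }

    // Verify the result before recording the version as applied.
    foreach ( $denied as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            error_log( "Role 'custom' unexpectedly has capability: $cap" );
            return;
        }
    }
    update_option( 'custom_role_caps_version', CUSTOM_ROLE_CAPS_VERSION );
}
add_action( 'init', 'example_sync_custom_role' );
```

A capability that is simply absent from the role is denied, so the allow-list alone enforces the restrictions; the denied list only serves as a check.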

If coding yourself is not your thing, there are quite a few plugins out there to do the job:

I like the simplicity of “members” by Justin Tadlock best (plus easy to digest documentation). Another one that worked well for client projects is Advanced Access Manager.

If you have any recommendations please let me know! I am sure there are more good options out there, I just never tried them.