Setting up a well-made WordPress website takes a lot of thought, time and energy. Along the way, you’ll take advantage of administrator-level access to do things such as install plugins and tweak settings. That’s great for the development phase of a project. But what if you need to set up access for non-technical members of an organization?
Depending upon who needs access, there are probably going to be certain features you’ll want to block out. For example, users who are just logging in to edit content or moderate comments shouldn’t be able to deactivate (or, even worse, install) plugins. There may even be users who only need access to a specific blog category or custom post type.
Let’s take a look at a few ways to “wall off” pretty much anything in the WordPress dashboard from a few different angles.
User roles
As a savvy WordPress developer knows, the software comes with some user roles and capabilities built right into the core. So just by assigning a user to the role of Editor (who can publish and manage their own posts along with those of other users) or Author (who can publish and manage only their own posts) you’ve essentially blocked out someone’s ability to access various settings. Those roles will also cut down on the number of menu options the user will see within the Dashboard.
If the user is just editing or adding their own content on a pretty vanilla install of WordPress, this may be all you need to do.
Tweaking roles
For cases where the standard roles and capabilities aren’t enough, you may find that you’ll need to either edit or create new user roles. That’s very helpful in cases where a non-admin user may need to access a specific plugin (like a slideshow or photo gallery plugin) or perform certain tasks (like creating user accounts).
Using a plugin such as the venerable User Role Editor or WPFront User Role Editor can help you tweak existing roles or create new ones. While the plugins are fairly safe, you will want to test out any changed or added roles to ensure there aren’t any undesired consequences.
Tip: For those of you who need to create or edit roles specific to a custom post type, there is a catch. By default, WordPress treats custom post types just like standard pages or posts (depending on how the post type was set up). To provide more granular control over a custom post type, read Ross Johnson’s excellent tutorial on creating custom capabilities for post types. It also provides an example of setting up a user role with the add_role function as opposed to a plugin.
Hide unnecessary menus
While the Editor and Author user roles will automatically block out some menus from the WordPress dashboard, there are times when you’ll want to cut things down even further. For example, I recently worked on a site where a specific user role was going to access just a single custom post type – and nothing else. By hiding all other menu items, there would be no confusion for the user as to where they were supposed to go to edit content. They also couldn’t snoop around in areas where they had no privileges.
The cleverly-named Adminimize plugin provides an easy way to exercise granular control over menus. You can hide entire menus or just certain sub-menu items from specific user roles.
If you’d rather accomplish this through code, you can use the built-in remove_menu_page or remove_submenu_page functions to remove unnecessary menus and sub-menu items.
Please note that simply hiding menus alone doesn’t prevent access by a user. You will need to modify or create new user roles in order to accomplish that.
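To make the difference between hiding and restricting concrete, here is an added example (not code from this article or from any plugin named above) that pairs a restricted role with menu hiding. The `story` post type, the `story_editor` role and the plugin header are hypothetical names chosen for illustration.

```php
<?php
/**
 * Plugin Name: Story Editor Access (hypothetical example)
 */

// Hypothetical post type with its own capability names, so access to it
// can be granted separately from regular posts and pages.
add_action( 'init', function () {
    register_post_type( 'story', array(
        'label'           => 'Stories',
        'public'          => true,
        'show_ui'         => true,
        'capability_type' => array( 'story', 'stories' ),
        'map_meta_cap'    => true,
    ) );
} );

// Enforcement: the role is granted only what it needs. It has no
// edit_posts, manage_options or activate_plugins, so WordPress itself
// refuses those screens even when the URL is typed in directly.
register_activation_hook( __FILE__, function () {
    $caps = array(
        'edit_stories'           => true,
        'edit_published_stories' => true,
        'publish_stories'        => true,
        'delete_stories'         => true,
    );
    add_role( 'story_editor', 'Story Editor', array( 'read' => true ) + $caps );

    // Administrators do not pick up custom capabilities automatically.
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( array_keys( $caps ) as $cap ) {
            $admin->add_cap( $cap );
        }
    }
} );

// Cosmetic: trim the remaining menus for this role. The role still holds
// 'read', so /wp-admin/index.php and /wp-admin/profile.php keep loading
// when requested directly; only the menu links are gone.
add_action( 'admin_menu', function () {
    $user = wp_get_current_user();
    if ( ! in_array( 'story_editor', (array) $user->roles, true ) ) {
        return;
    }
    remove_menu_page( 'index.php' );   // Dashboard
    remove_menu_page( 'profile.php' ); // Profile
}, 999 );
```

After activating it, log in as a test user with the new role and request a few admin URLs by hand (for example `/wp-admin/plugins.php`) to confirm that the capability check, not the missing menu link, is what refuses access.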
Wrapping up
The great aspect of customizing access and capabilities for WordPress users is that we can adapt these methods to virtually any situation that arises. Different organizations will have varied needs for who needs access to the back end of their website. Thankfully, WordPress makes it easy to tweak things to the point where users can see and access only what they need to.