Power Up Your Users With The User Role Editor Plugin
A wise man once said, “With great power comes great responsibility.” In WordPress this comes in the form of user roles which permit different access levels to parts of a WordPress site.
The principle of least privilege in IT is a good one to follow. Only the most trusted users should have the greatest access, so that the integrity and security of a site or network of sites can be preserved.
What are the WordPress user roles?
WordPress has six built-in user roles. They are:
- Super Admin: multisite only; has network administration capabilities.
- Administrator: the top-level role for a single site; can perform all actions, except on a multisite network, where some actions are reserved for the Super Admin.
- Editor: can create, edit, publish and delete posts and pages, moderate comments and upload files.
- Author: can publish their own posts, and upload files.
- Contributor: can draft and edit their own posts.
- Subscriber: can log in and edit their profile only.
Roles are associated with capabilities. The more capabilities a user role has, the more actions they can perform.
Imagine a school. A janitor will have keys to access different rooms in the school. A teacher can access the staff room and classrooms but will only have keys to their own classroom. A student can visit most classrooms, but won’t have any keys at all.
In a standard WordPress install, the Administrator role has the most capabilities for a single site; for a multisite it’s the Super Admin.
The WordPress Codex has a full list of capabilities associated with user roles.
For example, Contributors have the following capabilities:
- edit_posts: create and edit (but not publish) their own posts
- delete_posts: delete their own posts
- read: access and edit their own profile
Plugins and user roles
Custom user roles can be created by plugins. For example, WooCommerce adds two more roles:
- Shop Manager: shop management capabilities (can view/change all options in the WooCommerce and Products menus). This equates to WordPress’ Editor role.
- Customer: can view orders, order history and view/edit their account.
An Administrator or Super Admin can add a new user and assign the Shop Manager role. A Customer role is created when someone registers to buy on an online shop.
bbPress adds another five roles. In order of privilege, from most to least, they are:
Unlike WooCommerce roles, bbPress roles are separate from the WordPress user role system and do not show in the standard dropdown list of roles.
Individual users gain the Participant role by participating in a forum. Admins can also assign a user a forum role by editing their profile.
Custom user roles
Most of the time the pre-defined user roles will be adequate, but there are a few cases where you might need a more bespoke implementation. Going back to the school analogy, there might be a head janitor who owns keys for certain rooms that the other janitors don’t have.
That’s where the User Role Editor plugin comes in. It allows more fine-grained control over role capabilities. You can power up your users, but keep them in check.
With User Role Editor you can:
- Add your own roles and set their capabilities
- Rename roles
- Add capabilities to roles
- Delete roles
- Create your own capabilities
You can also change roles and capabilities for individual users.
You may be pleased to know that User Role Editor is GDPR compliant.
A quick tour round User Role Editor
Plugin settings are at Settings > User Role Editor, where you can tweak a few settings and also reset all the roles to their defaults. There’s a big warning that you’ll lose any changes you made with a reset.
Go to Users > User Role Editor to edit roles.
The Show capabilities in human readable form option makes the capability names a little easier to read.
The Granted filter shows only the capabilities a role already has.
The Quick filter is handy if you know the name of a capability you want to change but can’t spot it in the list: it highlights the name in green.
Switching user roles when testing modifications
You will find the User Switching plugin a time-saver. It allows you to change from one user to another with one click. This saves you the bother of logging out and in again as the new user.
The one role I found problematic using this method was the Subscriber role. There was no admin bar shown on my install for a subscriber, so I had no easy way to switch back to an administrator without logging out and logging back in.
Make sure you test out fully any capability changes: you don’t want your users being able to access something unexpected!
Changing default role capabilities
Contributors: uploading media
On a multi-author blog such as the WPMU DEV blog, posts are sent for moderation before publishing. The natural fit is the Contributor role, but this role doesn’t let writers upload images (a fairly essential task!).
The capability to add is upload_files, which is in the General Core section.
This allows the user to add media to posts. Users may see other buttons next to Add Media – it depends on what plugins you have installed.
Contributors who can upload media can see and use all files in the Media Library, unlike posts, where they can only view their own.
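The same change done in code, together with a fix for the Media Library point just made. This is an added example, not code from the article or from the User Role Editor plugin; it assumes it lives in a plugin file (for a child theme, hook the grant to after_switch_theme instead of register_activation_hook), and the sa_example_ function names are the example's own.

```php
<?php
/**
 * Added example (not from the article or User Role Editor):
 * grant Contributors upload_files in code, and narrow the Media Library
 * so that users who cannot edit other people's posts only see their own uploads.
 */

// add_cap() writes the role to the database, so run it once on activation,
// not on every request.
function sa_example_grant_contributor_uploads() {
    $role = get_role( 'contributor' );
    if ( $role && ! $role->has_cap( 'upload_files' ) ) {
        $role->add_cap( 'upload_files' );
    }
}
register_activation_hook( __FILE__, 'sa_example_grant_contributor_uploads' );

// Decision rule for this example: users who may edit others' posts (Editors
// and up) see the whole library; Authors and Contributors see their own files.
function sa_example_limit_to_own_attachments( $user_id = 0 ) {
    $user_id = $user_id ? $user_id : get_current_user_id();
    return ! user_can( $user_id, 'edit_others_posts' );
}

// The media grid and the "Add Media" modal fetch attachments over AJAX;
// this filter adjusts the query arguments for those requests.
add_filter( 'ajax_query_attachments_args', function ( $query ) {
    if ( sa_example_limit_to_own_attachments() ) {
        $query['author'] = get_current_user_id();
    }
    return $query;
} );

// The classic list view on upload.php runs an ordinary main WP_Query.
add_action( 'pre_get_posts', function ( $query ) {
    if ( is_admin() && $query->is_main_query()
        && 'attachment' === $query->get( 'post_type' )
        && sa_example_limit_to_own_attachments() ) {
        $query->set( 'author', get_current_user_id() );
    }
} );
```

The two hooks are both needed because the grid view and the list view do not share a query path; restricting only one leaves the other showing every file.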
Editors: managing widgets and menus
Editors can’t access any options in the Appearance menu, which means that they can’t administer widgets or menus. There are times when this would be useful.
The simplest option is to change the capabilities of the Editor role. The relevant capability, in the Themes group, is edit_theme_options.
This gives the capability to see most of the options in the Appearance submenu.
While the user can’t switch the theme or edit the PHP code, they can customize it and make other changes. The issue is that the edit_theme_options capability combines a few different permissions. Is there anything we can do about this?
One possibility is to remove the menu items and options we don’t need our Editors to have. For the Storefront theme, we need two functions to do it, which we can add to a child theme.
This is the result:
Note that this is not completely foolproof. The menu options won’t be shown, but the pages still exist: a canny Editor could still reach them and get up to mischief by typing in the URLs directly.
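One way to close that hole is to enforce the restriction at the capability layer as well as hiding the menu. The following is an added example, not the article's child-theme functions or anything from User Role Editor; it assumes Editors have been given edit_theme_options as described, uses "can switch themes" as the test for a fully trusted user, and the sa_example_ names are the example's own.

```php
<?php
/**
 * Added example (not from the article or User Role Editor):
 * keep Widgets and Menus for Editors who hold edit_theme_options, but deny
 * them the Customizer and the Themes screen, both in the menu and on direct
 * requests. Drop it in a child theme's functions.php or a must-use plugin.
 */

// Editors cannot switch themes by default, so this separates them from
// Administrators without naming a role.
function sa_example_user_may_manage_themes( $user_id = 0 ) {
    $user_id = $user_id ? $user_id : get_current_user_id();
    return user_can( $user_id, 'switch_themes' );
}

// 1. Capability layer: customize.php and the admin-bar link both check the
//    'customize' meta capability, so denying it here refuses a hand-typed URL
//    rather than merely hiding a link. Returning 'do_not_allow' makes
//    WP_User::has_cap() answer false.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'customize' === $cap && ! sa_example_user_may_manage_themes( $user_id ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );

// 2. Menu layer: remove the Themes entry for the same users. The Customize
//    entry disappears on its own once the capability is denied, and the
//    Appearance parent then links to the first remaining item (Widgets).
add_action( 'admin_menu', function () {
    if ( ! sa_example_user_may_manage_themes() ) {
        remove_submenu_page( 'themes.php', 'themes.php' );
    }
}, 999 );

// 3. Request layer: themes.php itself accepts edit_theme_options, so refuse
//    it explicitly for users who only have that capability.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( 'themes.php' === $pagenow && ! sa_example_user_may_manage_themes() ) {
        wp_die( esc_html__( 'You do not have permission to manage themes.' ), 403 );
    }
} );
```

After adding this, test as an Editor by visiting customize.php and themes.php directly, not just by looking at the menu; the point of the example is that the direct request is what must fail.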
Editors: viewing and editing users
Only Administrators or Super Admins can see the Users menu. Imagine a large multi-user site running BuddyPress or bbPress. There will be a large number of users, but few admins to manage them.
To get around this, you can add two capabilities for Editors:
This allows your Editors to see the list of users, edit their profiles and change their role. An Editor cannot promote a user above Editor level.
If you’re using User Switching, your Editor also gets the Switch To option, but won’t be able to switch to an Administrator or Super Admin account.
The Administrator role is missing from this Editor’s Users view
If you really trust your Editors, you can grant the delete_users capability as well.
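The rule that an Editor must not be able to touch or create Administrators is worth stating in code too, so that it holds even if the capability set is later widened. This is an added example, not the article's setup or User Role Editor's own code; it assumes the Editor role has been given the user-management capabilities described above, treats the administrator role (and Super Admins on multisite) as the protected tier, and the sa_example_ names are the example's own.

```php
<?php
/**
 * Added example (not from the article or User Role Editor):
 * stop users below Administrator from assigning the administrator role or
 * from editing, deleting or promoting accounts that already hold it.
 */

// "Full admin" here means the administrator role, or a Super Admin on multisite.
function sa_example_is_full_admin( $user_id = 0 ) {
    $user = $user_id ? get_userdata( $user_id ) : wp_get_current_user();
    if ( ! $user || ! $user->ID ) {
        return false;
    }
    if ( is_multisite() && is_super_admin( $user->ID ) ) {
        return true;
    }
    return in_array( 'administrator', (array) $user->roles, true );
}

// 1. Take administrator out of the roles a non-admin may hand out. This
//    controls both the role dropdown and the server-side check in edit_user().
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! sa_example_is_full_admin() ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Deny the per-user meta capabilities on protected accounts. $args[0] is
//    the target user's ID for these capabilities.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $protected = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $protected, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target_id = (int) $args[0];
    if ( $target_id !== (int) $user_id
        && sa_example_is_full_admin( $target_id )
        && ! sa_example_is_full_admin( $user_id ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );
```

Filtering editable_roles is the piece that matters most: WordPress validates the submitted role against that list on save, so the restriction is not just cosmetic.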
Creating a custom role: WooCommerce Shop assistant
To create a new role, you can start with a blank slate, or by copying an existing role. Let’s say we’d like a Shop assistant who can view products plus add, edit and publish their own products. But we don’t want this role to edit or delete existing products.
I’ve started with a Contributor role and added the following WooCommerce capabilities:
- assign_product_terms: to assign a category or a tag to a product
- delete_product: to delete a single product they’ve created
- delete_products: to bulk delete their own products
- delete_published_products: to delete their own published products
- edit_product: to create and edit their own products
- edit_product_terms: to change category or tag on their own products
- edit_products: to bulk edit their own products
- edit_published_products: to edit their own published products
- publish_products: can publish their own products
- read_product: can view products
The Shop assistant can also import a CSV of products.
This custom role also has the following WordPress capabilities:
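The same role defined in code, which is useful when you need to recreate it on several sites or keep it under version control. This is an added example, not the article's own role export and not WooCommerce or User Role Editor code; it takes the WooCommerce capabilities from the list above, assumes the WordPress baseline is the Contributor's three capabilities (read, edit_posts, delete_posts) since the role was copied from Contributor, and the shop_assistant slug and sa_example_ names are the example's own.

```php
<?php
/**
 * Added example (not from the article, WooCommerce or User Role Editor):
 * register the Shop assistant role programmatically and check that it
 * never reaches other people's products.
 */

// Note what is absent: no edit_others_products, delete_others_products or
// manage_woocommerce, so products owned by other users stay out of reach.
const SA_EXAMPLE_SHOP_ASSISTANT_CAPS = array(
    // WordPress baseline (assumed: the Contributor's capabilities)
    'read'                      => true,
    'edit_posts'                => true,
    'delete_posts'              => true,
    // WooCommerce product capabilities, as listed in the article
    'assign_product_terms'      => true,
    'delete_product'            => true,
    'delete_products'           => true,
    'delete_published_products' => true,
    'edit_product'              => true,
    'edit_product_terms'        => true,
    'edit_products'             => true,
    'edit_published_products'   => true,
    'publish_products'          => true,
    'read_product'              => true,
);

// add_role() writes to the wp_user_roles option and returns null when the
// role already exists, so register it once on activation.
function sa_example_register_shop_assistant() {
    if ( ! get_role( 'shop_assistant' ) ) {
        add_role( 'shop_assistant', 'Shop assistant', SA_EXAMPLE_SHOP_ASSISTANT_CAPS );
    }
}
register_activation_hook( __FILE__, 'sa_example_register_shop_assistant' );

// Sanity check to run after any role edit, in code or in User Role Editor:
// list every granted capability that reaches content owned by other users.
// Returns null if the role does not exist, otherwise an array (empty is good).
function sa_example_role_touches_others_content( $role_name ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return null;
    }
    $leaks = array();
    foreach ( array_keys( array_filter( $role->capabilities ) ) as $cap ) {
        if ( false !== strpos( $cap, 'others' ) ) {
            $leaks[] = $cap;
        }
    }
    return $leaks;
}
```

For the role as defined here, sa_example_role_touches_others_content( 'shop_assistant' ) returns an empty array; if a later edit in User Role Editor adds something like edit_others_products, it shows up in the result, which is a quick way to catch the kind of over-grant the article warns about.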
Custom bbPress roles
As mentioned earlier, bbPress roles don’t show up with the other roles.
bbPress does not store its roles in the database as WordPress does; it creates its roles on the fly via PHP code on every page load. For this reason, bbPress roles are not supported by the free version of User Role Editor, which excludes them from processing by design. Full support for bbPress roles, including editing, is available in the Pro version of User Role Editor.
Renaming is only an option for roles you have made, and you can only change the role name, not the role ID.
You can only delete roles that you’ve created, and only if no users are assigned that role. You must remove all users from a role first in order to delete it.
Changing individual user capabilities
You can get even more granular by editing individual users and their capabilities. Simply go to the user profile and click on the Edit link next to Capabilities. You can then add to or take away their powers!
Adding and deleting capabilities
If you’re a plugin developer you might want to add your own capabilities. You can read more about creating capabilities in the Codex.
Capabilities can also be removed, e.g. ones left behind by old plugins. Don’t use this option unless you know what you’re doing. Note that WordPress core capabilities can’t be deleted.
User Role Editor provides a simple UI to change your users’ abilities. Before changing or adding roles, though, make sure that:
- there’s a good use case for doing so
- you test your changes on a staging site before going live
- you’ve tried out the new role thoroughly – you don’t want your superhero users to become supervillains!