Understanding users and roles
Video: Understanding users and rolesIn this screencast we will explore how WordPress uses roles and capabilities to handle its registered users. A good understanding of this helps keep users where they're supposed to be and away from things they shouldn't be messing with. Here at our demo site, let's click on the Users Link in the Users menu to see a list of all of our users for this site. Here we see the admin and four others. WordPress gives us an overview of their names, emails, and roles. To better understand what we're looking at here, let's check out a visual showing the default roles used by WordPress.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Understanding users and roles
In this screencast we will explore how WordPress uses roles and capabilities to handle its registered users. A good understanding of this helps keep users where they're supposed to be and away from things they shouldn't be messing with. Here at our demo site, let's click on the Users Link in the Users menu to see a list of all of our users for this site. Here we see the admin and four others. WordPress gives us an overview of their names, emails, and roles. To better understand what we're looking at here, let's check out a visual showing the default roles used by WordPress.
In WordPress there are five different roles: administrator, editor, author, contributor, and subscriber. Each of these different roles is granted a default set of privileges called capabilities. If needed, a role's capabilities may be changed using a plug-in or theme function. As expected, the user who installs WordPress is the administrator. Administrators can do it all. They can install plug-ins and themes, create and manage users, manage options and settings, and import and export content-- plus they can do everything that all of the other roles can do.
Editor capabilities include moderating comments, managing categories, publishing, and editing posts and uploading files-- plus they can also do everything that authors and contributors can do. Author capabilities include editing and publishing, deleting posts, and uploading files--plus everything that the other two roles can do. Contributor capabilities are simply edit and delete posts. Plus they can read, which is the only thing that subscribers can really do.
Subscribers can read, similar to regular visitors, but subscribers are actually registered with your site. When WordPress multisite is enabled the administrator becomes super admin, Super admin can manage the network of sites, manage users, and manage all network themes and options. Plus super admins have all the same capabilities as regular administrators. Let's check out the super admin and see what it looks like when multisite is enabled. First returning to our Users page in the Admin area, we see the various roles listed here.
Notice that there are two administrators at this point: Admin and Roger. The Admin user is the one that installed WordPress, and then later somehow Roger was added also as another administrator. Once multisite is enabled, both of these administrators will become super admins. To see this, let's pause to enable multisite mode. Now with multisite enabled, we click the Network Admin link in the upper right-hand corner and then go to the Users page by clicking on the Users link in the Users menu.
As seen here, the two administrators have assumed super admin capabilities now that multisite is enabled. But let's say we want Roger to be a regular non-super admin. To do this, we click on his username and then uncheck the option to grant this user super admin privileges, and then we click the Update User button to save our changes. After saving our changes, let's click Back to Authors and Users to verify on the User Settings page.
And yes, we now have only one super admin user, as seen here. Returning now to single site mode, we click on the Users menu link and we see that there are still two administrators listed in the Role column, so we see that the super admin stuff only happens when working in multisite mode. Finally, let's change the role of a user. To do this, we click on the user's Edit link and go to the Role dropdown menu to change the user's role to whatever we wish. Then we scroll down and click Update User to save our changes.
Returning to the Users page, we can verify that the user's role was changed to author. Remember, a good user management strategy is to give out only as many capabilities as is needed for each user. And the take-home message here is that WordPress provides a powerful, flexible user role system that will help you effectively and securely manage your users. Understanding how this system works will help you better manage your users and keep everyone exactly where they're supposed to be.
There are currently no FAQs about WordPress 3: Developing Secure Sites.