Access Control in WordPress with Advanced Access Manager
There is one reason I keep hearing over and over again from people who don't use WordPress: there's no access control. For large organizations, it's essential to have close control over what users can and cannot do on the site. Drupal and Joomla both have powerful access control systems in core.
With WordPress, if you choose the right plugin, it is still possible to have close control over what your users can and cannot do. We're going to show you how with the Advanced Access Manager plugin.
Advanced Access Manager
Go to Plugins > Add New in your WordPress admin area.
Search for and install the Advanced Access Manager plugin.
Once the plugin is active, you'll see a new AAM Group tab in the left-hand menu.
Click this link and you'll see the main Advanced Access Manager (AAM) Dashboard.
As a reminder, there are five default roles in WordPress: Administrator, Editor, Author, Contributor and Subscriber. Each role is a fixed bundle of capabilities, and WordPress core provides no admin screen for changing what a role can do.
User roles form the basis of permissions in WordPress. In most cases it's best to put a user into a role and apply permissions to that role, rather than applying permissions directly to the user: a role change is made in one place and applies consistently to every user in that role.
In order to follow this tutorial, I would recommend clicking Users in the left-hand menu and creating a user in the Editor role. We're going to use them to show how AAM works.
AAM lets you customize user access in four important ways. These are listed as tabs across the top of the dashboard: Main Menu, Metaboxes & Widgets, Capabilities, and Posts & Pages.
Under the Main Menu tab you can control the links that users see in the left-hand menu.
There are three important things to remember here:
- Make sure that you have the right user role selected on the right-hand side of the page.
- When you check a box, you are denying that role access to that link. AAM works by taking access away, not by granting it.
- Not all of the user roles can see all of these links anyway. By default, only Administrator can see all of the links.
So, let's take an example. You have a user in the Editor role. When they login, normally they will see the following links:
You can change that. First, make sure that Editor is selected on the right-hand side of the page next to Current Role. Then check the box next to Links. Remember that this denies the role access to that option.
There are three ways to test this new account:
- Log out and then log in again using your Editor account.
- Log in as the Editor in a different browser (or a private window), so you stay logged in as Administrator in the first.
- Use the User Switching plugin.
However you do it, when the Editor logs into the site now, the image below shows what they see: Links has disappeared from the menu.
Even if they know the URL and try to access the Links area directly, they'll get this message. This is the check that matters; hiding a menu link on its own would not stop a user who simply types the URL.
Metaboxes & Widgets
This option controls what users see on their dashboard when they login. This is what the Editor sees normally:
By using AAM, you can remove a large number of these widgets from the dashboard and also from the Posts and Pages screen. All you need to do is click Restrict next to each box:
You can do a very comprehensive job of cleaning up not only the Dashboard, but also the Posts and Pages screens. In the image above, I've only left the first box unchecked for the Editor. As a result, here's what the new Dashboard looks like:
If I repeat that process with Posts and only leave the first box unchecked, this is what the Editor would see:
Think back. A little earlier, when controlling what people could see in the Main Menu, we said "Not all of the user roles can see all of these links anyway. By default, only Administrator can see all of the links."
Well, the reason that some user roles can't see those links is that they don't have the correct Capabilities. For example, these are the Capabilities that the Editor has:
They cannot do any of these things:
- Activate Plugins
- Add Users
- Create Roles
- Create Users
And that's just the first row of capabilities. The Administrator has all of these boxes checked by default.
If you go through the list of Capabilities and check every box that mentions Users or Roles, you'll give your Editor full power over the users on your site. Be clear about what that means: a role that can create, edit and promote users can, by default, create an Administrator account or promote itself to Administrator, so this is effectively administrator access. Grant it only to people you would make administrators anyway. They will now see this when they log in:
Don't worry if you don't know what all of the capabilities mean. If you hover over the small information icon next to each capability, you'll get a description. This is the description for Edit Theme Options.
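What the Capabilities tab is manipulating is WordPress's own roles-and-capabilities API, and it helps to see the mechanism in code. The following is an added example, not code from this article or from the AAM plugin. It reads the Editor role as WordPress stores it, grants the user-management capabilities the way ticking those boxes does, and adds the guard a practitioner would want before doing so. The function names and the choice of `manage_options` as the "is an Administrator" test are my own assumptions; drop it into a small plugin or mu-plugin.

```php
<?php
// Added example (not the article's or AAM's code): what the AAM Capabilities
// tab does underneath, expressed with WordPress's roles/capabilities API.
// Function names and the manage_options test are assumptions of this example.

// The checkbox labels in AAM correspond to WordPress capability slugs.
// has_cap() is the check WordPress itself runs before showing a menu item or
// serving an admin page, which is why an Editor never sees Plugins or Users.
function aam_example_inspect_editor() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return array();
    }
    return array(
        'Activate Plugins'   => $editor->has_cap( 'activate_plugins' ),   // false by default
        'Create Users'       => $editor->has_cap( 'create_users' ),       // false by default
        'Edit Theme Options' => $editor->has_cap( 'edit_theme_options' ), // false by default
        'Edit Others Posts'  => $editor->has_cap( 'edit_others_posts' ),  // true by default
    );
}

// Ticking a box in AAM is equivalent to add_cap() on the role. The change is
// persisted in the <prefix>user_roles option and applies to every user in the role.
function aam_example_grant_user_management( $role_key ) {
    $role = get_role( $role_key );
    if ( ! $role ) {
        return false;
    }
    foreach ( array( 'list_users', 'create_users', 'edit_users', 'promote_users', 'delete_users' ) as $cap ) {
        $role->add_cap( $cap );
    }
    return true;
}

// Guard to wire in before granting the capabilities above: by default a user
// with promote_users may assign any role, Administrator included. The admin
// user screens and the REST users endpoint consult editable_roles, so trimming
// the list here stops a non-Administrator from creating or becoming one.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! current_user_can( 'manage_options' ) ) { // manage_options: Administrator-only by default
        unset( $roles['administrator'] );
    }
    return $roles;
} );
```

Call `aam_example_grant_user_management( 'editor' )` once (on activation, or from WP-CLI's `wp eval`) and the Editor gains the Users menu exactly as in the screenshot; the `editable_roles` filter runs on every request and is the part you keep.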
Restricting a Role to a Category
This is one of the most common requests we get. The process is a little unintuitive, but it is possible to restrict a role to certain categories. Here's how it works.
First, let's imagine we have three categories: Marketing, Sales and Products. If you click on Posts > Categories, this is what you'll see:
We want to create a user role called Marketing Team and users in this role will only have access to post in the Marketing category.
First, make sure there is a post in the Marketing category, even if it is only dummy content. This is one of the more unintuitive steps.
Now go to AAM Group and create a new role called Marketing Team:
Make sure that Marketing Team is selected under Current Role on the right-hand side of the page.
Click Posts & Pages, then Posts, and you'll see the available categories.
Click each category and you'll get control over whether that category can be seen.
Here's what to do:
- Check Restrict Admin and Restrict Front for every category except Marketing, so that Sales and Products are hidden from this role both in the admin area and on the front end. Again, you're focused on denying permissions rather than granting them.
- Make sure to click Update Current. Do not click Update All, otherwise you'll be changing the permissions for all of the roles. This is an easy mistake to make.
Now we are ready to let the marketing team into our site.
Go to Users > Add New and create a new user in the Marketing Team role.
When this new user logs in and goes to write a new post, this is all they will see. As with the Main Menu, confirm the restriction by opening the edit URL of a Sales or Products post directly while logged in as the new user; it should be refused, not merely missing from the list.
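The same restriction written against the WordPress API, rather than through AAM's screens, shows which parts are cosmetic and which part actually enforces the rule. This is an added example, not the article's or AAM's code. It assumes a role key `marketing_team`, a category with the slug `marketing`, and that it runs as a small plugin; the `mt_` function names are mine.

```php
<?php
// Added example (not the article's or AAM's code): a "Marketing Team" role that
// can only work on posts in the Marketing category. Role key, category slug and
// function names are assumptions of this example.

// 1. The role: start from the Editor's capabilities so the team can write and publish.
function mt_register_role() {
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();
    add_role( 'marketing_team', 'Marketing Team', $caps ); // no-op if the role already exists
}
register_activation_hook( __FILE__, 'mt_register_role' );

function mt_user_is_marketing( $user_id = 0 ) {
    $user = $user_id ? get_userdata( $user_id ) : wp_get_current_user();
    return $user && in_array( 'marketing_team', (array) $user->roles, true );
}

// 2. Enforcement. "Restrict Admin" only means something if the capability check
// fails. map_meta_cap runs for every current_user_can( 'edit_post', $id ) and
// delete_post, including a hand-typed post.php?post=ID URL, so the rule holds
// even for posts the user cannot see in any list.
function mt_deny_outside_marketing( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) ) {
        return $caps;
    }
    if ( ! mt_user_is_marketing( $user_id ) ) {
        return $caps;
    }
    $post_id = isset( $args[0] ) ? (int) $args[0] : 0;
    // A brand-new post (auto-draft) has no category yet; let it through, step 3 fixes it on save.
    if ( $post_id && wp_get_post_categories( $post_id ) && ! has_term( 'marketing', 'category', $post_id ) ) {
        $caps[] = 'do_not_allow'; // any required-cap list containing do_not_allow fails
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'mt_deny_outside_marketing', 10, 4 );

// 3. Whatever the team ticks in the editor, the post ends up in Marketing only.
function mt_force_marketing_category( $post_id, $post ) {
    if ( 'post' !== $post->post_type || ! mt_user_is_marketing() ) {
        return; // also skips revisions and autosaves, whose post_type is not 'post'
    }
    $term = get_term_by( 'slug', 'marketing', 'category' );
    if ( $term ) {
        wp_set_post_categories( $post_id, array( (int) $term->term_id ) );
    }
}
add_action( 'save_post', 'mt_force_marketing_category', 10, 2 );

// 4. Visibility: the Posts list shows only Marketing, which is what the user in
// the screenshot sees. This part is cosmetic; step 2 is the control.
function mt_filter_post_list( $query ) {
    if ( is_admin() && $query->is_main_query() && 'post' === $query->get( 'post_type' ) && mt_user_is_marketing() ) {
        $query->set( 'category_name', 'marketing' );
    }
}
add_action( 'pre_get_posts', 'mt_filter_post_list' );
```

Test it the same way as the AAM configuration: log in as a Marketing Team user, then open the edit URL of a Sales post directly. Step 4 alone would leave that URL working; with step 2 in place WordPress answers with its "Sorry, you are not allowed to edit this item" page.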
Advanced Access Manager Summary
Advanced Access Manager is a powerful way to control who can do what on your WordPress site.
A note of caution: access control is an inherently difficult and time-consuming task. It will take you a while to learn how to use AAM. It took me several hours and several strong cups of coffee to understand how it works. Not everything is as intuitive as it could be. That was true of learning access control in Joomla and Drupal too.
However, give it time, practice and experiment with how it works. You'll be rewarded. Thanks to AAM, WordPress can have access control that is similar to Joomla and Drupal.