One of the ways you can make your site social is to give special access to certain visitors: pages that only they can see or documents only they can download. These visitors could be your clients or members of your local association, or they could be anyone who wants to sign up. Whatever the case, you grant them this special access by making them Users in WordPress.
A User is someone who can log in to your WordPress site, and every User has one of five possible Roles, which determines what they’re allowed to do when they’re logged in. The actions they’re allowed to take are referred to as Capabilities.
Now, it’s possible you’ll be the only User your site will ever have, but in most cases there are going to be at least some additional Users and this lesson is about how to manage them.
1. User Roles And Their Capabilities
As mentioned, five User Roles are built in to WordPress and, in order of decreasing capabilities, they are:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
In the case of Island Travel, with its two offices, I could have a single Administrator to take care of technical aspects of the site, and a single Editor who oversees all site content. Each travel agent could be an Author managing their own posts, with a few non-agency people who act as Contributors. Customers and potential customers could be Subscribers, who can view website content the public can’t see but have no control on the back end or administrative side of WordPress.
With these examples in mind, let’s go through each of the five User Roles in a bit more detail:
- Administrator—Has full access to every function in WordPress, including editing theme files, changing themes, and adding plugins, user details, and so on. You’ll want to limit how many Administrators you have, in part for security (if someone gets ahold of one of those passwords, your site is wide open) and in part to minimize the need for coordination.
- Editor—The Editor role allows the maximum amount of control over all the content of the website, without changing settings that control the site itself, such as themes or plugins. Editors can add, edit, or delete any content-related items in WordPress, including Categories, Posts, and Pages. They have full access to the Media Library and can add and delete users (though not edit user information). One limitation on Editors which is not so obvious is that they can’t access Widgets or Menus because they’re blocked from the entire Appearance section of the main Admin menu.
- Author—Authors within WordPress are meant to be like columnists in a newspaper or magazine. They have full control over their own Posts (not Pages)—adding, editing, publishing, and deleting—but no one else’s. This includes the ability to upload files to use in their content. Authors cannot, however, add or delete Posts or Categories. They also can’t use unfiltered HTML—code such as JavaScript or certain HTML tags or attributes pasted from a program such as Dreamweaver.
- Contributor—Contributors can create, edit, or delete their own Posts, but they cannot publish them, only save drafts or submit for review. They also cannot upload files, even to their own Posts. And after a Post is published by an Editor or Administrator, a Contributor cannot edit or delete that Post. Contributors appear on the Post Author drop-down menu and typically are included in lists of Authors that might be generated by themes or plugins.
- Subscriber—Think of a Subscriber as a registered visitor—someone who can see content or take actions on a site that unregistered visitors can’t. Basically, the only permission Subscribers have in the admin section is the ability to change their Profile (name, e-mail, interests, avatar, and so on).
For complete details on and an up-to-date list of each Role’s Capabilities, check out the WordPress site at http://codex.wordpress.org/Roles_and_Capabilities.
As stated earlier, these are the Roles built in to WordPress, but one of the powerful features of WordPress is the ability to not only add new Roles with their own unique sets of Capabilities, but to also change which Roles have which Capabilities. For example, you may want to give Editors the ability to create and edit Widgets, while still keeping them out of Themes. At the end of the lesson some plugins are mentioned that make use of these functions.
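The two adjustments described above, granting Editors the Widgets and Menus screens while keeping them out of Themes, and adding a Role with its own set of Capabilities, can both be done with WordPress’s own role API. The following is an added example written for this lesson, not code from WordPress or from any plugin; the file location (wp-content/mu-plugins/), the Island Travel prefix, the “reviewer” role name, and the version option used to run the change only once are all assumptions.

```php
<?php
/*
 * Added example (not part of the lesson): a must-use plugin that
 *  1) gives Editors the edit_theme_options capability, which unlocks
 *     Appearance > Widgets and Appearance > Menus without granting
 *     switch_themes or edit_themes, and
 *  2) registers a custom "Reviewer" role (name assumed) that can edit other
 *     people's unpublished Posts but has no publish_posts capability.
 * Save as wp-content/mu-plugins/island-travel-roles.php (path assumed).
 */

function island_travel_adjust_roles() {
    // Editors: add only the one capability that opens Widgets and Menus.
    // switch_themes and edit_themes are deliberately left untouched.
    $editor = get_role( 'editor' );
    if ( $editor && ! $editor->has_cap( 'edit_theme_options' ) ) {
        $editor->add_cap( 'edit_theme_options' );
    }

    // Reviewer: without edit_published_posts, edit_others_posts only reaches
    // drafts and pending Posts written by others; published ones stay locked.
    if ( ! get_role( 'reviewer' ) ) {
        add_role( 'reviewer', 'Reviewer', array(
            'read'              => true,
            'edit_posts'        => true,
            'edit_others_posts' => true,
            'publish_posts'     => false,
            'upload_files'      => false,
        ) );
    }
}

// Roles and capabilities are stored in the database, so apply the change once
// and record a version number (option name assumed) instead of re-running it
// on every request. Bump the version when you change the role definitions.
add_action( 'init', function () {
    if ( get_option( 'island_travel_roles_version' ) !== '1' ) {
        island_travel_adjust_roles();
        update_option( 'island_travel_roles_version', '1' );
    }
} );
```

To undo the Editor change later, call `get_role( 'editor' )->remove_cap( 'edit_theme_options' )`; to drop the custom role, call `remove_role( 'reviewer' )`. Because these changes persist in the options table, removing the plugin file alone does not revert them.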
2. Adding A User
You can add a User to a WordPress site in two ways:
- A visitor filling out a registration form
- An Administrator adding a User through an admin screen
The registration form will mostly be used to sign up large numbers of visitors as Subscribers, while adding a user yourself through the Admin screen is usually limited to adding a few higher Roles, such as Editors and Authors.
2.1. User Registration Forms
By default, the registration form is disabled. You can activate it on the Settings ➪ General screen by checking the Membership box, as shown in Figure 26-1.
FIGURE 26-1
However, the best advice is to leave the automatic sign-up disabled. If you deal with a lot of membership sign-ups, you’ll probably want to use a plugin anyway, and these plugins handle the sign-up process in a different manner. The word membership for that setting is a bit confusing because what you’re setting is the ability for people to register themselves as new users on the system. There is no User role called member and you may or may not think of the users who sign up as members. The wording on the drop-down menu just below is clearer: New User Default Role. In other words, you’re setting the Role that users will be assigned if they can register themselves, but it’s also the default Role in the drop-down menu when manually creating new users. By default, that role is Subscriber.
2.2. The Add User Function
To manually add a new User to the system, click Users ➪ Add New on the main Admin menu and you’ll be greeted with the Add New User screen, as shown in Figure 26-2.
FIGURE 26-2
Only three items are required to create a new User:
- Username
- E-mail address
- Password
Users can fill in the other details as they choose after they log in for the first time.
Always double-check which Role you’re assigning to the User. (The default is Subscriber.) If you’d like the login details sent to the User by e-mail, be sure to check the Send Password box. After users have their login information, they can change or fill in any of the fields on the Profile screen you saw in Lesson 5, “Basic Admin Settings” (except the username).
3. Changing A User’s Abilities
Need to promote a Contributor to Author status? Tired of another Administrator always switching themes and you want to bump them down to Subscriber?
An Administrator can change any User’s Role from the Users screen, as shown in Figure 26-3 A.
FIGURE 26-3
Check the box next to their name, choose a new role from the Change Role To drop-down menu, and click Change. If several Users need to be changed to the same Role, you can do them all at once by checking the box next to each, and then using the drop-down.
If you have additional information to change, you can do it all from the User’s Profile screen, as shown in Figure 26-3 B. Just below the username is the drop-down menu for their Role. Select the new Role and click Update Profile.
If you have a lot of users on the site, you can change the number of users displayed using the Screen Options menu at the top right. In addition, you can filter one particular Role at a time using the links at the top left of the Users screen.
4. Users And Security
Following are three key points concerning users and security:
- Choose the lowest possible Role—Don’t make someone an Editor when they just need to be an Author. The higher the Role, the more power you’re entrusting to the User. And if you turn on the self-registration feature, don’t allow users to sign up as anything more than Subscriber.
- Emphasize the importance of tough passwords—You may give new users a diabolical password, but they can go in and change that later. Impress on them the need to not use natural language words, and to use uppercase and lowercase, numbers, and so on. WordPress has this reminder and a strength indicator that gives users an extra nudge; even better are plugins that force the use of strong passwords. A couple are mentioned at the end of the lesson.
- Monitor your users—The unexpected appearance of a User you’ve never heard of with a Role such as Administrator or Editor could be the sign of a hacker. You can quickly check for possible intruders by filtering the list of Users by Administrator or any other Role.
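Filtering the Users screen by Role is a manual check; the same check can be automated so that you are told about a new Administrator or Editor instead of having to look for one. The following is an added example written for this lesson, not code from WordPress or from any plugin. It hooks the `set_user_role` action, which WordPress fires whenever a user’s Role is set (on creation, from the Users screen, from the Profile screen, or from code), and also runs a daily comparison of the live Administrator list against an allowlist, because a Role written straight into the database bypasses that action. The file location, the Island Travel prefix, the allowlist option name, and the cron hook name are assumptions.

```php
<?php
/*
 * Added example (not part of the lesson): e-mail the site's admin address
 * when a user is given a privileged Role, and audit the Administrator list
 * daily against an allowlist of expected logins.
 * Save as wp-content/mu-plugins/island-travel-role-watch.php (path assumed).
 */

const ISLAND_TRAVEL_WATCHED_ROLES = array( 'administrator', 'editor' );

// set_user_role passes the user ID, the new Role, and the Roles held before.
function island_travel_watch_role_change( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, ISLAND_TRAVEL_WATCHED_ROLES, true ) ) {
        return;
    }
    if ( in_array( $role, (array) $old_roles, true ) ) {
        return; // Profile re-saved with the same Role: no privilege change.
    }

    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user();
    $who   = ( $actor && $actor->exists() )
        ? $actor->user_login
        : '(no logged-in user: WP-CLI, cron, or code)';

    $message = sprintf(
        "User %s (ID %d, %s) was given the %s Role.\nPrevious Roles: %s\nChanged by: %s\nFrom IP: %s\nTime: %s\n",
        $user ? $user->user_login : '?',
        $user_id,
        $user ? $user->user_email : '?',
        $role,
        $old_roles ? implode( ', ', (array) $old_roles ) : '(none)',
        $who,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a',
        current_time( 'mysql' )
    );

    wp_mail(
        get_option( 'admin_email' ),
        '[' . get_bloginfo( 'name' ) . '] Privileged Role assigned',
        $message
    );
    // Also leave a line in the PHP error log so the event survives a lost e-mail.
    error_log( 'role-watch: ' . str_replace( "\n", ' | ', trim( $message ) ) );
}
add_action( 'set_user_role', 'island_travel_watch_role_change', 10, 3 );

// Daily audit: compare current Administrators with the allowlist stored in
// the island_travel_expected_admins option (name assumed; an array of logins
// you maintain yourself). Anyone not on it is reported.
function island_travel_audit_admins() {
    $expected = (array) get_option( 'island_travel_expected_admins', array() );
    $current  = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
        $current[] = $admin->user_login;
    }
    $unexpected = array_diff( $current, $expected );
    if ( $unexpected ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[' . get_bloginfo( 'name' ) . '] Unexpected Administrator accounts',
            "Administrators not on the allowlist: " . implode( ', ', $unexpected ) . "\n"
        );
    }
}
add_action( 'island_travel_audit_admins', 'island_travel_audit_admins' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'island_travel_audit_admins' ) ) {
        wp_schedule_event( time(), 'daily', 'island_travel_audit_admins' );
    }
} );
```

Populate the allowlist once, for example with `update_option( 'island_travel_expected_admins', array( 'your_login' ) );`, and keep it current when Administrators legitimately change. WP-Cron only runs when the site receives traffic, so on a quiet site the daily audit may lag until the next visit.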