Lesson 45: Managing Multisite Users in WordPress

One of the ways you can make your site social is to give special access to certain visitors: pages that only they can see or documents only they can download. These visitors could be your clients or members of your local association, or they could be anyone who wants to sign up. Whatever  the case, you grant them this special access by making them Users in WordPress.

A User is someone who can log in to your WordPress  site, and every User has one of five pos- sible Roles, which determines  what they’re allowed to do when they’re logged in. What actions they’re allowed to take are referred to as Capabilities.

Now,  it’s possible you’ll be the only User your site will ever have, but in most cases there are going to be at least some additional Users and this lesson is about  how to manage them.

1. User Roles And Their Capabilities

As mentioned, five User Roles are built in to WordPress  and, in order of decreasing capabili- ties, they are

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

In the case of Island Travel, with its two offices, I could have a single Administrator to take care of technical aspects of the site, and a single Editor who oversees all site content.  Each travel agent could be an Author  managing  their own posts, with a few non-agency  people who act as Contributors. Customers and potential customers  could be Subscribers,  who can view website content  the public can’t see but have no control  on the back end or administrative side of WordPress.

With these examples in mind, let’s go through each of the five User Roles in a bit more detail:

  • Administrator—Has full access to every function in WordPress,  including editing theme files, changing themes, and adding plugins, user details, and so on. You’ll want to limit how many Administrators you have, in part for security (if someone gets ahold of one of those pass- words,  your site is wide open) and in part to minimize the need for coordination.
  • Editor—The Editor role allows the maximum amount of control over all the content  of the website, without changing settings that control  the site itself, such as themes or plugins. Editors can add, edit, or delete any content-related items in WordPress,  including Categories, Posts, and Pages. They have full access to the Media Library and can add and delete users (though  not edit user information). One limitation on Editors which is not so obvious is that they can’t access Widgets or Menus because they’re blocked from the entire Appearance sec- tion of the main Admin menu.
  • Author—Authors within WordPress  are meant to be like columnists  in a newspaper  or magazine.  They have full control  over their own Posts (not Pages)—adding,  editing, publish- ing, and deleting—but no one else’s. This includes the ability to upload  files to use in their content.  Authors  cannot,  however, add or delete Posts or Categories.  They also can’t use unfiltered HTML—code such as JavaScript or certain HTML  tags or attributes pasted from a program such as Dreamweaver.
  • Contributor—Contributors can create, edit, or delete their own Posts, but they can- not publish them, only save drafts  or submit  for review. They also cannot  upload  files, even to their own Posts. And after a Post is published  by an Editor  or Administrator, a Contributor cannot  edit or delete that  Contributors appear  on the Post Author drop-down menu and typically are included  in lists of Authors  that  might be generated  by themes or plugins.
  • Subscriber—Think of a Subscriber as a registered visitor—someone who can see content or take actions on a site that unregistered  visitors can’t. Basically, the only permission  subscrib- ers have in the admin section is the ability to change their Profile (name, e-mail, interests, avatar,  and so on).

For complete details on and an up-to-date list of each Role’s Capabilities, check out the WordPress site at http://codex.wordpress.org/Roles_and_Capabilities.

As stated earlier, these are the Roles built in to WordPress,  but one of the powerful  features of WordPress  is the ability to not only add new Roles with their own unique sets of Capabilities, but to also change which Roles have which Capabilities. For example, you may want to give Editors the ability to create and edit Widgets, while still keeping them out of Themes. At the end of the lesson some plugins are mentioned that make use of these functions.

2. Adding A User

You can add a User to a WordPress  site in two ways:

  • A visitor filling out a registration form
  • An Administrator adding a User through an admin screen

The registration form will mostly be used to sign up large numbers  of visitors as Subscribers,  while adding a user yourself through the Admin screen is usually limited to adding a few higher Roles, such as Editors and Authors.

2.1. User Registration Forms

By default,  the registration form is disabled.  You can activate it on the Settings ➪ General screen by checking the Membership box, as shown in Figure 26-1.


However,  the best advice is to leave the automatic sign-up disabled.  If you deal with a lot of mem- bership sign-ups, you’ll probably want to use a plugin anyway,  and these plugins handle the sign-up process in a different manner.  The word membership for that setting is a bit confusing because what you’re setting is the ability for people to register themselves as new users on the system. There is no User role called member and you may or may not think of the users who sign up as members. The wording  on the drop-down menu just below is clearer: New User Default Role. In other words, you’re setting the Role that users will be assigned if they can register themselves, but it’s also the default Role in the drop-down menu when manually  creating new users. By default,  that role is Subscriber.

2.2. The Add User Function

To manually  add a new User to the system, click Users ➪ Add New on the main Admin menu and you’ll be greeted with the Add New User screen, as shown in Figure 26-2.


Only three items are required  to create a new User:

  • Username
  • E-mail address
  • Password

Users can fill in the other details as they choose after they log in for the first time.

Always double-check which role you’re assigning to the User. (The default is Subscriber.)  If you’d like the log in details sent to the User by e-mail, be sure to check the Send Password  box. After users have their login information, they can change or fill in any of the fields on the Profile screen you saw in Lesson 5, “Basic Admin Settings” (except the username).

3. Changing A User’s Abilities

Need to promote a Contributor to Author  status? Tired of another Administrator always switching themes and you want to bump them down to Subscriber?

An Administrator can change any User’s Role from the Users screen, as shown in Figure 26-3 A.


Check the box next to their name, choose a new role from the Change Role To drop-down menu, and click Change.  If several Users need to be changed to the same Role, you can do them all at once by checking the box next to each, and then using the drop-down.

If you have additional information to change, you can do it all from the User’s Profile screen, as shown in Figure 26-3 B. Just below the username  is the drop-down menu for their Role. Select the new Role and click Update Profile.

If you have a lot of users on the site, you can change the number  of users displayed using the Screen Options menu at the top right. In addition, you can filter one particular Role at a time using the links at the top left of the Users screen.

4. Users And Security

Following are three key points concerning  users and security:

  • Choose the lowest possible Role—Don’t make someone an Editor when they just need to be an Author. The higher the Role, the more power you’re entrusting to the User. And if you turn on the self-registration feature,  don’t allow users to sign up as anything  more than Subscriber.
  • Emphasize the importance of tough passwords—You may give new users a diabolical pass- word,  but they can go in and change that later. Impress on them the need to not use natural language words,  and to use uppercase  and lowercase, numbers,  and so on. WordPress  has this reminder  and a strength  indicator that gives users an extra nudge; even better are plugins that force the use of strong passwords. A couple are mentioned  at the end of the lesson.
  • Monitor your users—The unexpected appearance of a User you’ve never heard of with a Role such as Administrator or Editor could be the sign of a hacker. You can quickly check for possible intruders by filtering the list of Users by Administrator or any other Role.

Leave a Reply

Your email address will not be published. Required fields are marked *