WordPress comes with the ability to create different users for your website. Each of these users can have different roles and different capabilities to perform tasks on your website. You can have users which are allowed full control over everything on your site, install plugins, install theme, edit posts, upload media, everything. At the other end you can have users that are only allowed to view the posts on your website. WordPress starts with 6 default roles:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
- Super Administrator
Each of these roles have different security access in Wordpress, some can just read posts, some can write posts but not publish them and others have full access to the Wordpress site. ### Subscriber
This is the lowest level of Wordpress users and can only view their own profile and only read posts on the Wordpress site.
Capabilities
- read
Contributor
A contributor is a user that can write their own posts but they are not able to publish them on the site. This is the ideal role to have for guest posters, it allows them full control to write the post but can't be published without the editor approval.
Capabilities
- delete_posts
- edit_posts
- read
Author
The author is the next level up from the contributor, they are able to have full control over their own posts but they have access to publish the post to the site.
Capabilities
- delete_posts
- delete_published_posts
- edit_posts
- edit_published_posts
- publish_posts
- read
- upload_files
Editor
The editor role is someone who can write their own posts and manage each of their own posts but they can also manage all the other posts on the site by any author.
Capabilities
- delete_others_pages
- delete_others_posts
- delete_pages
- delete_posts
- delete_private_pages
- delete_private_posts
- delete_published_pages
- delete_published_posts
- edit_others_pages
- edit_others_posts
- edit_pages
- edit_posts
- edit_private_pages
- edit_private_posts
- edit_published_pages
- edit_published_posts
- manage_categories
- manage_links
- moderate_comments
- publish_pages
- publish_posts
- read
- read_private_pages
- read_private_posts
- unfiltered_html
- upload_files
Administrator
This is the main role for the site and can have full control over the site, change theme, plugins, write posts, read posts, delete posts they can do what ever they want.
Capabilities
- activate_plugins
- create_users
- delete_others_pages
- delete_others_posts
- delete_pages
- delete_plugins
- delete_posts
- delete_private_pages
- delete_private_posts
- delete_published_pages
- delete_published_posts
- delete_users
- edit_dashboard
- edit_files
- edit_others_pages
- edit_others_posts
- edit_pages
- edit_posts
- edit_private_pages
- edit_private_posts
- edit_published_pages
- edit_published_posts
- edit_theme_options
- export
- import
- list_users
- manage_categories
- manage_links
- manage_options
- moderate_comments
- promote_users
- publish_pages
- publish_posts
- read_private_pages
- read_private_posts
- read
- remove_users
- switch_themes
- unfiltered_upload
- upload_files
Super Admin User
The super admin user is for multi-site Wordpress installs, this user has all the capabilities as the admin user but can also create new sites, network themes, network plugins and network users. - manage_network
- manage_sites
- manage_network_users
- manage_network_themes
- manage_network_options
Even with all these different access in the admin area all the users will login to the same location and will see the same dashboard screen when they login. But because they have different access then you might want them to go to different locations in the admin area. The following code will allow you to redirect users to different locations depending on what level access they have. To change the redirect location you need to use the WordPress filter of login_redirect.
function redirect_home( $redirect_to, $request, $user )
{
return home_url();
}
add_filter( 'login_redirect', 'redirect_home' );
The return of this function will be the URL that we redirect to after the user has logged in. The above example will redirect everything back to the home URL.
Only Allow Admins Into The Admin Area
If you want to redirect all users to the home page except for the users which have administrator rights then you can use the following code.
function only_admins_login_area( $redirect_to, $request, $user ) {
global $user;
if ( isset( $user->roles ) && is_array( $user->roles ) )
{
//check for admins
if ( in_array( 'administrator', $user->roles ) )
{
// Redirect to default admin area
return $redirect_to;
}
}
return home_url();
}
add_filter( 'login_redirect', 'only_admins_login_area', 10, 3 );
Access wp-admin
The problem that you will find with the above code is that it will only stop users accessing the admin area when they log in because of the login_redirect filter. If the user would then navigate to www.example.com/wp-admin/ they will be able to access the admin area, this means that you will have to do further checks on the admin area to make sure that users with certain roles can not access the admin area.
function redirect_user_on_role()
{
global $current_user;
get_currentuserinfo();
//If login user role is Subscriber
if ($current_user->user_level == 0)
{
wp_redirect( home_url() ); exit;
}
//If login user role is Contributor
if ($current_user->user_level > 1)
{
wp_redirect( home_url() ); exit;
}
//If login user role is Editor
if ($current_user->user_level > 8)
{
wp_redirect( home_url() ); exit;
}
}
add_action('admin_init', 'redirect_user_on_role');