With the availability of drag-and-drop editors, customisable content workflows and plugins and themes that can play to any content whim, WordPress is undoubtedly the most preferred CMS to publish content .
Your content is your showcase. That content tells the world about you, your business, or your organization. That content is important!
So if you’re using WordPress, you will need to grant access to your wp-admin to different users to improve and contribute to your site. But you need to exercise caution when it comes to assigning access. You should give Admin access only to those who you fully trust with your website content and data.
In this article, I’m going to show you how you can control who edits your WordPress posts. We will understand the default WordPress user permissions and how you can customize those permissions for specific roles and users. We’ll also see how you get really specific and choose the editing permissions for individual posts.
The Default Editing Setup in WordPress
Let’s get started by examining a new WordPress site. For many people, the default WordPress permissions are enough to control access to their content. A new WordPress site arrives with five user roles.
Each role has more permissions than the previous role.
- The Subscriber role is the lowest in this hierarchy and has very few permissions. The Subscriber role is really designed for people who want to log in to your site, add comments, and do little else.
- A Contributor, can edit and delete only their own unpublished posts.
- An Author can edit their own posts, even after they have been published.
- An Editor has access to edit anyone’s posts.
- Finally, Administrators can go anywhere and change anything on your site.
To help you visualize the roles, here is a chart showing the differences between the roles. You can see the roles across the top of the chart and the permissions on the left side of the chart.
So let’s talk specifically about editing permissions. What permissions do these users have for editing posts?
- Subscribers can login to the WordPress admin area and write comments.
- Contributors can write posts but they can’t publish them.
- Authors can write, publish and edit their own posts.
- Editors and Administrator can write, publish and edit any posts.
So, by default, Subscribers and Contributors have zero editing permissions. You can only edit content if you are in the Author, Editor or Administrator roles. And even then, the Authors are locked down to editing only those posts that they have written. If you don’t have editing permissions for a post, you can often still see posts in the WordPress admin. However, you will only see a “View” link, as in the image below:
In comparison, if you do have full editing access, you will have “Edit”, “Quick Edit”, “Trash” and “View” links as shown in the image below.
So what does this mean for editing? If you want to allow users to edit posts, you need to place them in the Author, Editor or Administrator roles. Anyone who is not in these roles will not have editing access for any posts. If these choices don’t work for your site, it’s also possible to customize WordPress editing permissions. Let’s see how that’s done.
How to Change the Default Editing Permissions?
In this part of the tutorial, we’ll see how to give users more permissions than they have with a normal WordPress site.
The Capability Manager Enhanced plugin is an excellent way to view and change the permissions for each user role. This is a popular plugin with over 80,000 active installs.
After installing Capability Manager Enhanced, go to Users > Capabilities in your WordPress admin menu.
This next image shows the permissions available to Subscribers. There are permission rows for editing Posts, Pages, Media, Categories, and Tags. Remember that the Subscriber role is the very lowest in WordPress. As you can see, by default, Subscribers are not allowed to do anything with content at all!
If you do want to give Subscribers a boost in permissions, consider giving them the Edit Posts permission. This allows them to write and edit Posts although they won’t be able to publish them. Inside Capability Manager Enhanced, you can check boxes to give Subscribers extra permissions. To give Subscribers the ability to edit posts, check the boxes in the “Edit” column. These changes will impact every user in the “Subscriber” role.
In the next part of the tutorial, we’ll show you how to change editing access for specific users, rather than entire roles.
Allow Specific Users to Edit a Post With Authors
If you need to customize editing access on a per-post basis, there are multiple options available.
Option #1 is to take lower-level users and make them the Authors of a post. Don’t get confused by the “Author” role we saw earlier – this is a different WordPress feature.
Inside each post, you can choose an Author. This is the person who will be shown as the creator of the post. It also gives the user special editing access to this post. Even if their role doesn’t normally give them editing access, they will get it for this post if they are the author:
If you want to give more access to more than one author, you can use the Multiple Authors plugin. WordPress only allows you to add one author post, but this plugin provides a workaround.
When you have Multiple Authors installed, the simple “Author” dropdown will turn into a multi-select field. This allows you to choose as many authors as you wish. All of these users will get editing access to this post:
It is worth noting that, no matter how many authors you have, only one person can be editing a post at any time. There are attempts to bring Google Docs-style collaborative editing to WordPress, but we may not see that feature for several years.
If you try to edit a post at the same time as another user, you’ll see the message, “This post is already being edited.” You can either leave the post, or ask the other person to stop editing.
However, there are some downsides to using the Author approach. In particular, you may be adding users who really are not the genuine Authors of the post.
If you want a less hacky solution, I recommend the PressPermit Pro plugin which truly gives you the ability to control editing access on a per-post basis.
Allow Specific Users to Edit a Post With PressPermit Pro
Let’s take a closer look at the PressPermit Pro plugin. This is probably the most flexible permissions plugin in WordPress and it allows us to specify who can edit posts.
1) Once you have installed PressPermit Pro, head over to the main “Posts” screen. Select your post that needs custom permissions.
2) After that, go to the bottom of the screen – here you can see the “Editing Exceptions” box. This image below shows the “Editing Exceptions” box. Using this box, you can give editing permissions to everyone in a user role. Or you can do the opposite and deny editing access to a particular user role.
3) For this tutorial, let’s imagine you want to prevent editing on this post. I recommend changing the “Editor” access to “Blocked”, as in the image below. Now, only users in the Administrator role will be able to edit this post.
However, you don’t need to rely on roles. Thanks to PressPermit Pro, you can also drill down to give or remove editing access for individual users. Here’s how it works:
- Click the “Users” tab.
- Search for the users who you will be able to edit this post.
- After that, choose the users on the left side.
- Click the “Select” button.
- In this example, I’ve given editing permissions to “goldner.tomasa” and “rherzog”.They are marked as “Enabled” on the right side of the screen.
- If I want to give access to “abdiel26”, I can select their username and click “Select”.
So that’s probably the best way you can use to allow a small group of users to edit a single post together. Using PressPermit Pro avoids using the Authors feature and allows you to focus only on editing permissions.
PressPermit Pro works with any post type. PressPermit Pro also offers more advanced and flexible ways of grouping users together and giving (or denying) editing access.
In this article we learnt about the different user roles and how you can customise them using certain plugins. We saw that you can also customise the setup to give per-post editing access using the Authors feature on WordPress or using PressPermit Pro. However, one thing remains constant – you will always have to give other people access to your site. This access if not moderated can be misused. Your WordPress Login URL can be changed, your content can be modified or duplicated etc.
And that’s where the need for firewall protection comes. A protective firewall not only monitors your traffic requests but can also give your wp-admin login protection. For example, the MalCare plugin uses Captcha-based protection that limits the number of login attempts and prevents bots and hackers from accessing your site. It also makes a note of all instances of unauthorised access to your wp-admin.
When it comes to your content, there is no doubt that you need to protect it. By carefully assigning user roles, you can maintain the quality of content and protect it from misuse. Afterall, the content of your site is what your visitors see. You wouldn’t want to give anyone access to mess with that!