If you are the only person who manages your site, then you’ve probably never had to think about it. You are an admin and you have access to everything, so what a signed in user has access to has never been something you’ve had to consider. The problem appears when you want to give the ability to manage a website to someone else, but you don’t want to give them any more access than what they need. For example, the content writer should not have access to your customers’ data or sales analytics, right? They don’t need it to do their job.
When it’s not about data, it’s about page security. For an inexperienced user, the number of options in the WordPress dashboard can be overwhelming. Inexperienced users could mess up your design, or even break the entire site (believe me, it happens more than you might think). Anticipate, protect!
The good news is that WordPress and Divi come pre-packed with a number of ways to change what is visible, and to whom, depending on the role that person plays in the running of your website. In this post, we’re going to dig into this topic and show you how you can use these features to minimise your chances of losing control.
WordPress User Roles: What They Are and How to Use Them?
WordPress has 6 pre-made roles. They are:
Super Admin – has access to all functions, including network features
Administrator – has access to all functions in a single site
Editor – can publish and manage the posts of other users
Author – can publish and manage their own posts
Contributor – can write and manage their own posts
Subscriber – can only manage their profile
How Can I Manage Capabilities?
1. Divi Role Editor
The Divi Role Editor is a feature built into the Divi theme. It’s an easy-to-use solution where you can enable and disable permission settings for each of WordPress’s built-in user roles, giving you full control over what the client can see and use inside the Divi Builder.
While the Divi Role Editor is a perfectly capable tool for the most part, we’ve struggled over the past few weeks with one issue. Despite the fact that the editors have permission to use the Divi theme options, they did not have access to them.
Have you noticed this issue? Well, one solution, and another great way to fine-tune role permissions, is to install a role editing plugin.
2. User Role Editor Plugin – Easy to Manage
The User Role Editor WordPress plugin allows you to change user roles and capabilities in a few clicks. You can add new capabilities and remove unnecessary capabilities which could be left from uninstalled plugins. To read more about ‘User Role Editor’ visit the plugin page.
So far we’ve discussed two options to get granular with what users can and can’t do, so let’s look at one more, and our favorite for overcoming this particular issue. Code.
3. Make Changes to the Functions.php File – Recommended
It sounds complicated, but editing the user roles and capabilities using a function is surprisingly simple.
You need to add a snippet to the functions.php file. Each theme comes with its own functions.php file. If you’re going to make extensive modifications to yours, the best course of action is to set up a child theme so your changes don’t disappear during updates. You’ll also want to back up your site before making any changes, just in case things go wrong and you need to roll back your changes.
Moving on, you’ll need to access your functions.php file.
Use an FTP client such as FileZilla to navigate to the wp-content/themes/ directory. Inside your activated child theme folder, you’ll find a functions.php file.
You can also do this in the WordPress Dashboard -> Appearance -> Theme Editor.
Choose the functions.php file.
Add this snippet at the end of the file, before the closing ?> tag:
function add_theme_caps() {
    // Fetch the built-in Editor role object.
    $role = get_role( 'editor' );
    // Grant the capabilities; WordPress saves them in the database.
    $role->add_cap( 'import' );
    $role->add_cap( 'export' );
    $role->add_cap( 'switch_themes' );
    $role->add_cap( 'edit_theme_options' );
    $role->add_cap( 'manage_options' );
}
add_action( 'admin_init', 'add_theme_caps' );
And save changes.
How It Works?
Each role is allowed to perform a set of tasks called Capabilities. There are many capabilities, for example “create_sites”, “edit_dashboard”, and “edit_users”.
This snippet will add the capabilities associated with managing Divi’s theme options to WordPress’s Editor role. That means Editors will have access to the Divi Theme Options and Divi Library as was the goal in this case.
If you want to remove capabilities, removing the PHP snippet won’t work, because user capabilities are saved in the MySQL database. You need to remove them with the function “remove_cap” to achieve this.
You can learn more about roles and the capabilities they come with from the WordPress Codex: https://codex.wordpress.org/Roles_and_Capabilities
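function remove_theme_caps() {
    // Fetch the built-in Editor role object.
    $role = get_role( 'editor' );
    // Revoke each capability that was granted earlier; the change is saved in the database.
    $role->remove_cap( 'import' );
    $role->remove_cap( 'export' );
    $role->remove_cap( 'switch_themes' );
    $role->remove_cap( 'edit_theme_options' );
    $role->remove_cap( 'manage_options' );
}
// The function must be hooked with add_action() to run; remove_action() would only unhook it.
add_action( 'admin_init', 'remove_theme_caps' );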
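Because capabilities persist in the database, granting and revoking can be handled by one versioned sync routine instead of two snippets that are swapped by hand. The following is an added example, not code from the original post: the mytheme_ names, the option key and the choice of which capabilities to keep are assumptions, and it is meant for a child theme’s functions.php.

```php
// Capabilities this routine manages on the Editor role (the five used above).
const MYTHEME_MANAGED_CAPS = array(
    'import', 'export', 'switch_themes', 'edit_theme_options', 'manage_options',
);

// Subset editors should hold right now (an assumption for this example).
// manage_options also gates the core Settings screens, so it is left out
// here; add it back only if editors really need it.
const MYTHEME_WANTED_CAPS = array( 'import', 'export', 'edit_theme_options' );

// Bump this whenever MYTHEME_WANTED_CAPS changes so the sync runs again.
const MYTHEME_CAPS_VERSION = '2';

function mytheme_sync_editor_caps() {
    // Role data is persisted, so only touch it when the declared version
    // differs from the one recorded after the last successful sync.
    if ( get_option( 'mytheme_editor_caps_version' ) === MYTHEME_CAPS_VERSION ) {
        return;
    }
    $role = get_role( 'editor' );
    if ( null === $role ) {
        return; // Role was deleted; nothing to sync.
    }
    foreach ( MYTHEME_MANAGED_CAPS as $cap ) {
        $wanted = in_array( $cap, MYTHEME_WANTED_CAPS, true );
        if ( $wanted && ! $role->has_cap( $cap ) ) {
            $role->add_cap( $cap );      // grant what is declared but missing
        } elseif ( ! $wanted && $role->has_cap( $cap ) ) {
            $role->remove_cap( $cap );   // revoke what is no longer declared
        }
    }
    update_option( 'mytheme_editor_caps_version', MYTHEME_CAPS_VERSION );
}
add_action( 'admin_init', 'mytheme_sync_editor_caps' );

// Audit helper: returns the slug of every role that currently holds $cap.
function mytheme_roles_with_cap( $cap ) {
    $holders = array();
    foreach ( wp_roles()->roles as $slug => $details ) {
        if ( ! empty( $details['capabilities'][ $cap ] ) ) {
            $holders[] = $slug;
        }
    }
    return $holders;
}
```

After a sync, mytheme_roles_with_cap( 'manage_options' ) should list only the roles you expect to reach the Settings screens.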
Do you have any questions about user roles or capabilities? If so, ask away in the comments section below!
Hi
I thought this is biased towards Divi?
I have different events, job submission page, classified page, freelancer, courses. These are the problems I face,
1) when registered for one event, can login to other events too for free!
2) registered to job submission, but can submit in classified too!
How do I overcome them?
Hi Stephen,
Do you know if the “User Role Editor” plugin allows for the Divi Customization in the right column please?
It does not show up for me when I view it with the newly created user and I cannot see where to control that in the plugin.
Thank you!
Hi there,
The code snippet to remove the capabilities doesn’t work and I’m stuck with all options exposed to the editor role. Please Help!
Hi Flavio, if the code snippet doesn’t work, try to contact Elegant Themes support.
Hi Stephen :).
Thanks for sharing resource :). For my part I prefer to create a new role that I name “Webmaster” and give him all the necessary capabilities that to touch the natives of WordPress ;).
So for that, I add a temporary function in the functions.php of my child theme:
function create_webmaster() {
    if (get_role('webmaster')==null) {
        add_role(
            'webmaster',
            'Webmaster',
            array(
                'delete_others_pages' => true,
                'delete_others_posts' => true,
                'delete_pages' => true,
                'delete_posts' => true,
                'delete_private_pages' => true,
                'delete_private_posts' => true,
                'delete_published_posts' => true,
                'delete_published_pages' => true,
                'edit_others_pages' => true,
                'edit_others_posts' => true,
                'edit_pages' => true,
                'edit_posts' => true,
                'edit_private_pages' => true,
                'edit_private_posts' => true,
                'edit_published_pages' => true,
                'edit_published_posts' => true,
                'edit_theme_options' => true,
                'export' => true,
                'manage_categories' => true,
                'moderate_comments' => true,
                'publish_pages' => true,
                'publish_posts' => true,
                'read' => true,
                'read_private_pages' => true,
                'read_private_posts' => true,
                'unfiltered_html' => true,
                'upload_files' => true,
                'level_7' => true,
            )
        );
    }
}
add_action( 'admin_init', 'create_webmaster' );
And BTW, I have a happy customer and a relaxed back-office management ;)…
All the best,
Pierre.
Will the functions.php remove capabilities solution also work for unwanted pages, like the ‘Projects’ page which nobody seems to use, but which can’t be removed by default?