2013-04-20

Best Role/Capability plugin for WordPress: 7 current plugins reviewed

WordPress's 6 native roles provide only a basic structure for user control, not much of an access-management scheme for more complex projects. You can add custom roles through the API documented in the WP Codex, but this is inefficient and difficult for non-developers.

The one thing many wish WordPress included natively, however, is content-based access: restricting particular users from certain content (by category, for example). This is not currently possible with the CMS's default structure.
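As an added illustration (not code from this post or from any of the plugins reviewed below), this is what category-scoped back-end access looks like when built directly on the roles and capabilities API: a cloned Editor role whose edit, delete and publish rights are denied on posts outside a set of categories, checked recursively through sub-categories. The role slug, the display name and the category IDs are assumptions.

```php
<?php
/*
Plugin Name: Category-Scoped Editor (added example, not a reviewed plugin)
*/
// Assumed role slug and parent category IDs; replace with your own.
const CSE_ROLE         = 'category_editor';
const CSE_ALLOWED_CATS = array( 12 );

// Clone the Editor role once on activation (roles persist in wp_options).
register_activation_hook( __FILE__, function () {
    $editor = get_role( 'editor' );
    if ( $editor && ! get_role( CSE_ROLE ) ) {
        add_role( CSE_ROLE, 'Category Editor', $editor->capabilities );
    }
} );
// Remove the role again on deactivation so nothing is left behind.
register_deactivation_hook( __FILE__, function () {
    remove_role( CSE_ROLE );
} );

// Allowed categories expanded recursively: the parents plus every descendant.
function cse_allowed_category_ids() {
    $ids = CSE_ALLOWED_CATS;
    foreach ( CSE_ALLOWED_CATS as $parent ) {
        $children = get_term_children( $parent, 'category' );
        if ( ! is_wp_error( $children ) ) {
            $ids = array_merge( $ids, $children );
        }
    }
    return array_map( 'intval', $ids );
}

// Deny per-post meta capabilities for this role on posts outside those categories.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post', 'publish_post' ), true ) ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( CSE_ROLE, (array) $user->roles, true ) ) {
        return $caps; // every other role is left exactly as WordPress maps it
    }
    $post_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( ! $post_id || get_post_type( $post_id ) !== 'post' ) {
        return $caps;
    }
    if ( ! array_intersect( wp_get_post_categories( $post_id ), cse_allowed_category_ids() ) ) {
        return array( 'do_not_allow' ); // the primitive caps are replaced by a hard deny
    }
    return $caps;
}, 10, 4 );
```

Without the deactivation hook the cloned role would stay in the database after uninstall, which is the same persistence noted for Members and s2Member below. Only per-post meta capabilities are filtered, so the role can still start a brand-new draft (no post ID yet) until it is assigned a category.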

Plug-ins!

Listed from most basic to most advanced/most useful

(so scroll all the way down for the editor's choice)

URE

User Role Editor is a good plugin just to manage roles and capabilities. It doesn't feature any sort of content-based permissions, but I'm linking it here because a plugin like this one may be used in combination with another one to achieve our purpose of the day...

UAM

User Access Manager (not linked because it didn't work as advertised) claims to allow content-based access by category. Interestingly, instead of changing the WP roles, it lets you create role groups. Then you can go into different places such as posts, pages, and even categories and restrict them one by one to certain groups. The problem is that I just tried it and it does not work recursively: I assigned a group to a parent category, but users in roles outside of the group can still access posts in child categories... Not sure if it just doesn't affect posts when selecting categories or if the restriction doesn't propagate to child categories; either way it's no good in its present version :(

Members

Members allows you to add/edit roles without using code. It is basically a graphical interface to the roles and capabilities API functions, accessible from 2 new entries under the Users menu of wp-admin. Such basic functionality is available in other plugins, such as User Role Editor. Additionally, Members also provides shortcodes you can add post by post to restrict access to them -- getting us closer to content-based access management. The author promises to extend the latter in future releases (it's version 0.22 at the moment). Members also lets us create new custom capabilities.
Note that any changes made to users and roles using this plugin will remain even after uninstalling it.

s2Member® Framework

s2Member FREE is a very functional system to control content-based user access according to its own concept of Levels or membership tiers. It's intended, however, to be used as a commercial tool to charge for membership (it integrates with PayPal) and has many features that don't really matter to me at the moment but others may really love. Especially because it's extremely well documented, it's easy to set up, and it has enterprise-level support. Unfortunately, using it for access control means that everyone needs to register with the site to even read a post... but I'm running a public website!
There's also a "PRO" (paid) version with more flexibility and features.
Note that any changes made to users and roles using this plugin will remain even after uninstalling it.

At least s2Member helped me realize there are various types of content-based access management. What I'm interested in, and the reason for this blog post, is to limit some of my existing roles (the back-end users) in their capabilities depending on the content (again, for example by category).

AAM BASIC

Advanced Access Manager BASIC has an interesting interface in a new "Access Manager" menu which lets us create/edit/delete roles (and assign capabilities to them). We can also establish special restrictions for any existing role such as menu item visibility and ...drumroll... content-based! Yes, there's a "posts & taxonomies" tab in there where you can choose posts (by categories, which display as folders), pages, and media (and even media folders, in case you are also using Media Library Assistant). Sadly, while restricting categories does make them and their children inaccessible to the role (although the category count is wrong in the list), it doesn't apply to the actual posts in them! -- I'm not going through 2000+ posts one by one.

I'm not linking to this one because after further tests I decided it doesn't work. Assigning taxonomy-based restrictions to a role yields unexpected restrictions in others... Another annoyance is that some quite useful features (such as restrictions for posts inside categories...) are locked unless you buy AAM Premium... It would also be nice if media attached to restricted posts were automatically restricted. On the other hand, AAM can create new capabilities, and it's the only plugin so far that can be set up (with ConfigPress) to delete capabilities (any, not only the custom ones -- which can be pretty dangerous for your WP). Fortunately, deactivating the plugin removes all special restrictions.

Restrict Categories

Restrict Categories adds itself as an item under the Settings menu. Under its Roles (1st) tab, it allows you to select the categories one by one or all at once (unfortunately no recursive selection) that can be accessed by that role. It doesn't work if you are selecting more than 989 categories :( please fix this... I'm opening a support topic with them.

Role Scoper

We're down to Role Scoper. This plugin is complicated, not recommended for beginners... As its name suggests, the plugin allows you to restrict role capabilities to work only on certain content -- by category included, and it works recursively (the option must be chosen). Again, this one is confusing because it brings into play new abstract, fixed RS roles such as "Page Editor" or "Content Manager" that map to certain (undisclosed) WP capabilities and are described in the "WP Role Definitions" tab of RS Options. To complicate things further, you can also activate RS user groups, which in turn can be given RS roles for site-wide permissions... Anyway, this is what I did to restrict management of some categories to only some of the back-end users:
  • I first created a new role similar to Editor with another plugin (as of now URE being the best one just for that);
  • I assigned certain users to the new role;
  • (optional) Having a public website: Under the Roles menu, Options (1st) sub-menu, then Realm tab: in the Access Type section I un-selected the "Viewing content (front-end)" check-box;
  • (optional) Selected all the "sync WP [Role] to these selections" check-boxes in the "RS Role Definitions" tab of RS Options -- not sure what this does though;
  • Enabled groups in RS Options, Features (1st) tab;
  • In the Restriction menu, Categories (1st) item: under 1. I chose "Restrict selected roles" and "for categories and sub-categories", under 2. I went to the category of interest (a parent) and selected all the RS Roles except "Post Reader", and clicked the Update button on 3; (Probably because of my thousands of child categories, the page returned was completely blank but I went back to the same category restrictions page and confirmed the changes were applied.)
  • In the Roles menu, Categories item: under 1. I chose "Assign for selected and sub-categories", under 2. I checked the [role] in question (as a group), under 3. I went down to the same parent category as before and checked the same RS Roles.
Understanding exactly what the steps above do is not trivial; feel free to investigate. In the end this whole thing didn't work for me exactly as I wanted it to. The one problem I found is speed. It's very slow when filtering access to many categories and the posts in them, so the lists can take a looong time to load... Happily, as with AAM, deactivating the plugin gets things back to normal.
As a funny note, Role Scoper was developed within a religious project; you can learn more on its About page. It also has a larger/newer version (paid) called Press Permit.

---

So there it is. Nothing seems to work perfectly, or maybe I have to redesign my project (too many categories). Maybe restricting admin access based on content is not the best thing to do with WordPress; it was not designed that way (which is why we shouldn't call WP a CMS). Then again, that's probably why they came up with the multi-site WP Network, so consider that option instead if you can still restart your project or migrate your content.
