WordPress comes with a number of built-in user roles to control what registered users can do when they log in to your blog. I want to explain the various roles available and what capabilities each type of user will have.
If you are a lone blogger who does all the writing and administration yourself then you only need two types of user: readers, who do not log in and therefore don’t need a role, and an administrator. This post is probably not for you, but if this is your scenario, there are a couple of things I recommend:
When you create additional user accounts on your blog you can then assign each user to a role. There are five roles: subscriber, contributor, author, editor and administrator. Each has an increasing level of permission to perform actions (known as capabilities) on your site.
This post will take you through each role and its capabilities. I will start with the least privileged and build up a profile of the additional things each level can achieve.
By default all new users created on your blog will be subscribers; an administrator-level user then needs to edit the user and assign it a new role. This is done from the dashboard -> users -> authors and users -> edit the required user -> from the role drop down, set the user level.
Subscribers have the ability to read your blog posts. This is the same level as unregistered readers and visitors to your blog, so why do you need a role for this? The answer is you may not need this level, but some blogs have features available only to logged-in, registered users. Some of those may be:
There are various plugins which require a subscriber role, so out of the box the subscriber role may not seem necessary, but each installation is individual.
Moving up the scale, contributors are at a level where they can create content on your blog.
The contributor can read posts, create and edit posts from the dashboard. They can also delete their own posts which have not been published.
The point to note about contributors is that they can create draft posts but cannot publish them. A more trusted user level is required to edit the post and make it publicly available.
An author is a more trusted level of contributor, they have all of the permissions of a contributor, but they can also publish their own posts, delete their own published posts and also upload files to add to posts e.g. images to include in posts or videos to play within a post.
Authors only have control over their own content; other authors’ and contributors’ posts can be read but not edited or amended.
When we reach the editor level we move into site-wide permission territory. As the name suggests, editors have control over other users’ content: they can publish, delete and create posts, and they can also create, amend and delete pages and have access to, and control over, posts marked as private. Check the visibility setting of a post: it can be public, password protected or private, and only editors and above can see private posts and pages.
Editors can create categories and blogroll link entries and moderate comments. What they cannot do is create or amend user accounts; those capabilities are reserved for administrators.
Editors are trusted members of your organisation; they can affect your blog at a fundamental level. What they cannot do is change the look and feel of the site, for that we need an ….
The admin-level user is the super user for the site. Along with all of the other capabilities discussed above, they can change the theme, upload and install plugins, create and edit users, and modify the look and feel of the dashboard.
Control of who is an administrator of your site is crucial for a secure site: use a strong password and consider changing the login ID to something other than admin.
If you have multiple people contributing to your site, make use of roles and assign them the minimum permission required to get their job done. You may have scrupulous procedures to safeguard your passwords, but do your contributors? You may trust them, but making them admin-level users when all they need to do is upload their post for editing is just creating a security loophole on your site.
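A practical way to check that the minimum-permission rule is actually being followed is to ask the database directly who holds which role. The queries below are an added example, not part of the original post: they assume the default table prefix wp_ (substitute your own prefix in the table names and in the meta_key value if it differs) and the standard way WordPress stores roles, as a PHP-serialized array in the usermeta table under the key {prefix}capabilities.

```sql
-- Added example (not from the original post): audit who holds the
-- administrator role and whether the default "admin" login still exists.
-- Assumes the default table prefix wp_; change both the table names and
-- the meta_key value if your wp-config.php uses another prefix.

-- 1. List every user holding the administrator role. Roles live in
--    usermeta under {prefix}capabilities as a serialized PHP array,
--    e.g. a:1:{s:13:"administrator";b:1;}, so a quoted role name is a
--    reliable thing to search for.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered;

-- 2. Count users per role, to spot accounts that carry more privilege
--    than the job needs (a contributor who was "temporarily" made an
--    editor and never put back). A user with several roles is counted
--    once, under the most privileged one.
SELECT
  CASE
    WHEN m.meta_value LIKE '%"administrator"%' THEN 'administrator'
    WHEN m.meta_value LIKE '%"editor"%'        THEN 'editor'
    WHEN m.meta_value LIKE '%"author"%'        THEN 'author'
    WHEN m.meta_value LIKE '%"contributor"%'   THEN 'contributor'
    WHEN m.meta_value LIKE '%"subscriber"%'    THEN 'subscriber'
    ELSE 'other/none'
  END AS role,
  COUNT(*) AS users
FROM wp_usermeta AS m
WHERE m.meta_key = 'wp_capabilities'
GROUP BY role
ORDER BY users DESC;

-- 3. Does the well-known "admin" login still exist? A predictable
--    username gives a brute-force attempt half of what it needs.
SELECT ID, user_login, user_registered
FROM wp_users
WHERE user_login = 'admin';
```

Run these read-only queries from phpMyAdmin and compare the result with the list of people who actually need each level. Any admin you do not recognise, or any account that has been upgraded for convenience, is demoted from the dashboard (users -> edit -> role). Do not edit the serialized meta_value by hand: the string lengths inside it must match exactly, and a typo there locks the user out of every capability.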
http://codex.wordpress.org/Roles_and_Capabilities#Roles
Did you know that WordPress can be used as the content management system (CMS) for “real websites”? I want to take a look at how the post and blogging functions of WP can be repackaged to work as a back-end content creation, management and placement system for a traditional, non-blogging website.
I have worked with professional CMS tools from companies such as IBM which cost tens of thousands of dollars per processor not per license, and in my opinion, a certain level of this can be done with humble, free WordPress.
A blog publishes posts in reverse chronological order usually with a list of previous posts available to read from the front page, whilst a CMS is a system to create content easily and then publish it in a predefined section of a web site.
For example, all news articles will appear in a news section of a site, and all special sales offers may appear on the front page. It’s all about easily creating content and pushing it to its predefined location on the site.
If you are building a CMS the likelihood is that you will not need a series of blog posts on your front page, rather you will have a static front page and have content or posts pushed into their own container.
WordPress allows you to change the front page of your site to do exactly this. From your dashboard goto settings -> reading, and you will see the following options:
Change the setting from your latest posts to a static page, create a page with your home page content and you are good to go, it’s as easy as that.
The selection of your theme will probably make or break your CMS installation. You are looking for something with lots of sidebars into which you can push content. The task will be made easier if the theme is widget ready.
Check out the WordPress theme directory at http://wordpress.org/extend/themes/; you can search for themes by the number of sidebars and widgetization (is that a real word?). Your other options are to buy a premium theme or have one tailor-made for you by a theme designer. A search on Google for CMS WordPress theme will return a large number of pre-made themes ready to act as a CMS.
The use of the term sidebar is a bit of a misnomer; think of a sidebar as a slot into which you can place widgets. An example of this misnomer can be seen on my site: I have four sidebars in my configuration, and only one runs down the side of my site, the other three are in the footer.
Once you have a static front page and a theme of your choosing you need to start pushing content into its correct container. I think the best way to organise your content is by category.
For example you may have a section on your site for your sales team, put all of their content into a wordpress sales category, this can then be extracted and published to the correct location using the techniques outlined below.
Once your data is categorised, you can then use widgets to position your content. Using the “list category post” widget you can push a list of posts from a particular category in your sidebars.
This is done from your wordpress dashboard -> appearance -> widgets, then drag and drop your widgets onto the appropriate sidebar.
You may want to position content in locations where widgets don’t easily work; for example you may want a static page called news into which news items about your organisation are displayed. To do this there are a number of plugins out there; the one I use is Sobek’s Post In Category plugin. Using this I can pull all of the posts in a particular category and display them as a linked list for people to click through to the actual post. These can be shown on pages or posts.
Using plugins in this fashion allows you to extend the WordPress page function to act as a new container for content.
You may want your CMS to be updated by many people, WordPress has the functionality to allow multiple authors and editors of your content. Using the roles built into WP you can allow people to write content but not publish it, create editor level users who have the permission to edit and then publish the posts.
Full details of the roles available can be seen at http://codex.wordpress.org/Roles_and_Capabilities. The roles are fairly granular, so control over what your contributors can or cannot do is available to you.
Another function of a CMS is controlling who can see which content; with the addition of a plugin or two, WordPress can do this.
For example you may have a customer only area on your site where they can read order information. Using the user management functionality areas of your CMS could be password protected.
Check out my post How To Integrate Paypal with Your Wordpress Blog whilst this is about monetising your site with paypal, it also discusses the various membership site plugins available. Using these type of plugins you can create login IDs to protect certain pages or posts making them available to a subset of your site users.
Using the scheduled posting function of WordPress the site can be updated at set times. An example of this may be a sale. Write up details and set the post to appear in the appropriate container when the sale begins.
Check out my post Write Now Post Later for the mechanics of this process.
You may find that you want to add content to the site and then remove it when it is no longer valid, unlike us lazy bloggers who just want to pump out more and more content and leave it online for posterity. Using the post editor, content can be marked as draft or deleted very easily to make content visible on the site or remove it.
When it’s a CMS, WordPress is not just a blogging tool: it can be used to update and present content on a traditional, more static site. Your usage of WordPress as a CMS is limited only by your imagination for organising content into containers.
I hope this post has prompted you to think of WordPress as more than just a blogging tool.
I put a call out on twitter to find out who was using WordPress as a CMS, here is a list of sites configured in this way, have a look and get inspiration.
Special thanks to Charlene Polanosky; she not only sent me links to sites but detailed descriptions from her own site on building sites using WordPress as your CMS.
If you need some assistance making WordPress work as your CMS, please visit my WordPress coaching page.
When you logged into your blog today, you probably saw a new banner running across the top like this:
This is an announcement that the latest version of WordPress is available for you to download and install.
This release is a bug fix to the version 2.8 release which was sent out about a month ago. Here is a link to the fixes and changes available in this new version just in case you are into that kind of thing http://wordpress.org/development/2009/07/wordpress-2-8-1/
With this in mind I thought I would link up all of my posts on updating to the latest version of wordpress.
Please remember to backup thoroughly before you upgrade.
Gather round the camp fire kids, I have a scary tale to tell. It’s a story from a sci-fi nightmare of crazed bots running amok in the blogosphere. I call the story “When Comment Spam Bots Kill” .. da-da dahhhhh!
I was working with a client recently whose WordPress blog was killed by comment spam. I thought I would write it up and give you some tips to stop this happening to other blogs.
My client’s database was stuffed full of comments; when I looked at the issue there were more than 140K comments in the moderation queue. This was exacerbated by a plugin called BAStats which was creating log entries for all activity; this table had over 1 million entries.
The blog was running on a standard hosting installation and the database was just too big and cumbersome. As a result, whenever anyone tried to access the front end they were timed out because a database connection could not be made, and if anyone tried to access the back-end dashboard the same happened. The blog was unreadable from the front end and unmanageable from the back end, a pretty pickle to be in.
A review of the comments from the backend database showed them to be comment spam, someone was running a comment spam bot to inject huge numbers of spammy links into the system.
I am going to talk about phpMyAdmin and modifying the back-end database a lot in this post, so I thought a quick note on phpMyAdmin was in order.
phpMyAdmin is a MySQL admin tool which allows you to perform functions on your database. You will probably find this on your hosting control panel.
This is a GUI tool which allows you to tweak your database, it is not for the faint hearted, you can do real damage if you don’t know what you are doing, you have been warned!
I disabled the BAStats plugin by renaming all of its PHP files. I could not do this from the back end because I could not log in, so using my FTP client I navigated to the plugin directory and manually renamed the PHP files so they were no longer loaded. This stopped the stats package from working and reduced load on the database a little, giving me some breathing space.
The next step is a little radical, but it was all I could do, and that was to delete all comments in the moderation queue. First I made a backup of the comments table ({prefix}comments, which is wp_comments with the default prefix), then ran the following SQL command from within phpMyAdmin.
DELETE FROM wp_comments WHERE comment_approved = '0';
This is a radical approach which deletes every comment held in the moderation queue regardless of whether it is spam or ham (a good comment). Note that comment_approved is a text column ('0' for pending, '1' for approved, 'spam' for spam), so the 0 is quoted, and that you should substitute your own table prefix for wp_ if it differs. My client felt it best to start afresh with no comments held for moderation.
As a final step I also disabled comments on the blog temporarily to prevent further comment injection.
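The cleanup above, written out as SQL with the checks a practitioner would want around it. This is an added example, not the queries from the original post: it assumes the default table prefix wp_ (substitute yours if it differs) and the standard WordPress schema, in which comment_approved is a text column holding '0', '1', 'spam' or 'trash'. Run each statement separately in phpMyAdmin and read the result before moving on.

```sql
-- Added example (not the queries from the original post): measure, back up
-- and then clear the moderation queue, and close comments on existing posts.
-- Assumes the default table prefix wp_; substitute yours if it differs.

-- 1. Measure the problem first: how many comments are in each state?
SELECT comment_approved, COUNT(*) AS comments
FROM wp_comments
GROUP BY comment_approved;

--    Who is sending them? A handful of IP addresses behind most of the
--    pending queue is the signature of a bot rather than real readers,
--    and gives you something to block at the host or firewall.
SELECT comment_author_IP, COUNT(*) AS hits
FROM wp_comments
WHERE comment_approved = '0'
GROUP BY comment_author_IP
ORDER BY hits DESC
LIMIT 20;

-- 2. Back up the rows you are about to remove, inside the same database,
--    so a real comment caught in the sweep can be put back with a single
--    INSERT ... SELECT from this table.
CREATE TABLE wp_comments_pending_backup AS
SELECT * FROM wp_comments WHERE comment_approved = '0';

-- 3. Delete the moderation queue in batches. One DELETE of 140K rows holds
--    a long lock and can itself time out on shared hosting; repeat this
--    statement until it reports 0 rows affected.
DELETE FROM wp_comments
WHERE comment_approved = '0'
LIMIT 10000;

--    Comment meta (Akismet's own notes, for example) lives in a separate
--    table that exists from WordPress 2.9 onwards and is now orphaned.
--    Skip this statement on older installs where the table is absent.
DELETE m FROM wp_commentmeta AS m
LEFT JOIN wp_comments AS c ON c.comment_ID = m.comment_id
WHERE c.comment_ID IS NULL;

-- 4. Close comments and trackbacks on every existing post. The checkbox
--    under Settings -> Discussion only sets the default for *new* posts;
--    wp-comments-post.php checks each post's own comment_status, so bots
--    keep posting against old posts that are still open.
UPDATE wp_posts
SET comment_status = 'closed', ping_status = 'closed'
WHERE post_status = 'publish'
  AND (comment_status = 'open' OR ping_status = 'open');

-- 5. Reclaim the disk space the deleted rows left behind.
OPTIMIZE TABLE wp_comments;
```

Step 4 is the one most people miss: switching comments off in the dashboard does not touch posts that already exist, which is one ordinary explanation for spam continuing to arrive after "disabling" comments. If you want to keep discussion open on recent posts, the Discussion settings also offer automatic closing of comments on posts older than a chosen number of days, which cuts off the long tail of old posts that bots favour.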
That fixed the problem: the front and back end were now accessible, but I felt preventative measures were in order to stop the issue recurring. I delved into the back end.
The root cause of the problem was that spam capture was disabled: Akismet was not automatically flagging comments as spam. I re-enabled this and ran the “check for spam” routine, and another couple of hundred approved comments were marked as spam.
Do you remember I said that I had disabled commenting? Spam comments were still coming in! My client was running an old version of WP and I suspected that a spam bot script was pushing comments in through a WordPress vulnerability or plugin loophole, so my recommendation to my client was to upgrade to the latest stable version of WordPress and to download and reapply the plugins they used only from legitimate sources, in the hope of sealing the vulnerability. This is in progress.
There is a long term danger if you do not moderate your comments well, and that is loss of reputation through your page rank. Your site will be demoted and traffic may dry up.
A real-life analogy: if you start hanging around with the dangerous kids at school, smoking, taking drugs and bullying other kids, you will be marked as one of those types of people. The same goes if you give out a link to a dodgy site; you are seen as giving them an endorsement and your site is marked down.
Moderate brutally, keep your comment spam plugins in place, tighten up your moderation policy and give my posts on comment spam a read: What is Comment Spam and How To Control Your WordPress Comment Spam