WordPress CMS (content management system) is getting much more popular over past few years because of its simplicity however it is not as simple and intuitive when it comes to manage access to WordPress website. From this documentation you will learn from the inside-out all you need to know about WordPress core and how to manage access to it with AAM plugin.
Some sections may have highlighted paragraphs with three different colors based on the user’s experience level and a warning message.
Green color - absolute beginner or end-user without any programming knowledge
Yellow color - experienced website administrator who familiar with FTP, databases etc.
Dark blue - expert with PHP programming knowledge
Highlighted Red - important notification (warning)
AAM is the free WordPress plugin that hosts in the official WordPress plugin repository. To install it, simply go to your website WordPress backend area and navigate to the Plugins->Add New. Here you can search for Advanced Access Manager and install it on your website.
Please Note! AAM is WordPress plugin, so you need to have already WordPress CMS installed in order to use it.
Upon AAM activate, no additional steps are required. You will be able to find the new AAM menu item in the main Admin Menu sidebar.
AAM is quite complex plugin with over 100 different features however most of our development time we spent to create intuitive and easy-to-use UI to maximize your efficiency.
The UI interface is divided into 6 distinct areas that are designed to either display important information or to give you ability to perform some specific set of actions. There are also several pieces of functionality that go beyond the AAM page and are integrated with WordPress UI like Access Manager Metabox or Access Link.
The Subject in AAM terminology is general name for any user role, individual user, visitor or default access to everybody. Other words the Subject is who you manage access to.
Each time you change subject on the Users/Roles Manager area, the current subject banner is adjusted accordingly. This gives you the visual confirmation for who are you managing access to.
The current subject can be highlighted with two colors. The red color means that you are managing access to the highest allowed user level or to the default access for everybody. That is why be careful as you can accidentally restrict access to your user. Additionally the entire AAM page will have the light red background.
Notice! Access to AAM UI is customizable and you can grand access to certain features for anybody who is registered on your website. For example you can give ability for your Editors to manage access to Posts & Pages. In this case Editor role will be the highest allowed role and it will be highlighted with red color. For more information about this feature please check How to manage access to AAM page for other users article.
The blue color indicates that you are managing access for role or user that has lower user level than you do.
AAM is highly customizable plugin. There are multiple ways you can alter its behavior and the easier one is through the Settings Area.
The layout here is similar to the Main Panel where all settings are grouped based on the logical meaning. Here you can find the most widely used settings.
Please Note! It is strongly recommended at least to glance through the list of all available settings because they can help you to significantly improve your website performance. WordPress, inherently, was not designed for advanced customization. That is why some AAM features may reduce your website performance and if you do not use resource consuming features, you can disable them.
Users/Roles Manager is the place where you can manage list or roles, users and switch between Subjects (who are you managing access to). It has a lot of neat features and they all are described in-depth in the Users/Roles Manager section.
By default every post, page or custom post type will have additional metabox added to the edit screen that allows to manage access to it for any user, role, visitor or default access to everybody for both frontend and backend.
To be truly expert in the WordPress access management, you would have to be aware about all the conceptual and functional pieces that collectively create WordPress core. As it was mentioned in the UI Overview section, AAM is just the very useful plugin that you can use to customize your website access.
That is why it is strongly encouraged to read through all core concepts to get better understanding of how WordPress CMS works and how AAM can be used to manage it.
WordPress is based on the hybrid of Role-Based Access Control (RBAC) and Access Control List (ACL) models. It is designed to give the ability for a website owner to control what other users can or cannot do based on the assigned role. On other hand, it also has the limited ability to customize access for a specific user (this part is explained in-depth in the What is a WordPress user article).
It is very critical to understand the WordPress Roles & Capabilities as it is the core concept in access management. With that knowledge you are capable of creating complex membership platforms or simply manage access to restricted parts of your websites with little to no effort.
By default, the WordPress website has Administrator, Editor, Author, Contributor and Subscriber roles. The crucial difference between them is in the amount of assigned capabilities that sometimes is mistakenly referred to “user or role level”.
The User Levels concept was introduced to the WordPress 1.5, replaced with Roles and Capabilities in 2.0 and finally announced as deprecated in 3.0. In the current WordPress implementation, the user levels are represented as the list of capabilities level_0 to level_10 and they do not have any impact on the user permissions.
WordPress comes with straight-forward user management functionality. You can create unlimited number of users and delegate different responsibilities based on the assigned role.
List of all users can be found in the backend on the All Users page, however it is accessible only for users that have list_users capability.
The default WordPress functionality does not support the idea of user status. Every registered user is considered as active however with AAM you have the ability to deactivate users without actually deleting them. For more information about this please check What is a WordPress user article.
Anybody who is not authenticated (logged in) is a visitor. Typically they have access only to the frontend side of a website and have limited abilities to interact with frontend features.
WordPress core has almost no tools to manage what visitors can or cannot do on the frontend side however AAM has a lot of features that you can utilize to manage access not only to the frontend content and widget but also access to the entire website.
Capabilities is the core concept in the WordPress access management as it literally defines what authenticated user is authorize to do. However it is important to emphasize that it is heavily utilized for the backend side of a website.
The Roles & Capabilities article is probably the best reference for all predefined core capabilities that come with default WordPress installation.
Frontend is the publicly facing part of the WordPress website. Typically it is rendered by the active theme and consists of pages, posts, categories widgets and menus.
WordPress core does not have any abilities to manage access to it however AAM has a lot of neat feature that can be used. You can manage access almost to every part of your frontend. For more information please refer to the What is the WordPress frontend article.
WordPress hooks is the subject of interest to developers rather than none technical users however it is beneficial to understand the concept because majority of customization is based on hooks.
Hooks are programmatic actions and filters that can be used by developers to “hook into” some core WordPress functionality. For example AAM hooks into the functionality that retrieves the list of posts from the database and filter out all posts that are hidden for currently authenticated user or visitor.
The User Activity extension uses hooks concept to listen to different events triggered by user actions and stores all related information and shows you the detailed report when requested.
There are few core WordPress functions that developers can use to register new hooks. Internally they are executed the same way with the only difference in return result. The add_action function does not return any result while add_filter action has to return the input value either unmodified or modified, otherwise it will break the chain of functions that may hook to the same event. It is also important to pay attention to the priority attribute as lower priorities are executed first.
A lot of access management tasks cannot be accomplished just with roles and capabilities that is why you may noticed that developers refer to different hook that can be utilized to accomplish desired objectives. Please do not hesitate to contact as with questions if you not sure how to accomplish some of the tasks and we are more than happy to help you out.
WordPress posts can be grouped together with taxonomies and there are two different types: hierarchical and tags
For example post category is the hierarchical taxonomy and you can create a complex tree of categories with sub-categories. However post tags are linear list of tags that can be assigned to a post.
AAM works only with hierarchical taxonomies and greatly enhance your ability to manage access to large amount of posts that are grouped. For more information about the taxonomy check What is a WordPress taxonomy article.
AAM has the most sophisticated access settings inheritance mechanism that is available online for the WordPress CMS. It takes in consideration all WordPress core relationships between website resources. Under resource we mean any post, taxonomy, user, role, menu, metabox etc.
With Role Hierarchy extension you can even create a hierarchical tree of WordPress roles where all child roles inherit settings from parent.
It is very important to understand how it works because with this knowledge you have endless possibilities. Within minutes you can create a complex membership portal that typically would cost you thousands of dollar to implement from scratch.
AAM comes with internal caching mechanism that stores results of access settings inheritance for posts and terms as this is the most time and resource consuming procedures due to access inheritance mechanism.
Please do not get confused. AAM cache has nothing to do with any website caching plugins or WP Fast Cache or WP Super Cache. It is also not a PHP Opcache or Memcache. You cannot enable or disable it however you can clear it on the Settings tab.
It is important to emphasize that cache is stored per each individual user separately and is automatically cleared if user's role is changed. It is also automatically cleared if any changes detected for post's parent hierarchical term or to term itself however in this case the cache is cleared for all existing users and visitors.
One of the most popular features that AAM offers is the ability to restrict access to the Backend menu items. AAM not only filter out restricted menus and submenus but is also restrict direct access to them.
Another useful feature that comes with basic AAM plugin is the ability to manage list of metaboxes and widgets on both frontend and backend.
Metaboxes and widgets are parts of the backend and frontend, designed to do very specific tasks. You can find metaboxes on edit post, page or custom post type pages. For example "Publish", "Categories", "Custom Fields" etc. are metaboxes. Widgets typically are rendered either on the Home page of the admin Dashboard or sidebar of the website frontend.
This is the most powerful and also very sensitive part of the entire website. Be careful because you can easily loose control over your website or restrict group of users from doing critical tasks without even noticing that.
On this tab you have absolutely all necessary tools to manage list of capabilities for any role or even individual user.
AAM plugin has the most powerful and sophisticated set of tools to manage access to the website posts, pages, media, custom post types, categories and custom taxonomies. Flexible inheritance mechanism and multiple levels of default settings makes AAM the best content management plugin that is available for the WordPress CMS.
Hide any post on the website frontend or backend. AAM will filter out selected post from all menus or lists however it can be accessed with direct URL. For example, you can hide the page "Sample Page" for all users with the Subscriber role but if user has direct URL to the page, he will be able to access it.
The LIST access option may impact the website performance that has large amount of posts. AAM has several optimizations implemented that minimize the impact like internal AAM caching or post access indexing. It is strongly recommended to disable this feature with Check Post Visibility option if there is no need to hide posts.
With Plus Package extension access control is also available for taxonomies or you can even setup default access to any registered post type (e.g. Posts, Pages, Media etc.).
Similar to the LIST option however the post is hidden for everybody except the author (whoever created the post or was assigned as author). For example if John Smith created the post "Introduction to AAM" then only John Smith will see it on the website frontend or backend while for other users and visitors it is hidden.
Note! Due to the nature of the AAM access inheritance mechanism, the LIST TO OTHERS option should be check only on the Default Access level. This way all the roles, users and visitors will automatically inherit it unless overwritten.
Note! If LIST TO OTHERS and LIST options are both checked, then AAM disregards LIST TO OTHERS option and the author will not see his own posts.
Restrict access to read the post. If LIST option is not checked, then the post is still listed on the website frontend but direct access to it is restricted. Any attempt to access the post will be denied and user will be redirected based on the Access Denied Redirect rule.
Similar to the READ option however the post is restricted for reading and viewing for everybody except the author (whoever created the post or was assigned as author). For example if John Smith created the post "Introduction to AAM" then only John Smith will be able to read it on the website frontend while for other users and visitors it will be restricted.
Note! Due to the nature of the AAM access inheritance mechanism, the READ BY OTHERS option should be check only on the Default Access level. This way all the roles, users and visitors will automatically inherit it unless overwritten.
Note! If READ BY OTHERS and READ options are both checked, then AAM disregards READ BY OTHERS option and the author will not be able to read his own posts.
Define how many times the post can be opened to read, view or download. This option is available only for authenticated users as there is no really secure way to identify visitors.
After user reaches defined threshold, access to post will be denied and user will be redirected based on the Access Denied Redirect rule.
The read counter increments right after the threshold is set. The counter is stored in the wp_usermeta table as aam-post-[post-id]-access-counter meta key. There is no option to reset this counter from the AAM UI. The meta key has to be deleted manually when there is a need to reset the counter.
Define limited by time access to the post. For example you can allow visitors to access your posts in the Science category only for 1 month. After that the access will be automatically restricted.
The expiration criteria expects to be given a string containing a valid date/time format or mathematical expression.
Dates in the m/d/y or d-m-y formats are disambiguated by looking at the separator between the various components: if the separator is a slash (/), then the American m/d/y is assumed; whereas if the separator is a dash (-) or a dot (.), then the European d-m-y format is assumed.
To avoid potential ambiguity, it's best to use ISO 8601 (YYYY-MM-DD) dates whenever possible.
Examples: +2 weeks (the access will expire in 2 weeks from now); +10 hours (the access will expire in 10 hours from now); January 1st 2018; 10/08/2019
Start selling access to your website content (any post, page, media asset, custom post type, category, custom taxonomy etc.). The option is based on the simple idea where authenticated user has access to "monetized" content only if he purchased bounded E-Product. Otherwise user will be automatically redirected to conduct a purchase or teaser message will be displayed to do so.
Similar to the EDIT option however the post is restricted for editing for everybody except the author (whoever created the post or was assigned as author). For example if John Smith created the post "Introduction to AAM" then only John Smith will be able to edit it.
Note! Due to the nature of the AAM access inheritance mechanism, the EDIT BY OTHERS option should be check only on the Default Access level. This way all the roles, users and visitors will automatically inherit it unless overwritten.
Note! If EDIT BY OTHERS and EDIT options are both checked, then AAM disregards EDIT BY OTHERS option and the author will not be able to edit his own posts.
Similar to the DELETE option however the post can be trashed or permanently deleted only by the author (whoever created the post or was assigned as author). For example if John Smith created the post "Introduction to AAM" then only John Smith will be able to delete it.
Note! Due to the nature of the AAM access inheritance mechanism, the DELETE BY OTHERS option should be check only on the Default Access level. This way all the roles, users and visitors will automatically inherit it unless overwritten.
Note! If DELETE BY OTHERS and DELETE options are both checked, then AAM disregards DELETE BY OTHERS option and the author will not be able to delete his own posts.
Restrict access to publish the post if it haven't been published yet. Great option if you want to restrict access to publish content without reviewing it first. Any attempts to publish the post will result is saving the post with Pending Review status.
With Plus Package extension you can even restrict ability to publish posts in the very selective category or even disallow to publish any post in specific post type.
Similar to the PUBLISH option however the post can be published only by the author (whoever created the post or was assigned as author). For example if John Smith created the post "Introduction to AAM" then only John Smith will be able to publish it.
Note! Due to the nature of the AAM access inheritance mechanism, the PUBLISH BY OTHERS option should be check only on the Default Access level. This way all the roles, users and visitors will automatically inherit it unless overwritten.
Note! If PUBLISH BY OTHERS and PUBLISH options are both checked, then AAM disregards PUBLISH BY OTHERS option and the author will not be able to publish his own posts.
Restrict access to browse the category however it is still listed on the website frontend. When user clicks on the category link, access to the category will be denied and user will be redirected based on the Access Denied Redirect rule.
For example you can restrict access to see list of products in the category "Products" for all visitors and redirect them to login page first.
Restrict access to create new posts. This option is available only for default post type access level so technically you can either allow to create new posts or not. Any attempts to create a new post will be denied with WordPress core message "Sorry, you are not allowed to access this page."
There is no way to restrict access to create new posts for specific category simply because WordPress does not know what category you will choose after hit Create New button. To cover this scenario you can hide acategory on the backend with LIST option.
By default, WordPress redirects user to the admin backend after user authenticated successfully. In a lot of cases this might not be the ideal user flow. With the Login Redirect feature you can redefine this behavior for any role or even individual user.
The login redirect feature may not work if you are using third-party plugin or any custom functionality for the login process. We strongly encourage you to check our free AAM Secure Login feature.
AAM allows you to define custom 404 redirect when page was not found on the website. The 404 redirect can be defined only on the Default Access level as it is less-likely you would need the ability to define 404 redirect for specific user or role.
By default, the options is disabled to prevent from mistakes of deleting or modifying role capabilities. So many inexperienced WordPress users lost control over their website because of that so we made the decision to disable it unless it is explicitely enabled.
When option is enabled, two additional icons are available for each capability: "Edit" and "Delete".
Access Manager Metabox, by default, is added to every edit screen for posts, pages, medias, CPTs, categories or custom taxonomies. You can disable this metabox if there is no need to manage access to your website content.
Please note! The Access Manager metabox is not rendered for users that do have access to AAM page or do not have ability to manage AAM Posts & Pages feature. It is also not rendered when both Frontend Access Control and Backend Access Control options are disabled.
The "Access" action is added by default to list of users, posts and taxonomies. It can be disabled if not needed.
Please note! The "Access" action is not rendered for users that do have access to AAM page or do not have ability to manage Posts & Pages feature. "Access" action will not be rendered on All Users screen if user does not have list_users capability. It is also not rendered when both Frontend Access Control and Backend Access Control options are disabled.
AAM comes with its own secure login functionality like login widget or ability to significantly improve your website security by protecting from brute-force attacks. However you have the ability to disable this feature if other plugins are used for login/security purposes.
WordPress multisite network does not have any options to manage access to sites frontend per user base. That is why any user or visitor can access all sites in the network. By activating this option, AAM will automatically restrict access to the site if user is not a member of the site (not added as the user of the site).
Please note! AAM will control only frontend access. To restrict user to access backend area for any site, simply do not add user to the site's user list.
AAM is probably the only free plugin that gives the ability to manage physical access to all your media assets. By activating this option, all restricted to READ media records will not be accessible for viewing or downloading.
Enabling Check Post Visibility feature may slow-down the website performance with large amount of posts, pages or media library.
WordPress core database and functionality is not normalized for granular acess management to its resources like posts, pages or categories. It would be much easier if all the Website content and relations between different content types were static however in reality this is not true. We consistently adding new posts and categories, changing how they are organized, creating new users and roles. AAM successfully takes in consideration these facts however it comes with the cost.
When Check Post Visibility option is enabled AAM applies settings inheritance mechanism for each fetched post or term and cache result per user base. When there is large amount of posts, AAM will do it in small portions (by default 500 posts per request but this value can be changed with ConfigPress settings get_post_limit).
Basically it is recommended to keep this feature disabled if you are not planning to use Posts & Pages access option LIST or LIST TO OTHERS.
For example, the frontend menus are typically list of hidden post types nav_menu_item that are references to the actual posts, pages, categories or links. The mentioned post type is hidden (not public) that is why you need to explicitely enable the ability to manage them. Upon enabling, you should be able to see more post types available for access control on the Posts & Pages tab.
WordPress, by default does not provide the ability to group your pages in categories the same way as posts. This might be very useful if you are planning to manage access to multiple pages. Upon enabling this feature, you will be able to group pages into categories the same way as posts.
WordPress, by default does not provide the ability to group your media library in categories. This might be very useful if you are planning to manage access to the group of files. Upon enabling this feature, you will be able to group media assets into categories the same way as Posts.
It is quite common when you have to assign more than one category (any hierarchical taxonomy) to a post. In some instances you might have multiple hierarchical taxonomies registered for a post.
AAM by default takes in consideration only access settings for the first category on the list and ignores others however by enabling Support Multiple Categories option, AAM will fetch access settings for all assigned hierarchical taxonomies and merge them as following:
- By default the denied access option has higher priority. For example if for Category A all posts are allowed to READ, however for Category B all posts are restricted to READ, then any post that has Category A and Category B will be not allowed to READ.
- If ConfigPress option access.merging.preference* is set to allow then with the same scenario as above, the post will be allowed to READ.
* You should have Plus Package 3.5.1 or higher for this feature.
AAM has the ability to export all the access settings so you can import them to any other website. For example, it is very helpful when you want you have multiple website that should have the same list of roles and capabilities.
By default AAM exports only roles & capabilities, AAM settings and ConfigPress settings. You can customize this behavior with ConfigPress. For more information please check How to export and import AAM settings article.
AAM comes with internal caching mechanism that is heavily used to cache posts and pages access settings. You can manually purge the cache.
AAM automatically clears the cache for specific user or all the users depending on the content relations change. For example if you assign post to a new category, AAM will automatically clear the cache so a new set of access settings can be inherited.
Users/Roles Manager is the sidebar panel on the AAM page that allows you easily navigate between roles, users, visitors or switch to manage default access to everybody. Here you can find all necessary set of tools to successfully manage list of your roles and user.
WordPress allows you to have unlimited number of roles however it does not have ability to manage them. You can find out all you need to know about role management from the How to manage WordPress roles article
One of the most powerful aspects in the AAM functionality is the ability to define default access for everybody to any website resource. So technically everybody (including Administrato role and your admin user) inherits those settings if no other settings were detected.
The [aam context="loginRedirect"] shortcode is useful one when you want to render link or button that leads to the default WordPress login form. Upon successful login, user will be redirected back to the previous page.
List of available attributes:
class - Link HTML class. Default: none;
callback - Custom PHP callback function that returns login button. Default: none;
Please note! AAM extensions are not typical WordPress plugins and should not be treated as such. All AAM extension are installed in special directory that is outside of the default WordPress plugin directory.
There are two possible ways of installing AAM extension:
- From the Extensions Area. If you purchased a premium extension, then you can insert the license here and AAM will automatically download and install extension for you. For free extensions, you can simply click on Download button right next to the extension name.
AAM core was created by experienced developers for developers. You can utilize it to create your own custom functionality or event custom extensions that we can host on our server while you are getting paid 100% or the specified value.