In this article you will learn everything you need to manage access to WordPress content effectively with the Advanced Access Manager (AAM) plugin, which can be downloaded for free from the official WordPress repository.
Before we start, let’s establish some common terminology that will be used in this article, so you can better understand what we are trying to convey.
- post is any post, page, media (attachment) or custom post type;
- term is any category, tag or custom term;
- content is the general definition for posts and terms;
- taxonomy is the way to “group things together” where any term belongs to one taxonomy;
- user is any existing WordPress user or visitor.
Note! Managing access to WordPress content does not necessarily mean that you either allow or restrict access to it. AAM currently has 20 different ways to define access to posts and terms. For example, you can replace a post’s content with a teaser message, allow a user to read a page only X number of times, or restrict access by IP address.
Note! If you have any caching plugins or server-side caching activated, make sure that you flush the cache after customizing access settings for posts and terms. Otherwise, the access settings may not be applied to the restricted content. It is strongly recommended to turn off any caching while managing access to your WordPress website content.
A large part of AAM's functionality is dedicated to managing access to posts and terms. WordPress core was not originally designed to restrict access to any content; everything is intended to be public. AAM alters WordPress core behavior and lets you manage access to your website content on the Frontend, Backend and RESTful API for any individual user, role or visitors, or even define the Default access for everybody.
The free AAM version lets you manage access to an unlimited number of posts. With the premium Plus Package add-on you can also manage access to terms and taxonomies and define the Default access to all posts and terms.
Access settings inheritance
All posts and terms are related to each other in some way. For example, any page may have a parent page; any post may be assigned to any category or tagged with any tag. Any term may have a parent term. To add even more complexity, to determine whether the current user can or cannot do certain tasks with a restricted post or term, you have to take into consideration the fact that the user may have a parent role or even multiple roles. That is why, to understand the full spectrum of possibilities for content access management, it is very important to learn how AAM inherits access settings. The diagram below outlines the general workflow.
AAM allows you to customize access settings for any post or term, or even set default access to all posts and terms, for an individual user, a role or all users at once. When AAM determines the access settings for a requested post or term, it first checks whether any explicit settings are customized for the current user; if not, it moves step by step up the hierarchical structure (as shown on the diagram above) until it finds any access settings.
Keep in mind that terms are also organized in hierarchical order. AAM takes this into consideration as well and inherits access settings as shown on the following diagram (this inheritance is triggered only if you have installed and activated the Plus Package add-on).
WordPress does not support role hierarchy and roles cannot have parent roles. With Role Hierarchy, you can create a complex tree of roles and AAM will take their relationships into consideration during the access inheritance.
So what does “customized access settings” mean? Technically, it means that you explicitly defined some access setting for a specific post, term, post type or one of the default access settings (you’ll learn about the different types of default access settings below). AAM has two different visual ways to show you when access settings are actually customized.
Default access settings
Default access settings are one of the most powerful features in the AAM plugin and they open a completely new horizon of possibilities. For example, you can restrict access to all your posts by default and then simply allow only a few. Some people call it the ability to define reverse access to posts and terms.
At first it might be a little confusing why there are three different default access settings for posts and terms; however, each has its own use case, as described below.
- Default access settings for a specific user. Customize access settings for any individual post, term or post type for a very specific user. For example, you can restrict access to read all posts in the “Science” category for user John Smith and overwrite this rule only for the “Introduction to the Science” post that belongs to the “Science” category;
- Default access settings for a specific role. Customize access settings for a specific role, and all the users that belong to this role will automatically inherit those settings unless access is overwritten. For example, you can limit access to all CPT Houses for all users with the role Subscriber and display only a teaser message “You have to be a member of the group Manager to see all houses”;
- Global default access settings for everybody. This feature was introduced in the AAM 3.9.5 release upon numerous requests, and it allows you to define default access for everybody to any post, term or to all posts and terms. There is a dedicated article that explains the concept behind the global default access settings. For example, you can restrict editing of all pages for everybody and overwrite this rule for the Administrator role and the John Smith user, who is a trusted editor on a website.
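The inheritance walk and the three levels of default settings described above can be modelled in a few lines. This is an added example, not AAM's own code. The lookup order is an assumption, since the diagrams are not reproduced here, and all users, roles, posts and terms are constructed sample data.

```python
# Simplified model of the lookup described above; this is not AAM's code.
# Assumed order: for each subject, most specific first, check the post, then
# its terms and their parents, then the post-type default. First match wins.

# Constructed sample data (all names hypothetical).
TERM_PARENT = {"physics": "science", "science": None}
ROLE_PARENT = {"editor": "subscriber", "subscriber": None}  # Role Hierarchy
POSTS = {
    "intro-to-science": {"type": "post", "terms": ["science"]},
    "quantum-basics": {"type": "post", "terms": ["physics"]},
    "about": {"type": "page", "terms": []},
}

# Explicit ("customized") settings keyed by (subject, object).
SETTINGS = {
    ("user:john", "term:science"): {"read": "deny"},
    ("user:john", "post:intro-to-science"): {"read": "allow"},
    ("default", "type:page"): {"edit": "deny"},
    ("role:administrator", "type:page"): {"edit": "allow"},
    ("user:john", "type:page"): {"edit": "allow"},
}

def subject_chain(user, roles):
    """Yield subjects from most to least specific: user, roles, default."""
    yield f"user:{user}"
    for role in roles:
        while role:
            yield f"role:{role}"
            role = ROLE_PARENT.get(role)
    yield "default"

def object_chain(post_id):
    """Yield objects from most to least specific: post, terms, post type."""
    post = POSTS[post_id]
    yield f"post:{post_id}"
    for term in post["terms"]:
        while term:
            yield f"term:{term}"
            term = TERM_PARENT.get(term)
    yield f"type:{post['type']}"

def resolve(user, roles, post_id, action):
    """Return (decision, subject, object) for the first explicit setting."""
    for subject in subject_chain(user, roles):
        for obj in object_chain(post_id):
            rule = SETTINGS.get((subject, obj), {})
            if action in rule:
                return rule[action], subject, obj
    return "allow", None, None  # nothing customized in this model
```

Returning the subject and object that matched makes it easy to see which customized setting decided the outcome when you review a site's access rules.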
Access control to media assets
Access control for WordPress media assets deserves a separate discussion, because a media asset is a combination of a database record, stored in the same database table as other posts, and a physical file that is typically located in the wp-content/uploads folder. That is why you have to take some extra steps to protect physical access to your files.
Learn more » How to manage access to the WordPress media library
Managing access to WordPress content is quite a complicated task because there are so many “moving pieces”. There are numerous relationships between posts and terms that need to be taken into consideration. New posts and terms are created and the relationships between them are constantly changing, and it would be impossible to keep track of what is restricted and what is available.
Luckily, with the help of the Advanced Access Manager plugin and the premium Plus Package add-on, you have no limits and can set up complex access settings in no time for your restricted or premium content, for any role or individual user, or even customize default access for everybody.