The most fundamental part of the WordPress CMS is the post. There are different core post types like pages, attachments, revisions, navigation menu items, media etc. Additionally any plugin or theme can register its own custom post type that will behave similarly to other posts with few differences in what it supports and how it can be accessed.
It is important to understand that even when posts, pages or any custom post type have different menus in the backend menu, they are all managed by the WordPress core in very similar way. Try to hover on each backend menu item and you will notice that Posts, Pages or any Custom Post Type menu points to the same page /wp-admin/edit.php. The only difference is in the post_type parameter. On other hand Media menu points to the /wp-admin/uploads.php however all media records are still posts with post type attachment.
Besides the post type attribute, there are two more significant difference between posts. The first big different is if post type is hierarchical or not. For example pages are hierarchical posts because you can define the parent page.
The second difference is if post type is public or not. This attribute defines if post type has its own backend menu item and if it is searchable on the frontend. For example revisions or navigation menu items both are hidden and not public post types. They are used for very specific internal needs and there is the dedicated functionality that works with them.
In AAM 4.6.1 release we added new option “Manage Hidden Post Types” to the Settings area that allows to manage access to hidden post types like navigation menu items. Primarily it was added to cover the scenario when frontend menu has custom links included and there is a need to manage access to them.
There are few more different options that define how post type works and the complete list of all available options can be found in the official WordPress documentation for register_post_type function.
WordPress does not offer many features to protect posts and absolutely no options to protect categories. The only available option is Password Protected status for a post. However anybody who knows the password can access it which is not the ideal way to protect your website content.
When there is a need to protect the website content, there are few very important things that you have to keep in mind. Answering few questions that are listed below, will give you a good start to choose the right strategy.
How many posts are you protecting? When you have large amount of posts, it is most likely you would want to group them in categories so you can manage access to few categories rather than hundreds or even thousands of posts one-by-one. This might get really overwhelming and time consuming task. With Plus Package extension you can significantly optimize your access management task.
Do you protect content from non-registered users only? Think about this questions as levels of protection. Do you have only one level protection when if user is not logged in then protect content and when logged in then show all your content? In some cases you might need multi-level protection. For example, protect some posts from visitors, but show few to users with Subscriber role and show all if user has Editor role.
Do you allow your users to have more than one role? As example Role A has access to Post A, while Role B has access to Post B and when you want to give User A access to both Post A and Post B, naturally you would think to give the user both Role A and B. However keep in mind that this type of user-base organization breaks the integrity of your access control system because it comes with serious conflict.
When Role A has access to Post A while Role B does not, in this case there is no good way to judge if user with both roles has or does not have access to Post A. That is why it is much better to avoid multi-roles and make sure that there is only one role per user. If you need a complex role-based access implementation, you can check Role Hierarchy extension to learn more about this topic.
Do you organize your content in categories? One of the best ways to organize large amount of posts, is to group them in categories even if there is no good reason to do that at the present moment. You never know, how your website will evolve in the near future and if time will come to manage access to your posts, they will be nicely organized in categories by logical meaning.
Another good reason to use categories is because you can create a complex tree of categories and access settings will be inherited based on the tree structure. For more information about AAM inheritance mechanism check How does AAM inherit access settings article.
What is the flow when access is denied to restricted content? When access is denied to restricted post or category, you should also define how this event is going to be handled. With AAM you have few good options to choose from. For more information check How to redirect WordPress user when access is denied article.
AAM plugin offers a lot of nice options that significantly enhances the ability to manage access to any post or category for any individual user, group of users (role-based access) or visitors. For list of available options check the How to manage WordPress post and category access article.