WordPress access control fundamentals

In this article, you are going to be introduced to the few fundamental concepts that form solid WordPress access control functionality with the help of a free Advanced Access Manager plugin. This is the first step to the series of articles that will show that you have unlimited possibilities to build the most complex and secure WordPress websites that require access management (e.g. membership platforms, knowledge-based portals, etc).

A little bit of history…

WordPress security and access control is probably the most challenging task because the very core idea of WordPress CMS (Content Management System) was never designed to hide or protect any content.

The very first version of the WordPress CMS was released on May 27, 2003 and in less than 2 weeks the next version introduced the private posts; the first attempt to have restricted content in WordPress. The core developers knew that there is a high demand for good WordPress access management system so withing next two years, several additional concepts were introduced like password protected posts and pages, user levels and finally roles & capabilities in WordPress 2.0.

There is a myth online that WordPress CMS has no user access control. That is why the main goal here is to prove that with the help of Advanced Access Manager plugin and few very fundamental WordPress core components, anybody can build the most complex systems with almost no effort.

Roles, users and capabilities

The concept of a Role was designed to give the ability for the website owner to manage what other users can do within the site. Role contains the list of Capabilities that determine what User can or cannot do. Because Role is assigned to a user, all capabilities are automatically inherited by user however can be customized per each user individually.

WordPress is based on the hybrid of Role-Based Access Control (RBAC) and Access Control List (ACL) models. It is designed to give the ability for a website owner to control what other users can or cannot do based on the assigned role. On other hand, it also has the limited ability to customize access for a specific user (this part is explained in-depth in the Users article).

The most comprehensive and complete list of all basic WordPress roles and capabilities can be found in the official WordPress Codex about Roles & Capabilities.

Website areas

When we talk about a WordPress website, we have to keep in mind that it is a combination of three main areas: Backend, Frontend and RESTful/XML-RPC APIs.

For a long time, there was an assumption that Backend is used to manage website content, behavior, and users while Frontend to display the content and facilitate user experience and navigation. However, the game changed with a significant increase in RESTful API popularity. As of today, you can do almost anything with RESTful API that you can do in the Backend. Besides more and more WordPress plugins introduce custom RESTful endpoints for different needs. For example, the WooCommerce plugin adds around 200 additional endpoints; Advanced Access Manager has a couple too.

That is why when you think about WordPress security and access management, you have to make sure that you cover all three areas.

There are many free and premium WordPress plugins that offer the ability to manage your restricted area, however, keep in mind that only very few take into consideration all possible ways to gain access to it. Advanced Access Manager since version 5 or higher, gives you endless possibilities to define very granular access to your restricted areas for Frontend, Backend, and API areas.

User redirects

This is probably one of the most overlooked concepts in WordPress access management and it is one of the most important aspects of the entire website. While the majority of available online solutions put so much effort to control access to restricted WordPress resources, almost none think about positive user experience.

Restricting access to your WordPress website content or features is only a half-way completed job. Providing meaningful feedback to the end-user about the reason for access denial or redirect to a page that explains further steps to avoid confusions and customer frustrations has to be the ultimate objective for the website owner.

Always keep in mind that you absolutely must provide, smooth website flows during user authentication, authorization, and when various access-related events occur (e.g. access was denied to a restricted page or user exceeded the allowed number of times to read a post).

Advanced Access Manager plugin has several ways to manage different types of redirects like Access Denied Redirect, 404 Redirect, Login or even Logout redirects.


WordPress access control is based on three fundamental concepts of “roles, users and capabilities”, “website areas” and “user redirects”. Mastering each concept and knowing in-depth how they work, will definitely help you to create the most complicated access-based web platforms with WordPress CMS.

The free Advanced Access Manager plugin that you can download from the official WordPress repository has proven to help thousands of websites to successfully manage access without any coding.

Get notified about important updates and new features (no more than one email per month).