How to manage WordPress capabilities

Managing the list of WordPress capabilities is one of the most powerful, but at the same time most dangerous, operations. I can’t stress enough how important it is to deeply understand the WordPress core concept of Roles & Capabilities and to at least be aware of what each capability is responsible for. Otherwise you run a high risk of breaking your own access rights.

Note! Even if you’ve made a mistake and removed some critical capabilities related to important WordPress features, or even locked yourself out of the entire backend, please do not panic. Everything can be reverted, but it requires manual modification of the content inside the database table _options.

The default WordPress installation does not provide a way to manage the list of capabilities, and this is something that can be easily achieved with the AAM plugin. On the Capabilities tab you can find the list of all capabilities assigned to any role or individual user.

WordPress Capabilities

WordPress is for the most part a role-based access control system with some limited ability to deviate from the role's access settings for an individual user. It means that you can manage the list of capabilities only for roles and individual users. In the WordPress access control fundamentals article I cover this topic in more detail.

Warning! WordPress core stores the list of capabilities in two database tables: _options for roles and _usermeta for each individual user. AAM works directly with WordPress core data, which means that any changes you make to the list of capabilities are permanent. Always back up your database on a regular basis so it can be reverted in case you make a mistake.

Capabilities Feature Overview

The Capabilities tab offers almost anything you need to successfully manage capabilities for any role or individual user. I use the word almost because in the past 8 years I’ve received a couple of requests to implement the ability to manage capabilities in bulk, which I find quite a dangerous operation and deliberately omit from the TODO list.

For your convenience, the list of capabilities is grouped by logical meaning into the System, Posts & Pages, Backend, AAM Interface and Miscellaneous categories. There is a way to programmatically extend the list of capability categories with the aam-capability-groups-filter hook.

You also have the ability to create new capabilities, and to edit or even delete existing ones. There is no limit to how many custom capabilities you can create on the Capabilities tab. Simply click on the + Create button in the top right corner. The custom capability will be stored in the database as-is (the way you entered it).

By default the ability to edit or delete capabilities is enabled. However, you can disable this feature in the Settings area with the Edit/Delete Capabilities option.

When you try to delete any existing capability, you’ll be prompted with a pop-up to confirm your operation. Read carefully which capability you are about to delete and for what role/user.

WordPress Delete Capability

It is also important to understand that each role or user stores its list of capabilities independently of the others. That means that, for example, the capability edit_posts is duplicated for the Administrator, Editor, Author, etc. roles. So if you want to completely delete this capability, you would have to delete it for all the roles or even individual users one by one.

FYI! Do not delete any capabilities from roles or users unless you know exactly what you are doing. Instead, simply uncheck the checkmark next to them. This way you are depriving the managed role or user of that capability.

AAM aggregates the list of all capabilities that roles have and, when you manage an individual user, it also adds the capabilities that user has to the list. That is why, regardless of what role you are managing, you’ll see the list of all capabilities so they can be assigned or deprived easily.

Note, however, that you are not going to be able to edit or delete a capability if it does not belong to the managed role or user. By assigning a capability to the managed role/user, you are duplicating it, so it can actually be deleted later if needed. You will visually know when a capability is not directly assigned to the role or user: the edit and delete icons will be grayed out.
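The same "uncheck, don't delete" rule applies when you change capabilities from code. The following script is an added example, not part of this article or of the AAM plugin: it backs up the roles option that lives in _options, then deprives a role of a capability by setting it to false (the equivalent of unchecking it in the UI) rather than removing it from the list. It assumes it is run through WP-CLI (wp eval-file), and the role slug and capability name are placeholder values.

```php
<?php
/**
 * Added example (not from the AAM article or plugin): deprive a role of a
 * capability the safe way, i.e. keep it in the list but set it to false.
 * Assumed to be run with WP-CLI:  wp eval-file deprive-cap.php
 */

// Assumed values for this example; adjust to your site.
$role_slug  = 'editor';
$capability = 'publish_pages';

global $wpdb;

// Role capability lists live in the {prefix}_options table under the key
// {prefix}user_roles. Keep a copy before changing anything so a mistake
// can be reverted without hand-editing the table.
$roles_key = $wpdb->prefix . 'user_roles';
$backup    = get_option( $roles_key );
if ( ! is_array( $backup ) ) {
    WP_CLI::error( "Could not read option {$roles_key}." );
}
update_option( $roles_key . '_backup_' . gmdate( 'Ymd_His' ), $backup, false );

// Losing administrator capabilities is how you lock yourself out of the
// backend, so refuse to touch that role at all.
if ( 'administrator' === $role_slug ) {
    WP_CLI::error( 'Refusing to modify the administrator role.' );
}

$role = get_role( $role_slug );
if ( ! $role ) {
    WP_CLI::error( "Role '{$role_slug}' does not exist." );
}

// "Uncheck" semantics: WP_Role::add_cap( $cap, false ) keeps the capability
// in the role's list with the value false and persists it to _options.
// WP_Role::remove_cap( $cap ) would delete the entry instead, which is the
// operation the article warns about.
$role->add_cap( $capability, false );

// Verify the result: has_cap() now returns false for this role.
$granted = $role->has_cap( $capability );
WP_CLI::log( sprintf(
    "Role '%s' %s '%s'.",
    $role_slug,
    $granted ? 'still has' : 'is now deprived of',
    $capability
) );
```

For an individual user the same pattern is `( new WP_User( $user_id ) )->add_cap( $capability, false )`, which writes to the {prefix}capabilities key in _usermeta instead of _options.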

Advanced Features With Access Policies

AAM v5.7 introduced the concept of Access Policy, which is revolutionary for WordPress. This is basically a JSON document that defines all the necessary access settings and configurations, and it can be attached to any principal (role, user, visitors or even everybody).

With Access Policy you can use the Capability resource to define which individual capabilities can be managed or even listed on the Capabilities tab.

Access Policy can do everything that is possible with the UI and even more. The only big difference between them is that Access Policy does not persist the defined capabilities in the database, which means that you mitigate the risk of permanently changing capabilities in the database.

For example, the Access Policy below, when attached to everybody, allows all users with the email domain @myawesomeschool.org to manage posts and pages; however, it also sets permission boundaries and does not allow anybody except the user with ID 1 (typically the administrator) to manage users.

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.1.1",
        "advanced-access-manager": ">=5.9.3"
    },
    "Statement": [
        {
            "Effect": "allow",
            "Resource": [
                "Capability:edit_posts",
                "Capability:edit_pages",
                "Capability:publish_posts",
                "Capability:publish_pages"
            ],
            "Condition": {
                "Like": {
                    "${USER.user_email}": "@myawesomeschool.org"
                }
            }
        },
        {
            "Effect": "deny",
            "Enforce": true,
            "Resource": [
                "Capability:delete_users",
                "Capability:edit_users",
                "Capability:promote_users"
            ],
            "Condition": {
                "NotEquals": {
                    "${USER.ID}": 1
                }
            }
        }
    ]
}

As you can see, Access Policy is not only a quite simple way to define complex conditions, but it is also a great way to enhance your website security.

Conclusion

The AAM plugin has all the necessary tools to successfully manage the list of all capabilities for roles and even individual users. All the features mentioned in this article are absolutely free and do not require any premium software.

The UI is very intuitive and straight to the point, and you can spend a couple of hours learning about Access Policies to discover that there is no limit to how access to the entire website can be managed.
