WordPress User Access Management

What’s the most fun you can have with a program that’s written for information sharing? Make it filter that information so that you can control who can or can’t see it.

You may have read my previous article about how I set up a web site for a private club with three levels of user access by using Peter’s Login Redirect, WP Hide Dashboard, Role Manager, and New User Email Setup plugins.

I’ve since discovered the User Access Manager plugin, which allows you to create user groups and give them access rights to selected posts and/or pages. You can even assign separate admin and user permissions within the group. Great for project sharing regardless of whether your WordPress site is public, private, or a mixture of the two.

Older versions of this plugin came with this warning:

If you activate the plugin your upload dir will protect by a ‘.htaccess’ with a random password and all old downloads insert in a previous post/page will not work anymore. You have to update your posts/pages.

The latest version of the plugin allows you to unlock these files so that they don’t appear broken. It also allows you to delete the .htaccess files if you should decide to deactivate the plugin. If you are using this plugin, make sure you have the latest version.

This plugin may be able to replace Role Manager, especially if all you want to do is control read access to posts and pages. Keep in mind that if you uninstall Role Manager your roles & capabilities will be left however you last set them. They will not be returned to default. At the moment there is some discussion among WordPress developers (including myself) about the possibility that modifying the default user roles causes conflicts with other plugins that use the Role feature (like Profiler and WordPress Users, both of which do not seem to work for people who have used Role Manager). We’ll see if either of the plugin authors can come up with a fix that takes modified roles into account.

This article copyright © John Nasta 2009 – All Rights Reserved
Be Sociable, Share!

You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.


  • Shawn Howe says:

    Does this plugin work with wordpress running on SQL? I recently installed it but cannot get it to work. Nothing happens after I click on the “Add user group” button. Do I need to do anything else?

  • Andy Ogden says:

    Hi John

    I recently installed UAM in order to provide secure pages and content where I can upload photographs I’ve taken for friends.

    I turned on ‘Lock Files’ as I don’t want anyone to get access to the photos unless they’re signed in and have permission. As soon as I do my media library breaks (no thumbnails or images unless I edit) and most images disapear from my site.

    I tried creating a group called ‘All Users’ and set read permissions to all users, but this hasn’t worked.

    This makes UAM unusable as it also hides my sites header image…

    Any suggestions?


    • John Nasta says:

      It’s true that it blocks anything that was uploaded to the Media Library before it was installed, but IIRC if you unlock the jog extension in the options, those images will work again.

  • Craig says:

    I hope that this post, and its comments are still being monitored. I have recently picked up web development for the Boy Scout Troop that I am the Scoutmaster of, using WordPress. I used just good old html coding for the Cub Scout Pack, where I was Cubmaster, so WordPress, though I love it, is still a bit of an enigma to me. I have set up three user groups: Scout, Parent, and Leader. UAM is great in that it prevents casual browsers/guests from viewing photos in our photo album, requiring the registered user to login to view same. However, when a user registers, he/she is automatically assigned to ALL user groups, and I am not able to make changes to their user group, as the check boxes are greyed-out, when I attempt to edit the user account from Users: User: Edit User. I am also unable to update user groups for users that I create, as the administrator. I am using WP 3.1, and UAM 1.1.4.

    Thank you for any assistance that you can provide.

    • Craig says:

      Okay… So, when you assign “Role Affiliation” in the UAM Manage User User Groups settings, your are, in fact, telling UAM to automatically assign that User Group to any User that you have given that particular role to, NOT the converse, that is, that Users in that particular User Group have only that role, while acting in the role of that User Group.

    • John Nasta says:

      You definitely have a problem there. Users should not automatically be assigned to any group unless that group is defined by role, and the user signs up at that role. In the WordPress Settings (not the plugin settings), you can assign a default for what role people can sign up at. Is it possible that you have that set to Administrator? Only administrators automatically have access to all groups. It should be set to Subscriber. The administrator can always upgrade the person’s role after they sign up.

      You probably should not be using the roles to define your user groups. I find it’s better to sign everyone up as a Subscriber and then have the admin assign them to a group. Then if there are people who need more privileges on the site, you can give them a different role.

  • Arthur says:


    Great plugin!!

    I have yet another question:
    I want users to be able to upload photos using ‘upload_files’ but in their profile page, the Media Library shows every image that’s been uploaded by every user. How can I filter that so that they can only view the images THEY uploaded?

    Is this possible with your plugin or do you know another solution?

    This would be of great help for me.

    Thanks in advance,


  • Aletha says:


    I am pretty new to Word press and hence still naive when it comes to knowing the behind the curtains stuff.

    We are a library, and would like our members to also post their reviews of books read from the library. I created a page called Member Speak. I also created a group called – member Reviews after downloading and installing the UAM.
    1. I have given them the Contributor Role, so first not sure if this is the one that needs to be given.
    2. When they sign in- they get only the Post/Add New Post. However, I don’t want them to write on our front Blog that is only for the Librarians. I would like their post to appear only on the Member Speak page. How can I do that?
    3. Even when they write the post they can only post their draft, and it is an item for the admin as pending, but we do not get the email.

    So am not sure where and what I have done wrong, or should I have downloaded another plugin to go with this. I cannot see Role Manager anywhere, can you direct me to that?
    Your advice and help will be very useful

    • John Nasta says:

      Hi Aletha,

      It seems like you could do what you want by letting users post comments. The UAM plugin is for giving groups of users access to view restricted pages and posts. It seems like restricted viewing is not what you are trying to do.


      • Aletha says:

        Thanks John.

        What I am trying to do is give our subscribers the right to write and post reviews of the books they read from our library. And I want them to write to the “Member’s Speak” page only. They can comment on the blog on the Home page, for which they already have access. But it would be nice if they all had a common page of their own to which they can post reviews of the books they read. And that is where I am getting stumped!

        How to make a single page on wordpress accessible only to them. And everybody can see that page and post comments, but only our subscribers, who have been grouped in a user group, need to have permission to write a post on the Member Speak page.


        • John Nasta says:

          I would suggest that you create a category called Members Speak (it’s plural, not possessive or a contraction, so no punctuation mark) and use the query_posts function so that your page only calls in posts from that category. You can also use query_posts to exclude that category from your main blog page.

          You can also use the “A Page Of Posts” page template. That’s how it’s done here: http://prestonsbeat.com/blog/events-calendar/

          The Events and Newsletter pages both show blog posts from separate categories.

          On this site: http://stregasalem.com/ the home page only shows posts from the News category and the Events page shows all posts. That was done with query_posts.

          One thing that is a bit of a bummer about the Contributor role is that contributors can’t post pictures 🙁


          • John Nasta says:

            And yet another option would be for you to create the posts and just let people comment on them. You could provide links to your categories rather than your pages.

          • Aletha says:

            Thanks John. I will try the query post function and see how that works.

            I think when we have a better way to display our Library catalogue, we can give our readers a chance to add their comments/reviews to the books they read there (that would make better sense). Thanks for directing me to other sites who do things differently, it certainly helps to know different ways.

            Cheers & Thanks again for your help and advice

          • John Nasta says:

            There is info about how to use query_posts as well as the “A Page Of Posts” page template in the Docs section of the wordpress.org web site.

            If you want to hire me I could do it very quickly but if you plan to develop WordPress sites it’s worth learning.


          • John Nasta says:

            You may also want to check out the Draft Notifier plugin:

  • Stephane says:

    Hi John,

    I have created a goup which includes “subsciber”. Then I have created a page, where I only give access to “subsciber”. All works pretty well so far. My problem is, I want to check the option HIDE PAGE to everyone that has no acces to this page, that is, I don’t want anyone to see it, I don’t want anyone to know it even exist, except for the poeple in the group “subsciber”…this works EXCEPT that me, as an ADMIN, I cannot see the page either. Plus, when I am in my Worpress Dashboard, I cannot EDIT my hidden page either…it’s like it doesn’t exist even for me (the Admin).

    I thought about addind myself in a UAM group where I would give myself all the permissions, but when it comes to choose between “subscriber, author, editor, etc….” there is no “admin” choice to pick.

    What should I do?

    Thank you very much in advance!


    • John Nasta says:

      I have never heard of that happening before. As admin you should be able to see everything regardless of which group(s) it is assigned to. I assume that what you checked was “Hide complete pages”. That should not be a problem.

      With any plugin that isn’t working properly, the first things you should try are changing to the default theme and deactivating all other plugins. You need to rule out whether the issue is being caused by another plugin or the theme. You may want to contact the plugin author or post your question on the WordPress forum.

  • Bill Joyce says:

    I’m switching from a template (non wordpress) go daddy site to a newly created wordpress site. I’m researching now. Is there a basic user managememt plug in that controls access that does not have these issues?

    • John Nasta says:

      I continue to use this plugin on several sites because I have not had any major issues with it. There are one or two others but I have not tested them.

      In general, the plugins are both the best part and the worst part of using WordPress. They can add all kinds of functionality to your site but because they are written by third parties, WordPress (the company) has very little control over them. Often users do not send enough contributions to make it worth the developer’s while to maintain and/or support the plugin, and in some cases they eventually abandon it. So, if you really like and rely on a plugin, the best thing you can do is to try to support the developer.

  • Mike M says:

    I just installed it. tried a few settings and then went to view it. The website was not viewable at all. It was just a white blank screen. I deleted the plugin but everything was the same. A htaccess file had been created in the root of the website, so i deleted that. Same result. I then copied a new index.php from the original install and copied it over. Now the home page works fine but when i click any link on the page to go to another article or page it gives me a 404 error. I need this website up today! I am kinda lost. Please help me. I really need it!

    • John Nasta says:

      It seems to me that the best thing to do is re-install the plugin and undo whatever settings you changed. Deleting a plugin does not necessarily undo the changes that you made with it.

  • John says:

    Hi John,

    Do you know how to automatically add a new registered user to a UAM group?

    I tried setting role affiliation as ‘Subscriber’, but then in the user list it did not put any of my subscribers in the group.

    However, if I manually selected the users for the group it worked fine!

    Can you help me automatically affiliate users with UAM groups?


    • John Nasta says:

      I have tried doing this by including everyone who is a subscriber in the group, setting the WP General Settings so that new users are automatically given subscriber status & anyone can join, then used the SABRE plugin so users would need an invitation code to join. All of that worked together. On top of that I used Peter’s Login Redirect so that when users log in they are redirected to a page that only subscribers can see. All worked very nicely.

  • Gene Fama says:


    I installed Role Manager in WP 2.7 and now I have no Manage Plugins menu, even after upgrading to 2.8. All I see is the Install window with the tag cloud and the Editor. Therefore i have no obvious way to deactivate or activate plugins—including Role Manager. I reset all the permissions in the existing roles to allow plugin management, but the menu is still AWOL.

    Do you have any suggestions?

    Gene in LA

    • John Nasta says:

      Hi Gene,

      You can delete any plugin that is misbehaving via FTP. Unfortunately, deleting the Role Manager does not always undo it’s settings, so you may have to figure out if it is a plugin setting that is causing the problem and if so, undo it before deleting. Otherwise you may have a hard time getting back to even where you are now.

      Also, are you sure that the user name you are logging in with has Admin rights? Only Admins can access the plugin management pages.

      Have you tried to manually go to the URLs of those pages?

      Manage Plugins:

      Install Plugins:

      I’ll email this to you directly as well.


      • John Nasta says:

        p.s. Actually, before you do anything else, go into the Role Manager settings and make sure that you have not deleted or removed the add/edit/remove plugins capabilities from the Admin role. If they are still there and assigned to Admin, try creating a new User ID that has Admin rights and log in w/ that ID to see if there is any difference.

        If you have unassigned those capabilities from the Admin role, re-assign them. If you’ve deleted those capabilities, I really can’t tell you how to get them back.

  • Anastasia says:

    first thanks for such a wonderful plug-in.
    I’d like to know is it possible to make comments for locked posts not seen for everyone in Recent Comments widget?

    • John Nasta says:

      I have mentioned to the plugin author that protected posts also show up in the Recent Posts widget. You should go to the plugin web site and contact the author about it.

  • Daniel Noll says:

    Hi John,
    Thanks for the response and the heads-up. Funny thing is, I don’t experience the Recent Posts problem in the sidebar. It actually works for me…for now.

    This plugin has great potential, but it’s also issue-prone and quite fragile at this point. I have conditional tags and PHP all over my theme and widgets to account for all the things it doesn’t do as expected.

  • Daniel Noll says:

    Hi John,
    Have you encountered issues controlling access to category/archive pages? On a client site that I’m developing, I have certain categories role restricted. But if I navigate to the archive pages for those categories (not logged in as a user), the pages are still displayed (but show no excerpts)…rather than being redirected.

    Sorry if I’m hijacking this thread, but it’s one of the few out there with decent information regarding User Access Manager issues.
    Thanks again,

    • John Nasta says:

      Hi Dan,

      So far I haven’t used it to restrict category access. I have only used it to restrict access to individual posts and pages.

      I have noticed two thing that I’ve emailed Alex (the author) about. For posts, the titles of restricted posts still show up in the Recent Posts list in the sidebar, and if you click those titles you get the theme’s 404 page even if you have a redirect set to take them elsewhere. Really the titles of those articles should be hidden like they are in the category archives (the category name is also hidden if the only posts that are assigned to the category are restricted and the user is not logged in), and of course the redirect is supposed to work.

      For pages it works fine, hiding the button from the pages menu and redirecting anybody who tries to go to that URL w/o being logged in as a member of the group.

      Sorry, I’ve brought more complications to your attention without really answering the question, but I haven’t used it to restrict categories. I can however assure you that from my experience if all the posts within the category are restricted, the category name will also be hidden unless the user is logged in as a member of the group. So, that way nothing shows on the public side, unless you have the Recent Posts thing going on in your sidebar. Based on both of our experiences we are seeing that redirects from restricted posts are not working.


  • gabimazz says:

    Dear All,

    thanks for your support. I did as you suggest but I still got the error. Then, while I was trying all the possible combinations, I added a category to the group. And magically it works! If I set a category to the group it works otherwise I get the error message.

    Hope this can help someone else.


  • clay says:

    Dear gabimazz,

    i think u need to assign that particular Author to a group.
    I encountered the same problem.
    Strangely it will create draft, and you need to delete the draft post, then WordPress will back to normal.
    After that you need to assign this Author to group created by UAM plugin.

    Hope it helps.

    • John Nasta says:

      Thanks Clay. That makes perfect sense. On the sites I have installed this plugin on the Admin is the only person who creates page and posts. Of course the Admin role is automatically assigned to every group, so by default the group permission is there before the page or post is created.

      Another option would be to set the “Write Access” within the group to “all” rather than the default, which is “only group users”. Then anyone with a Role of Author, Editor, or Admin would be able to post within the group. You could also assign the Author and/or Editor role to the group.

  • gabimazz says:

    Dear John,

    as User Access Manager user, did you face the following problem?:

    when I try to create a page / post as author I got the following messagge on clicking on Publish button:
    Warning: Invalid argument supplied for foreach() in /var/www/wp-includes/taxonomy.php on line 1953
    Warning: Cannot modify header information – headers already sent by (output started at /var/www/wp-includes/taxonomy.php:1953) in /var/www/wp-includes/pluggable.php on line 850

    Nothing happens if I work as admin.

    It is a UAM problem as I deactivated all the plugins, and repeated the test after activating them one by one. When UAM is active I get the message.

    I’m using User Access Manager version with WordPress 2.7.1

    Did you ever try?

    Thanks for your reply.

    • John Nasta says:

      I’ve never had that happen, but I don’t have anyone using the Author role on any sites that use this plugin. Maybe you should contact the plugin author and let him know.

  • Scott says:

    I did not understand that warning and now none of the photos uploaded into my post will display. Any idea how I can fix this? Deactivating the plugin does not help.

    • John Nasta says:

      The reason deactivating the plugin doesn’t help is because older versions of the User Access Manager plugin create a .htaccess file in your Media Library (wp-content/uploads) folder to control who has access.

      Just update the plugin to the latest version and you will have options to “unlock” those media files. The new version also lets you delete the .htaccess files if you should decide to deactivate it. Thanks to Alex Schneider for that update.



Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>