Phase 1 — Module 1.9: Users, Roles & Settings Configuration

Part 1 — Users in WordPress

What is a User in WordPress?

Every person who has an account on your WordPress site is a user. Users are stored in the wp_users table in the database.

Each user has:

- Username
- Password (hashed, never stored as plain text)
- Email address
- Display name
- Role (what they are allowed to do)
- Registration date

Extra user data such as first name, last name, bio, and profile picture URL is stored in the wp_usermeta table.


Part 2 — User Roles

This is the most important part of this module. WordPress has a Role-Based Access Control (RBAC) system — exactly like Laravel's Gates and Policies but built into the core.

Every user has exactly one role. The role determines what that user can and cannot do on the site.

WordPress has 5 built-in roles:


Role 1 — Administrator

Access Level: FULL ACCESS — everything

An Administrator can:

✓ Install, activate, delete themes and plugins
✓ Create, edit, delete ANY post or page (including other users' content)
✓ Manage all users — create, edit, delete, change roles
✓ Access all Settings
✓ Manage menus, widgets, customizer
✓ Import and export content
✓ Manage site options

Who should be Administrator? Only the site owner and lead developer. Never give Administrator access to content writers or clients unless absolutely necessary.


Role 2 — Editor

Access Level: Full content control, no site management

An Editor can:

✓ Create, edit, publish, delete their OWN posts
✓ Create, edit, publish, delete OTHER users' posts too
✓ Manage categories and tags
✓ Moderate and manage ALL comments
✓ Upload files to Media Library
✓ Manage pages
✗ Cannot install plugins or themes
✗ Cannot access Settings
✗ Cannot manage users

Who should be Editor? A senior content manager who oversees all content — reviews and publishes other writers' articles.


Role 3 — Author

Access Level: Manage only their own content

An Author can:

✓ Create, edit, publish, delete their OWN posts
✓ Upload files to Media Library
✗ Cannot edit or delete OTHER users' posts
✗ Cannot manage pages
✗ Cannot manage categories/tags
✗ Cannot install plugins or themes
✗ Cannot access Settings

Who should be Author? A regular content writer who writes and publishes their own articles independently.


Role 4 — Contributor

Access Level: Write content but cannot publish

A Contributor can:

✓ Create and edit their OWN posts (drafts only)
✓ Submit posts for review
✗ Cannot publish posts — needs Editor/Admin approval
✗ Cannot upload images to Media Library
✗ Cannot edit already published posts
✗ Cannot manage pages, categories, tags

Who should be Contributor? A guest writer or new team member whose content needs to be reviewed before going live.


Role 5 — Subscriber

Access Level: Minimal — only their own profile

A Subscriber can:

✓ Log in to the site
✓ Read content (same as a non-logged-in visitor)
✓ Edit their own profile (name, password, email)
✗ Cannot create any content
✗ Cannot access admin panel features
✗ Cannot upload files

Who should be Subscriber? Regular registered users of your site. For StreamVault — anyone who signs up to use the platform will be a Subscriber by default.


Role Comparison Table

Capability               Admin   Editor   Author   Contributor   Subscriber
Manage plugins/themes      ✓       ✗        ✗          ✗             ✗
Manage users               ✓       ✗        ✗          ✗             ✗
Access Settings            ✓       ✗        ✗          ✗             ✗
Edit others' posts         ✓       ✓        ✗          ✗             ✗
Publish own posts          ✓       ✓        ✓          ✗             ✗
Create draft posts         ✓       ✓        ✓          ✓             ✗
Upload media               ✓       ✓        ✓          ✗             ✗
Read content               ✓       ✓        ✓          ✓             ✓
Edit own profile           ✓       ✓        ✓          ✓             ✓


Part 3 — Managing Users

Viewing All Users

Go to Users → All Users

+----------------------------------------------------------------+
|  All Users   Administrator(1)  Subscriber(0)                   |
|----------------------------------------------------------------|
|  [ ] Username    Name    Email           Role        Posts     |
|----------------------------------------------------------------|
|  [ ] admin       —       admin@test.com  Administrator  3      |
+----------------------------------------------------------------+

At the top you see filter links — click Administrator, Editor, etc. to filter by role.


Creating a New User

Go to Users → Add New

+------------------------------------------+
|  Add New User                            |
|------------------------------------------|
|  Username:        [                    ] |
|  Email:           [                    ] |
|  First Name:      [                    ] |
|  Last Name:       [                    ] |
|  Website:         [                    ] |
|  Language:        [ Site Default ▼     ] |
|  Password:        [ Auto-generated     ] |
|                   [✓] Send User Notification |
|  Role:            [ Subscriber ▼       ] |
|                                          |
|  [ Add New User ]                        |
+------------------------------------------+

Fields explained:

Field                    Purpose
Username                 Cannot be changed after creation — choose carefully
Email                    Must be unique — used for login and notifications
Password                 Auto-generated strong password or set your own
Send User Notification   Emails the new user their login details
Role                     What this user is allowed to do


Editing a User

Go to Users → All Users → hover over a username → click Edit

Or go to Users → Your Profile to edit your own account.

+------------------------------------------+
|  Edit User                               |
|------------------------------------------|
|  PERSONAL OPTIONS                        |
|  [ ] Visual Editor — disable             |
|  [ ] Show toolbar when viewing site      |
|  Language: [ Site Default ▼ ]            |
|                                          |
|  NAME                                    |
|  Username:    admin (cannot change)      |
|  First Name:  [                    ]     |
|  Last Name:   [                    ]     |
|  Nickname:    [ admin              ]     |
|  Display name publicly as: [ admin ▼ ]  |
|                                          |
|  CONTACT INFO                            |
|  Email:       [ admin@test.com     ]     |
|  Website:     [                    ]     |
|                                          |
|  ABOUT YOURSELF                          |
|  Bio:         [                    ]     |
|  Profile Picture: (via Gravatar)         |
|                                          |
|  ACCOUNT MANAGEMENT                      |
|  New Password: [ Generate Password ]     |
|                                          |
|  ROLE                                    |
|  Role: [ Administrator ▼ ]              |
|                                          |
|  [ Update User ]                         |
+------------------------------------------+

Changing a User's Role

Method 1 — From All Users list:

Select user checkbox → Bulk Actions → Change role to... → Apply

Method 2 — From Edit User screen:

Scroll down to Role dropdown → change → Update User.

Method 3 — Quick Edit:

Hover over username → Quick Edit → change role inline.


Deleting a User

Hover over a username in the Users list → click Delete

WordPress asks what to do with their content:

What should be done with content owned by this user?

○ Delete all content
● Attribute all content to: [ admin ▼ ]

Always choose "Attribute all content" — so their posts are not deleted but transferred to another user.


Part 4 — Capabilities System

Roles are made up of individual capabilities. A capability is a specific permission like:

edit_posts          → can edit posts
publish_posts       → can publish posts
delete_posts        → can delete posts
manage_options      → can access Settings
install_plugins     → can install plugins
edit_users          → can edit other users (see also list_users, create_users, delete_users, promote_users)
upload_files        → can upload to Media Library
edit_others_posts   → can edit other users' posts

When you assign a role to a user, they get all capabilities that role includes. In Phase 6 and 7, we will:

  • Create a custom "StreamVault Member" role
  • Assign specific capabilities like accessing watchlist, rating movies
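  • Check capabilities in code using current_user_can()

// Check a capability, not a role name
if (current_user_can('edit_posts')) {
    echo 'You can edit posts';
}

// By default only the Administrator role has manage_options
if (current_user_can('manage_options')) {
    echo 'You are an admin';
}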
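
One way the custom role and capability check described above could look, as an added example that is not the course's own Phase 6/7 code. The role slug, the sv_* capability names, the sv_rate_movie action and the user-meta key are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: StreamVault Member Role (added example)
 */

// Hypothetical capability names; the page does not define them.
const SV_CAP_WATCHLIST = 'sv_manage_watchlist';
const SV_CAP_RATE      = 'sv_rate_movies';

// Roles are stored in the database, so create the role once on activation.
register_activation_hook( __FILE__, function () {
    add_role( 'streamvault_member', 'StreamVault Member', array(
        'read'           => true, // same baseline as Subscriber
        SV_CAP_WATCHLIST => true,
        SV_CAP_RATE      => true,
    ) );
} );

// Handles POSTs to wp-admin/admin-post.php with action=sv_rate_movie.
// The admin_post_{action} hook fires only for logged-in users.
add_action( 'admin_post_sv_rate_movie', function () {
    // 1. CSRF: the form must include wp_nonce_field( 'sv_rate_movie' ).
    check_admin_referer( 'sv_rate_movie' );

    // 2. Authorization: test the capability on the server, not the role name.
    if ( ! current_user_can( SV_CAP_RATE ) ) {
        wp_die( 'You are not allowed to rate movies.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Validate input before using it.
    $movie_id = isset( $_POST['movie_id'] ) ? absint( $_POST['movie_id'] ) : 0;
    $rating   = isset( $_POST['rating'] ) ? absint( $_POST['rating'] ) : 0;
    if ( ! $movie_id || $rating < 1 || $rating > 5 ) {
        wp_die( 'Invalid rating.', 'Bad Request', array( 'response' => 400 ) );
    }

    // Hypothetical storage: one user-meta row per rated movie.
    update_user_meta( get_current_user_id(), 'sv_rating_' . $movie_id, $rating );

    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
} );
```

Hiding a button in the template is not access control; the capability check has to run in the handler that performs the action.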

Part 5 — Important Settings Configuration

Now let us go through every important Settings section and configure StreamVault properly.


Settings → General

Go to Settings → General

Configure exactly like this:

Site Title:              StreamVault
Tagline:                 Watch Movies & Web Series Online
WordPress Address (URL): http://streamvault.local
Site Address (URL):      http://streamvault.local
Administration Email:    admin@test.com

Membership:
[ ] Anyone can register     ← uncheck for now

New User Default Role:   Subscriber   ← keep this

Timezone:                Asia/Kolkata
Date Format:             F j, Y        (January 5, 2024)
Time Format:             g:i a         (10:30 am)
Week Starts On:          Monday

[ Save Changes ]

Why is "Anyone can register" unchecked for now?

We will build a custom registration system in Phase 6. For now we do not want random people registering through the default WordPress registration page.
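
The Membership and New User Default Role settings above, together with the earlier advice on who should be an Administrator, can be checked from code. This is an added example, not part of the original course material; the function name sv_audit_account_settings and the file name sv-audit.php are assumptions.

```php
<?php
// Added example: run inside WordPress, e.g. `wp eval-file sv-audit.php`.
function sv_audit_account_settings() {
    $findings = array();

    // Settings → General → Membership is stored in the users_can_register option.
    if ( (bool) get_option( 'users_can_register' ) ) {
        $findings[] = 'Anyone can register is enabled.';
    }

    // New User Default Role is stored in the default_role option.
    $default_role = get_option( 'default_role' );
    $role         = get_role( $default_role );
    if ( null === $role ) {
        $findings[] = "Default role '{$default_role}' does not exist.";
    } else {
        // Anything beyond Subscriber's baseline means new accounts start over-privileged.
        $granted = array_keys( array_filter( $role->capabilities ) );
        $extra   = array_diff( $granted, array( 'read', 'level_0' ) );
        if ( $extra ) {
            $findings[] = "Default role '{$default_role}' grants: " . implode( ', ', $extra );
        }
    }

    // List every Administrator so the site owner can confirm each one is expected.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'user_login', 'user_email' ),
    ) );
    foreach ( $admins as $admin ) {
        $findings[] = "Administrator account: {$admin->user_login} <{$admin->user_email}>";
    }

    return $findings;
}

foreach ( sv_audit_account_settings() as $line ) {
    echo $line . PHP_EOL;
}
```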


Settings → Reading

Go to Settings → Reading

Your homepage displays:
  ○ Your latest posts
  ● A static page        ← select this

Homepage:    [ Home   ▼ ]
Posts page:  [ Blog   ▼ ]    ← create a Blog page if not done

Blog pages show at most:    [ 10 ] posts
Search engine visibility:
[ ] Discourage search engines    ← keep unchecked

Important: If you have not created a "Blog" page yet — go to Pages → Add New → Title: Blog → Publish. Then come back here and assign it.


Settings → Discussion

Go to Settings → Discussion

DEFAULT POST SETTINGS
[✓] Allow link notifications (pingbacks and trackbacks)
[✓] Allow people to submit comments on new posts
    ← for StreamVault movies we will disable this per post

OTHER COMMENT SETTINGS
[✓] Comment author must fill out name and email
[ ] Users must be registered and logged in to comment
[✓] Automatically close comments after [ 14 ] days
[ ] Enable threaded (nested) comments
[✓] Break comments into pages with [ 50 ] comments per page

EMAIL ME WHENEVER
[✓] Anyone posts a comment
[✓] A comment is held for moderation

BEFORE A COMMENT APPEARS
[✓] Comment must be manually approved
[ ] Comment author must have previously approved comment

AVATARS
[✓] Show avatars
Default Avatar: Mystery Person

Settings → Media

Go to Settings → Media

IMAGE SIZES

Thumbnail size:
  Width:  [ 150 ]   Height: [ 150 ]
  [✓] Crop thumbnail to exact dimensions

Medium size:
  Max Width:  [ 300 ]   Max Height: [ 300 ]

Large size:
  Max Width:  [ 1024 ]   Max Height: [ 1024 ]

UPLOADING FILES
[✓] Organize my uploads into month and year-based folders

For StreamVault we will later register custom image sizes for movie posters:

Movie Poster:   300 x 450px  (2:3 ratio — standard poster)
Movie Banner:   1280 x 720px (16:9 ratio — hero banner)
Movie Card:     400 x 225px  (16:9 ratio — listing card)

We will add these in functions.php when building our theme.


Settings → Permalinks

Go to Settings → Permalinks — this is the most important setting

PERMALINK STRUCTURE

○ Plain          →  http://streamvault.local/?p=123
○ Day and name   →  http://streamvault.local/2024/01/01/sample/
○ Month and name →  http://streamvault.local/2024/01/sample/
○ Numeric        →  http://streamvault.local/archives/123
● Post name      →  http://streamvault.local/sample-post/
○ Custom         →  [ /%postname%/ ]

OPTIONAL

Category base:  [ ]    (leave empty — uses /category/)
Tag base:       [ ]    (leave empty — uses /tag/)

[ Save Changes ]

Always select Post name. This gives clean URLs:

Blog post:  /top-10-action-movies/
Page:       /about/
Movie:      /movies/inception/        (we set this up in Phase 4)
Genre:      /genre/action/            (we set this up in Phase 4)

Click Save Changes — WordPress updates .htaccess automatically.


Settings → Privacy

Go to Settings → Privacy

Privacy Policy Page:
  [ Create New Page ]  or  [ -- Select -- ▼ ]

Either create a new Privacy Policy page or select an existing one. This page is linked in WordPress's default login/registration footer.

For StreamVault — go to Pages → Add New → Title: Privacy Policy → add basic content → Publish. Then come back here and select it.


Part 6 — Hands On Tasks

Complete all of these before moving to the next module:

Task 1: Update Site Title to "StreamVault"
        Update Tagline to "Watch Movies & Web Series Online"
        Set Timezone to Asia/Kolkata
        Go to: Settings → General

Task 2: Set Homepage to static "Home" page
        Set Posts page to "Blog" page
        Go to: Settings → Reading

Task 3: Set Permalinks to "Post name"
        Go to: Settings → Permalinks → Save Changes

Task 4: Create a new user with role "Editor"
        Username: editor_test
        Email: editor@test.com
        Go to: Users → Add New

Task 5: Create a new user with role "Subscriber"
        Username: subscriber_test
        Email: subscriber@test.com
        Go to: Users → Add New

Task 6: Log out from admin → log in as editor_test
        Notice what options are missing from the dashboard
        Log back in as admin

Task 7: Create a Privacy Policy page
        Go to: Pages → Add New → Title: Privacy Policy
        Go to: Settings → Privacy → select this page

Summary

  • WordPress has 5 built-in roles — Administrator, Editor, Author, Contributor, Subscriber.
  • Roles are made up of individual capabilities — specific permissions.
  • Administrator has full access. Subscriber has minimal access.
  • For StreamVault — regular users will be Subscribers with custom capabilities added in Phase 6.
  • current_user_can('capability') is how you check permissions in code.
  • Username cannot be changed after creation — choose carefully.
  • Always set Permalinks to Post name on every fresh WordPress installation.
  • Settings → Reading → set a static homepage for StreamVault.
  • Settings → General → set site title, tagline, timezone correctly.
