Part 1 — Users in WordPress
What is a User in WordPress?
Every person who has an account on your WordPress site is a user. Users are stored in the wp_users table in the database.
Each user has:
- Username
- Password (hashed, never stored as plain text)
- Email address
- Display name
- Role (what they are allowed to do)
- Registration date
Extra user data such as first name, last name, bio and profile picture URL is stored in the wp_usermeta table.
Part 2 — User Roles
This is the most important part of this module. WordPress has a Role-Based Access Control (RBAC) system — exactly like Laravel's Gates and Policies but built into the core.
Every user has exactly one role. The role determines what that user can and cannot do on the site.
WordPress has 5 built-in roles:
Role 1 — Administrator
Access Level: FULL ACCESS — everything
An Administrator can:
✓ Install, activate, delete themes and plugins
✓ Create, edit, delete ANY post or page (including other users' content)
✓ Manage all users — create, edit, delete, change roles
✓ Access all Settings
✓ Manage menus, widgets, customizer
✓ Import and export content
✓ Manage site options
Who should be Administrator? Only the site owner and lead developer. Never give Administrator access to content writers or clients unless absolutely necessary.
Role 2 — Editor
Access Level: Full content control, no site management
An Editor can:
✓ Create, edit, publish, delete their OWN posts
✓ Create, edit, publish, delete OTHER users' posts too
✓ Manage categories and tags
✓ Moderate and manage ALL comments
✓ Upload files to Media Library
✓ Manage pages
✗ Cannot install plugins or themes
✗ Cannot access Settings
✗ Cannot manage users
Who should be Editor? A senior content manager who oversees all content — reviews and publishes other writers' articles.
Role 3 — Author
Access Level: Manage only their own content
An Author can:
✓ Create, edit, publish, delete their OWN posts
✓ Upload files to Media Library
✗ Cannot edit or delete OTHER users' posts
✗ Cannot manage pages
✗ Cannot manage categories/tags
✗ Cannot install plugins or themes
✗ Cannot access Settings
Who should be Author? A regular content writer who writes and publishes their own articles independently.
Role 4 — Contributor
Access Level: Write content but cannot publish
A Contributor can:
✓ Create and edit their OWN posts (drafts only)
✓ Submit posts for review
✗ Cannot publish posts — needs Editor/Admin approval
✗ Cannot upload images to Media Library
✗ Cannot edit already published posts
✗ Cannot manage pages, categories, tags
Who should be Contributor? A guest writer or new team member whose content needs to be reviewed before going live.
Role 5 — Subscriber
Access Level: Minimal — only their own profile
A Subscriber can:
✓ Log in to the site
✓ Read content (same as a non-logged-in visitor)
✓ Edit their own profile (name, password, email)
✗ Cannot create any content
✗ Cannot access admin panel features
✗ Cannot upload files
Who should be Subscriber? Regular registered users of your site. For StreamVault — anyone who signs up to use the platform will be a Subscriber by default.
Role Comparison Table
| Capability | Admin | Editor | Author | Contributor | Subscriber |
|---|---|---|---|---|---|
| Manage plugins/themes | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manage users | ✓ | ✗ | ✗ | ✗ | ✗ |
| Access Settings | ✓ | ✗ | ✗ | ✗ | ✗ |
| Edit others' posts | ✓ | ✓ | ✗ | ✗ | ✗ |
| Publish own posts | ✓ | ✓ | ✓ | ✗ | ✗ |
| Create draft posts | ✓ | ✓ | ✓ | ✓ | ✗ |
| Upload media | ✓ | ✓ | ✓ | ✗ | ✗ |
| Read content | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit own profile | ✓ | ✓ | ✓ | ✓ | ✓ |
Part 3 — Managing Users
Viewing All Users
Go to Users → All Users
+----------------------------------------------------------------+
| All Users Administrator(1) Subscriber(0) |
|----------------------------------------------------------------|
| [ ] Username Name Email Role Posts |
|----------------------------------------------------------------|
| [ ] admin — admin@test.com Administrator 3 |
+----------------------------------------------------------------+
At the top you see filter links — click Administrator, Editor, etc. to filter by role.
Creating a New User
Go to Users → Add New
+------------------------------------------+
| Add New User |
|------------------------------------------|
| Username: [ ] |
| Email: [ ] |
| First Name: [ ] |
| Last Name: [ ] |
| Website: [ ] |
| Language: [ Site Default ▼ ] |
| Password: [ Auto-generated ] |
| [✓] Send User Notification |
| Role: [ Subscriber ▼ ] |
| |
| [ Add New User ] |
+------------------------------------------+
Fields explained:
| Field | Purpose |
|---|---|
| Username | Cannot be changed after creation — choose carefully |
| Email | Must be unique — used for login and notifications |
| Password | Auto-generated strong password or set your own |
| Send User Notification | Emails the new user their login details |
| Role | What this user is allowed to do |
Editing a User
Go to Users → All Users → hover over a username → click Edit
Or go to Users → Your Profile to edit your own account.
+------------------------------------------+
| Edit User |
|------------------------------------------|
| PERSONAL OPTIONS |
| [ ] Visual Editor — disable |
| [ ] Show toolbar when viewing site |
| Language: [ Site Default ▼ ] |
| |
| NAME |
| Username: admin (cannot change) |
| First Name: [ ] |
| Last Name: [ ] |
| Nickname: [ admin ] |
| Display name publicly as: [ admin ▼ ] |
| |
| CONTACT INFO |
| Email: [ admin@test.com ] |
| Website: [ ] |
| |
| ABOUT YOURSELF |
| Bio: [ ] |
| Profile Picture: (via Gravatar) |
| |
| ACCOUNT MANAGEMENT |
| New Password: [ Generate Password ] |
| |
| ROLE |
| Role: [ Administrator ▼ ] |
| |
| [ Update User ] |
+------------------------------------------+
Changing a User's Role
Method 1 — From All Users list:
Select user checkbox → Bulk Actions → Change role to... → Apply
Method 2 — From Edit User screen:
Scroll down to Role dropdown → change → Update User.
Method 3 — Quick Edit:
Hover over username → Quick Edit → change role inline.
Deleting a User
Hover over a username in the Users list → click Delete
WordPress asks what to do with their content:
What should be done with content owned by this user?
○ Delete all content
● Attribute all content to: [ admin ▼ ]
Always choose "Attribute all content" — so their posts are not deleted but transferred to another user.
Part 4 — Capabilities System
Roles are made up of individual capabilities. A capability is a specific permission like:
edit_posts → can edit posts
publish_posts → can publish posts
delete_posts → can delete posts
manage_options → can access Settings
install_plugins → can install plugins
manage_users → can manage other users
upload_files → can upload to Media Library
edit_others_posts → can edit other users' posts
When you assign a role to a user, they get all capabilities that role includes. In Phase 6 and 7, we will:
- Create a custom "StreamVault Member" role
- Assign specific capabilities like accessing watchlist, rating movies
- Check capabilities in code using current_user_can()
if (current_user_can('edit_posts')) {
    echo 'You can edit posts';
}
if (current_user_can('manage_options')) {
    echo 'You are an admin';
}
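One way to build the custom role and capability check described above, as an added example (not code from the original tutorial). The role slug `streamvault_member`, the capability names `sv_manage_watchlist` and `sv_rate_movies`, the `sv_add_to_watchlist` action, the `sv_watchlist` meta key and the `movie_id` field are all hypothetical.

```php
<?php
/**
 * Plugin Name: StreamVault Roles (added example)
 * The slug, capability names, action name and form field are hypothetical.
 */

// Custom capabilities: one per action, so each can be granted or revoked alone.
const SV_CAP_WATCHLIST = 'sv_manage_watchlist';
const SV_CAP_RATE      = 'sv_rate_movies';

// Roles are saved in the database, so create the role once on activation
// instead of on every page load.
register_activation_hook( __FILE__, function () {
    add_role( 'streamvault_member', 'StreamVault Member', array(
        'read'           => true, // same baseline as Subscriber
        SV_CAP_WATCHLIST => true,
        SV_CAP_RATE      => true,
        // Deliberately absent: edit_posts, upload_files, manage_options.
    ) );
} );

// Handles POST requests to admin-post.php?action=sv_add_to_watchlist.
// Only the logged-in hook is registered, so anonymous requests never reach it.
add_action( 'admin_post_sv_add_to_watchlist', function () {
    // 1. The request must carry the nonce printed by our own form
    //    via wp_nonce_field( 'sv_add_to_watchlist' ) (CSRF check).
    check_admin_referer( 'sv_add_to_watchlist' );

    // 2. Check the capability, not the role name: any role that is later
    //    granted this capability then works without a code change.
    if ( ! current_user_can( SV_CAP_WATCHLIST ) ) {
        wp_die(
            'You are not allowed to edit a watchlist.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }

    // 3. Validate input, and write only to the current user's own record.
    $movie_id = isset( $_POST['movie_id'] ) ? absint( $_POST['movie_id'] ) : 0;
    if ( $movie_id && get_post( $movie_id ) ) {
        add_user_meta( get_current_user_id(), 'sv_watchlist', $movie_id );
    }

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
} );
```

The role is granted only `read` plus the two custom capabilities, so a StreamVault Member sees the same dashboard as a Subscriber.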
Part 5 — Important Settings Configuration
Now let us go through every important Settings section and configure StreamVault properly.
Settings → General
Go to Settings → General
Configure exactly like this:
Site Title: StreamVault
Tagline: Watch Movies & Web Series Online
WordPress Address (URL): http://streamvault.local
Site Address (URL): http://streamvault.local
Administration Email: admin@test.com
Membership:
[ ] Anyone can register ← uncheck for now
New User Default Role: Subscriber ← keep this
Timezone: Asia/Kolkata
Date Format: F j, Y (January 5, 2024)
Time Format: g:i a (10:30 am)
Week Starts On: Monday
[ Save Changes ]
Why is "Anyone can register" unchecked for now?
We will build a custom registration system in Phase 6. For now we do not want random people registering through the default WordPress registration page.
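A check for the two Membership settings above, as an added example (not part of the original tutorial): it shows an admin notice when registration is open and the default role grants more than a Subscriber should start with. The list of capabilities treated as risky is an assumption made for this example.

```php
<?php
/**
 * Added example: warn when "Anyone can register" is combined with a
 * New User Default Role that can do more than a Subscriber.
 */
add_action( 'admin_notices', function () {
    // Only show the notice to users who can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // "Anyone can register" unchecked: nothing to warn about.
    if ( ! get_option( 'users_can_register' ) ) {
        return;
    }

    $slug = get_option( 'default_role' );
    $role = get_role( $slug );
    if ( ! $role ) {
        return; // the configured role no longer exists
    }

    // Capabilities a self-registered account should not start with
    // (this list is an assumption chosen for the example).
    $risky = array_filter(
        array( 'edit_posts', 'upload_files', 'edit_others_posts', 'manage_options' ),
        array( $role, 'has_cap' )
    );

    if ( $risky ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Registration is open and the default role "%s" grants: %s. Set it back to Subscriber.',
                $slug,
                implode( ', ', $risky )
            ) )
        );
    }
} );
```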
Settings → Reading
Go to Settings → Reading
Your homepage displays:
○ Your latest posts
● A static page ← select this
Homepage: [ Home ▼ ]
Posts page: [ Blog ▼ ] ← create a Blog page if not done
Blog pages show at most: [ 10 ] posts
Search engine visibility:
[ ] Discourage search engines ← keep unchecked
Important: If you have not created a "Blog" page yet — go to Pages → Add New → Title: Blog → Publish. Then come back here and assign it.
Settings → Discussion
Go to Settings → Discussion
DEFAULT POST SETTINGS
[✓] Allow link notifications (pingbacks and trackbacks)
[✓] Allow people to submit comments on new posts
← for StreamVault movies we will disable this per post
OTHER COMMENT SETTINGS
[✓] Comment author must fill out name and email
[ ] Users must be registered and logged in to comment
[✓] Automatically close comments after [ 14 ] days
[ ] Enable threaded (nested) comments
[✓] Break comments into pages with [ 50 ] comments per page
EMAIL ME WHENEVER
[✓] Anyone posts a comment
[✓] A comment is held for moderation
BEFORE A COMMENT APPEARS
[✓] Comment must be manually approved
[ ] Comment author must have previously approved comment
AVATARS
[✓] Show avatars
Default Avatar: Mystery Person
Settings → Media
Go to Settings → Media
IMAGE SIZES
Thumbnail size:
Width: [ 150 ] Height: [ 150 ]
[✓] Crop thumbnail to exact dimensions
Medium size:
Max Width: [ 300 ] Max Height: [ 300 ]
Large size:
Max Width: [ 1024 ] Max Height: [ 1024 ]
UPLOADING FILES
[✓] Organize my uploads into month and year-based folders
For StreamVault we will later register custom image sizes for movie posters:
Movie Poster: 300 x 450px (2:3 ratio — standard poster)
Movie Banner: 1280 x 720px (16:9 ratio — hero banner)
Movie Card: 400 x 225px (16:9 ratio — listing card)
We will add these in functions.php when building our theme.
Settings → Permalinks
Go to Settings → Permalinks — this is the most important setting
PERMALINK STRUCTURE
○ Plain → http://streamvault.local/?p=123
○ Day and name → http://streamvault.local/2024/01/01/sample/
○ Month and name → http://streamvault.local/2024/01/sample/
○ Numeric → http://streamvault.local/archives/123
● Post name → http://streamvault.local/sample-post/
○ Custom → [ /%postname%/ ]
OPTIONAL
Category base: [ ] (leave empty — uses /category/)
Tag base: [ ] (leave empty — uses /tag/)
[ Save Changes ]
Always select Post name. This gives clean URLs:
Blog post: /top-10-action-movies/
Page: /about/
Movie: /movies/inception/ (we set this up in Phase 4)
Genre: /genre/action/ (we set this up in Phase 4)
Click Save Changes — WordPress updates .htaccess automatically.
Settings → Privacy
Go to Settings → Privacy
Privacy Policy Page:
[ Create New Page ] or [ -- Select -- ▼ ]
Either create a new Privacy Policy page or select an existing one. This page is linked in WordPress's default login/registration footer.
For StreamVault — go to Pages → Add New → Title: Privacy Policy → add basic content → Publish. Then come back here and select it.
Part 6 — Hands On Tasks
Complete all of these before moving to the next module:
Task 1: Update Site Title to "StreamVault"
Update Tagline to "Watch Movies & Web Series Online"
Set Timezone to Asia/Kolkata
Go to: Settings → General
Task 2: Set Homepage to static "Home" page
Set Posts page to "Blog" page
Go to: Settings → Reading
Task 3: Set Permalinks to "Post name"
Go to: Settings → Permalinks → Save Changes
Task 4: Create a new user with role "Editor"
Username: editor_test
Email: editor@test.com
Go to: Users → Add New
Task 5: Create a new user with role "Subscriber"
Username: subscriber_test
Email: subscriber@test.com
Go to: Users → Add New
Task 6: Log out from admin → log in as editor_test
Notice what options are missing from the dashboard
Log back in as admin
Task 7: Create a Privacy Policy page
Go to: Pages → Add New → Title: Privacy Policy
Go to: Settings → Privacy → select this page
Summary
- WordPress has 5 built-in roles — Administrator, Editor, Author, Contributor, Subscriber.
- Roles are made up of individual capabilities — specific permissions.
- Administrator has full access. Subscriber has minimal access.
- For StreamVault — regular users will be Subscribers with custom capabilities added in Phase 6.
- current_user_can('capability') is how you check permissions in code.
- Username cannot be changed after creation — choose carefully.
- Always set Permalinks to Post name on every fresh WordPress installation.
- Settings → Reading → set a static homepage for StreamVault.
- Settings → General → set site title, tagline, timezone correctly.