[00:00:20] Nathan Wrigley: Hello there and welcome once again to the WP Builds podcast. You've reached episode number 430, entitled Making WordPress more secure with user role management. It was published on Thursday, the 24th of July, 2025. My name's Nathan Wrigley, and I'll be joined by Robert Abela from MelaPress in a few short moments, but before that, a few bits of housekeeping.
If you like what we do at WP Builds, be sure to subscribe, wpbuilds.com/subscribe. All of the channels and places where we can email you, or connect to you on socials, they're all there. We'll send you two emails a week, basically one when this podcast episode is produced on a Thursday, and we also do a live show every Monday. It's called This Week in WordPress, and we will package that up and send an email out when it is published as a podcast on a Tuesday.
If you want to join us for that, it happens 2:00 PM UK time every Monday, and we'd love for you to join us for that. The comments make the whole show so much more engaging. wpbuilds.com/live at 2:00 PM every Monday, UK time.
The other thing to mention is that if you have a product or service in the WordPress space and you would like to get in front of a WordPress specific audience, well, we definitely do have that. You can find out more at wpbuilds.com/advertise, and here are three companies who did just that.
The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me/wpbuilds.
We're also helped out this week by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud, the possibilities are out of this world. Experience it today at bluehost.com/cloud.
And keeping the lights on this week are also Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend, yes that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.
And sincere thanks go to GoDaddy Pro, Bluehost and Omnisend for keeping the lights on over at WP Builds. Podcasts like this cannot happen without the grateful support of companies like that. And if you want to do that yourself once more, wpbuilds.com/advertise to find out more.
Okay. What have we got for you today? Well, it is Robert Abela. He's joining me from MelaPress, and we are having a chat today all about user role management. Robert's company MelaPress have got a whole suite of products in the WordPress space. They're all plugins that enable you to tighten up some part of your WordPress website.
And they have a new plugin, which helps you to figure out how you can granularly assign roles and permissions within WordPress. WordPress has this out of the box, but the implementation is not that granular, and so this plugin helps you to do that.
So the idea would be that, for example, if you have an editor, you might like to allow them to do specific things, but not other things, and you can really get into the weeds of that. So we talk about user role management, how it can be applied, how the plugin enables you to do that, what the justifications are from a security point of view, and so much more.
So here comes Robert Abela and I hope that you enjoy it.
I am joined on the podcast today by Robert Abela. Hello, Robert.
[00:04:13] Robert Abela: Hello Nathan. Thanks for having me. How are you?
[00:04:15] Nathan Wrigley: Good. Thank you. Robert and I were chatting just last week 'cause we had the Page Builder Summit, and Robert and MelaPress, who you're gonna hear about in a moment,
were one of our top tier sponsors. So on a very personal level, I'm very grateful for that. Anybody who's not in the WordPress space, maybe you don't know about Robert, he's into security and has got a range of plugins around that. But we're gonna talk about something a little bit different today.
We're gonna talk about roles and managing roles and capabilities and all of those kind of things. But before we do, Robert, would you just spend a moment or two just introducing yourself so our listeners know who you are and why they should listen to your counsel.
[00:04:57] Robert Abela: Thanks. Thanks Nathan. First of all, yeah, it was a pleasure sponsoring the Page Builder Summit. Really enjoyed it, especially the networking session. It was great. Yeah, who I am: originally from Malta, but I live in the Netherlands. Originally we started as a company called WP White Security.
But yeah, a few years ago we rebranded to MelaPress. I personally have always worked for startups, software security startups, web. I used to work for companies which developed web application security scanners, email security gateways and stuff like that. So I've been.
I've also been a systems engineer and have held different roles at different companies, like product manager, project manager, sales engineering. I've done a lot of different jobs through the years, which is very useful experience because now that I run my own business, of course, I use all of it.
Yeah. And for the last 12, 13 years, we started developing our first plugin, it's called WP Activity Log, which is our flagship product, which basically keeps a log of all user actions and changes that they do on your website. Yeah, and since then we've developed also another few plugins.
We have WP 2FA, and now we've started developing, actually, we just released the first update a few weeks or months ago, MelaPress Role Editor. So basically it's a plugin which you can use to manage WordPress user roles and plugins on WordPress. So we have been quite a few years actually working in security.
[00:06:35] Nathan Wrigley: I would just mention the URL for that actually. MelaPress is, as you might expect, it's M-E-L-A-P-R-E-S-S dot com. So melapress.com. If you go there, you're gonna see what Robert was saying. So the big hitter, the big plugin that they've got is WP Activity Log, which, as Robert said, just keeps a track of absolutely everything that's happening on your website.
So that when your client erases something and tells you that they didn't do it, you can go back to them and say, you did do it and we know you did it, because we've got it in a log somewhere. And then you've got WP 2FA. Obviously we all know what that is. MelaPress Login Security sort of speaks for itself.
And then CAPTCHA 4WP, again, fairly straightforward. However, this is brand new, at least it is to my mind: MelaPress Role Editor. And I'm gonna link in the show notes to the page, but it's melapress.com/wordpress-user-role-editor, all with hyphens in between. And what is it? What does it do?
Why would we need it? Over to you, Robert.
[00:07:38] Robert Abela: Very good question. So basically, when you manage a WordPress website, of course, if you're a single user, you're the only administrator. But as your team starts growing, you have different users accessing your website, doing different things. It really depends on the website, but for example, I don't know, like a news agency website.
You might have people who log in to just post some guest blog posts, for example, or maybe some people who come in to edit already existing posts, or some people who just manage the SEO aspect of the website, or some people who manage the administration, the technical aspect of the website.
And the same with e-commerce. Some people who, for example, edit the products, or for example, in case of agencies, it's very common. Agencies and the client, they have different access. The agency of course manages the website, but the client, maybe they are allowed to update plugins but not install plugins.
So basically every user has a role on WordPress, and that role basically determines what the user can and cannot do on that website. Now, by default, WordPress has only 5, 4, 6 roles, which is administrator, editor, author, subscriber and, I forgot one, but anyway, contributor. Yeah, that's it.
Yeah. Which for a basic website are fine, but as your website grows, of course, you need more different roles. First of all, I think one of the most common problems, by the way, this is not just in WordPress. I've seen it in the past when I was a systems engineer. The easiest solution is of course, from the security point of view, also management, to give overall access, admin access.
'Cause it's the easiest. It'll always work. Nobody can complain that they can't get it. Anything.
Exactly. But yeah, in terms, not just security, also in terms of accountability, also in terms of compliance, it's a very wrong approach. So in an ideal world, there is what we call the principle of least privileges. So every user should have enough privileges to do their work, shouldn't have more privileges, but shouldn't have less.
So it should have exactly the right privileges that they need to do the work. Now what can you do to achieve that in WordPress? As the team grows, there are some plugins like Yoast SEO, or WooCommerce, even Easy Digital Downloads. For example, when you install these plugins, they create their custom roles.
So you can say, for example, if you're using Easy Digital Downloads and you have a shop manager, you can assign a specific role for them. But yeah, it's also still relatively limited. So what you can do with a plugin like MelaPress is you can create custom roles. So let's say a very common scenario, for example, agency and client.
So I would say, I've never had an agency, but from what I see, for example, as an agency, of course I would have full access to the website, but I don't want my customer, even though it's their own website, I don't want them to like break things. It depends of course on the agreement, but I would say you would allow them to update plugins, maybe change some settings in the theme, maybe.
Of course, change, delete, update blog posts, but that's it. You don't want them to change, for example, the WordPress settings. You don't want them to install new plugins, for example, and there's no role for that. So you can use a plugin like MelaPress there to actually create a new role for your client, for example, and specify what this user can and cannot do. In the way it works.
So basically in the WordPress core, there are already what we call capabilities. There's a long list of capabilities. For example, of course the administrator has all these capabilities. But the contributor role, of course, has very little capabilities. Maybe read articles, for example.
But they are, for the user, they're not visible, so usually they're used programmatically. So what you can do, you can use a plugin like MelaPress there and create a custom one, for example. You get to see the complete list of capabilities and specify: is this user allowed to do this? Yes or no?
Is this user role allowed to do this? Yes or no? And you can configure, basically, create custom roles and, yeah, configure what this user can and cannot do. That is the most basic functionality.
[00:12:21] Nathan Wrigley: Let's imagine a scenario, I don't know, let's imagine a supermarket. So a shop that we can all identify with. You go into the supermarket and there's just loads of different kind of people hanging out in there, working. There's the general manager who's in charge of everything.
He's like the admin if you like, and then there's people who are employed to do the tills and they've got, the capabilities to do that, and they've had the training to do that. There are other people who are maybe stacking shelves and cleaning, and there are other people who are carrying out surveys and so on and so forth.
Each of those people has a prescribed role, and the boss would expect them to be able to do those things. But you're not gonna expect somebody whose job it is to, I don't know, fill the shelves. You're not gonna expect them necessarily to hop onto the till 'cause that's just not what they do. They don't have the training for that, but the till's there and they could.
If they were allowed to, if it was possible. And so in a sense, that's what we're dealing with here. The idea of locking down absolutely everything so that the people who should be able to do a thing can only do that thing. And I guess you work from the basis of: give everybody nothing and then build it up slowly.
So obviously in the case of the admin who has everything, that's fine. But everything else, it's more a case of, okay, clear out all of their permissions and then slowly build them up until we've figured it out. And then the idea is rather than having, like, an individual. So John, we don't create a user capability for John.
We create a type of user role, and then John fits into that. So he might be, I don't know, he might be a guy that works on the till or something like that. And then the next person who comes along who's got the exact same job as John, we assign them that permission. Okay. I think, have I got that about right?
[00:14:12] Robert Abela: That's exactly what it is, and that's what capabilities do. So basically in the core of WordPress, these are not visible for the user. They are called capabilities. So for example, let's assume, yeah, one can access, as you said, the till, one can do the shelves, and using a plugin like ours, then you can see these capabilities.
And specify who can do what. Now, as you said, in an ideal world, when you have a new user and you need a new role, basically there are two options. For example, you can either copy an existing role and then modify it or start from scratch. When you start from scratch, that is exactly, usually, how we do it.
You start with an empty profile, sorry, user role. So they have absolutely no privileges apart from logging in. So basically if you have a user with no privileges at all, once they log in, they literally can see their user profile page, nothing else, or the public facing side of the website, the normal pages.
And slowly you can start assigning them capabilities. A good thing about this, because for example, we use it ourselves, 'cause of course as a team we have different people doing different things on the website. But when you install a plugin, apart from some of them like Yoast, for example, as I mentioned before, creating their own roles,
most of the plugins, they create their own capabilities, but user of, as I said, these are, users can see them. These are not visible for the user. So what you can do, let's say you install a plugin, I don't know, shop checkout for example. Typically it has a number of capabilities associated with this.
And once you install a plugin, you can see these capabilities. So if you want this user, for example, to change the settings of this plugin called shop checkout, you might find the capability called shop checkout settings, for example. So then you can create a user role. You can allow that user role that privilege.
So when you create a new user that has that user role, then they can access those settings of this plugin, for example. That's.
[00:16:19] Nathan Wrigley: Yeah, if you've only got a website where, you know, it's you and a couple of other people who are working on it, it may never occur to you that this capability is really crucial. But obviously, if you've got a website where it's, I don't know, let's say using WooCommerce or something like that, and it's turning over millions of dollars worth of revenue each year.
You just can't have somebody going in and accidentally deleting something and then saying, oh, sorry, I didn't realize. You really do have to lock it down. And the capabilities that WordPress ship with, as we described earlier, the five capabilities, they're really a blunt instrument.
They tackle broad uses in publishing blog posts, but that's about it. Anything beyond that, any website that goes beyond that is really out of scope for the default profiles and the default user capabilities and things like that. One of the things I wanna ask you is,
when I install, let's say that I install a third party plugin, so I'm just gonna make up a plugin so that we don't throw one under the bus. Let's say I install e-commerce shop plugin, would my job as a developer be to ship that plugin with custom roles, and is that done in a sort of standard WordPress way so that your plugin could inspect them and see them?
Now, it may not necessarily understand what they are, but do plugin developers create those kind of capabilities in usual normal ways so that your plugin can immediately latch onto them? It's not like you have to contact the developer of all the plugins in the world and say, okay, tell me about what your plugin can do.
So over to you.
[00:18:06] Robert Abela: It's a very good question. So let's recap. So basically in WordPress there are capabilities and there are user roles, and user roles basically are a collection of capabilities, what capabilities they can do. Now, there are big plugins which have user roles, which create custom user roles on your WordPress, which means of course they have their own capabilities.
It's not a standard as in, but it's becoming more and more common, even though the plugins that don't create user roles, at least they create their own custom privileges. Sorry, custom capabilities. So at least with our plugin, you can see the custom capabilities and then you can create, so let's say, so then a plugin like shop checkout, for example.
Let's say it doesn't create custom roles, which is fine, but they still had some custom capabilities. For example, checkout and edit products, those two. And then you can create a user role and assign them, for example, checkout, which means, for example, I dunno, they can access orders, et cetera.
And you can create a user role that has the capability, products or whatever, so at least they can edit the products. So it's purely like this. They're very simple. So you have a plugin, there's no as such standard, let's put this here. But ideally, yes, every plugin should have a number of capabilities.
And in an ideal world, it should also create a number of user roles with specific capabilities assigned to them, but the most common is capabilities. You see a lot of capabilities users, which create custom roles are not very common yet. But again, that's where our plugin comes in, because at least you have the capabilities and you can use our plugin to see these
[00:20:04] Nathan Wrigley: Yeah. Yeah. Again, let me just make sure I've understood that. So we've got two things we're talking about. We're talking about user roles and capabilities, but basically a role is a collection of capabilities, given a name. So yeah, we might have the ability to read posts, delete posts, create your own posts, delete your own posts, not delete other people's posts, this kind of thing.
[00:20:30] Robert Abela: Edit own
[00:20:30] Nathan Wrigley: so there're all the capabilities and then we give that a name of, oh, I don't know, Editor in chief or
[00:20:36] Robert Abela: Yeah, exactly.
Yeah. so we build up these capabilities and we house them inside of a name and we call that a role. and WordPress, if a plugin ships with capabilities, it doesn't necessarily ship with roles because it doesn't have to.
[00:20:53] Nathan Wrigley: You can then assign them with your plugin to whatever you like. And I suppose even if a plugin does ship with roles, you could just, whatever you like with your plugin, you could just say, okay, I want the exact same privileges, sorry, the exact same capabilities. I'm just gonna call it something much more sensible for the organization that we've got, I don't know, warehouse worker or something like that.
Okay. I'm starting to figure it all out. So the next question I have is, are the capabilities, for a novice WordPress user, are they human readable? And I'm just gonna tell you a quick story and I told you this before we joined the call. I used to use Drupal, and I haven't used it for well over a decade, but even a decade ago, Drupal core shipped with what I think MelaPress, your plugin, is doing, in that there was a UI
where you could go in, you could create custom roles and you could bind capabilities, and that's just something that Drupal has basically always had. But it was a question of going through and you would say, okay, for the warehouse role, I want this person to be able to read posts, tick, delete their own posts, tick, create posts, tick, delete anybody's post, nope.
I don't want that one. And it was this thing, and you would go through every role and every capability would be exposed and you could just tick. But the key thing was, the sentence that you ticked made sense to a human being. It was just like, can view such and such, can delete such and such?
Whereas my exposure to the WordPress user capabilities is they're quite hard to understand because they don't follow human English. It's like WP underscore something, something underscore something. Is that still the case? Is it human readable or do you have to understand,
like, what's going on and dig into the plugin's architecture and things like that?
[00:22:55] Robert Abela: Very good question. So basically, yes, what you had in Drupal doesn't exist in, as in like it's the same concept. WordPress has built-in capabilities like Drupal has, but of course Drupal has as well what our plugin is doing, had the editor to create user roles, which is a name to collect a number of capabilities.
Now in terms of naming, yeah, some of them are readable. Some of them, it depends. But for example, when it comes to posts, they're pretty much straightforward. For example, you have edit posts, edit others posts. So edit posts, for example, is you can edit your own post, but if you have edit others posts, it means you can also edit
posts owned by other people, for example. And the role with underscore is just like usually one word, like edit, underscore post. What we've done in our plugin, in fact, is we've also added, next to each role, we've added actually a sentence explaining what every role is. If you allow this access, you can edit your own posts, only your own posts.
If you allow this access, you can edit also others' posts. And so we've made, and we also have it, every role we have there is also like the human readable version. So usually the slug of a capability is just an underscore for, as you said, a WP underscore something.
But there's also like the human readable name. So we're making sure that everything is human readable. All the names, there's a description next to each capability and stuff like that. Yeah. Sorry, carry on. I, sorry.
Sorry. Yeah, it's okay. So at least basically when you are creating, like when you create a new user role, let's say you're on your own and an employee or someone is joining your team, and you want to give them, as you said, like you have some warehouse and stuff like, and you want to give them specific access.
So what you would do, even from the security point of view, you install our plugin, for example. You create a user role, warehouse employee for example. And you will allow those capabilities, in an ideal world, give them the least possible. They should try to do their work. And if they get stuck, see what capability they need.
And then of course you allow them. You start slowly, as you said in the beginning, you start from zero, that's the best. And you start building slowly rather than giving them everything and start taking away, 'cause it's much more difficult. So when you're creating a user role: create a user role in the plugin, assign the new user the role and give them the least possible privileges in the WordPress capabilities.
And as they need more, oh, I'm stuck, I cannot do this particular task, you have to find out which capability that is, and then you allow them access. Now the thing is not every plugin has all the capabilities you can imagine. Like we as a team are growing and sometimes we need something custom. So in that case, for example, you can,
of course you need a bit of development experience, but you can create your own capability and write some code. So this capability is bound to that plugin, to the specific action. And then of course, you can use our plugin to assign the capability, the newly created capability you have created by development, to that particular research role.
Yeah,
[00:26:13] Nathan Wrigley: That sounds great. Yeah. So one of the things that I've used in many SaaS products is when you've got a team and you wanna set up something like this, you wanna have such and such a person can do invoices, such and such a person cannot, but they can access this.
There's this concept of masquerading, like pretending to be that user for a short while so that you can go poking around the website and see, okay, is what I've ticked, do the capabilities that I've assigned to this role, do they actually work? So it's not this back and forth of email.
No, it still doesn't work. Okay. Is there anything in your plugin that allows you to temporarily view as a particular role so that you can just poke around in the site, or do you have to set up a different user account, go and log in an incognito window, something like that?
[00:27:03] Robert Abela: That? Yes. At the moment, yes, at the moment you have to create kind of thing like, you create a custom role, create a user with that role and test with that role. But yeah, the plugin is just a few weeks or months old, so we've just started.
But yeah, this is, in fact, it's a very good suggestion. It's something we have on our to-do list, but yet it's a long way. We're starting, of course. So basically we started with the most basic, allowing users to create custom roles and adding specific capabilities to the user role. And also, by the way, very other
two, like, important things we've done in the plugin. Like we've added the capability of allowing a user to have multiple roles because sometimes it's needed. Yeah. It can be, 'cause you might have users which might need something specific but not the other. So it's very important.
That is very important. So
[00:27:56] Nathan Wrigley: Oh, that's neat. So you could, oh, okay. So you can, you not just have the, so WordPress, you get a role that's, you, get this one role, but you've got it so that you can have multiple roles. And I'm imagining in that scenario, you could do so rather than having two roles, which have a lot, you could have two roles, which have a little bit.
And then you can combine them together. So you could have, ah, now you can get the shelf stacker and the till person, create a role for them and a role for them, and then combine them into this one employee. That's super neat. I like that a lot.
[00:28:28] Robert Abela: And something we've also done, we've added what we call to deny a capability. By default, usually you allow capabilities, but we've added the option to deny.
So what does it mean? So if you have two user roles, for example, for a user, and in one user role, a capability is deny, and then the other one is allow, the deny always takes over for security reasons. So for example, I can think of an example right now of my, at
[00:28:57] Nathan Wrigley: Yeah, no, I get it. I can totally see how that would work. But basically, so if you've got collide, if you've got two roles and one permission collides, like one says you can have it and the other one specifically says deny, the deny wins
[00:29:11] Robert Abela: Exactly.
[00:29:12] Nathan Wrigley: No, that makes perfect sense because you wouldn't have put, the deny is like a big hammer, isn't it?
And you wouldn't have thought about denying something unless it was really important.
[00:29:22] Robert Abela: Exactly. For example, in the case of a supermarket, I don't know, for example, if every person sometimes helps at the till, for example, but also the warehouse person, let's say, you would allow them to scan products, but you don't want to allow them, I don't know, to open the drawer.
There's the cash. They just only
Yeah, but for example, in the warehouse role, you would deny access to the cash, but the usual till person would have, so as soon as you combine those roles together, as the user has those two roles, then of course deny takes over.
So once this person, the warehouse person, is helping at the till, they can accept payments, but they cannot open the cash, the actual drawer where there's the cash. No, that makes perfect sense. I think that's a really neat feature. That's really neat because I can imagine what I would do is in the same way, like this is a CSS comparison, but it's not particularly good. But here we go. In the same way with something like Tailwind CSS, you might have a class of button and a class of red and a class of, I don't know, rounded corners.
[00:30:20] Nathan Wrigley: You can have a red rounded corner button by combining those three CSS classes. And in the same way you could build up the perfect role by having minimal user roles and saying, okay, they're A, B, and C. And in that way you can build up this much more complex thing. I guess that's more for the, yes. Some, yeah.
but yeah.
[00:30:42] Robert Abela: In terms of concept, yeah, that's how it works basically.
[00:30:44] Nathan Wrigley: Yeah. That's neat. Okay, so one of the questions that I wanted to ask about was, I guess you would have to play with this and I guess this masquerading thing would be a nice feature at some point in the future, but I guess it would be important for you, the site owner, to go and experiment, because I guess if you take things away or add things in, the UI of WordPress will change quite dramatically.
Like things that were once there will be missing. I don't know, like the save button might not function in the way that you want or you suddenly can't see the extra, or no, what? I can't access the content of a WordPress post, what's going on? So I suppose there would be a little bit of exploring to be done to figure out what that looks like, and a good web
builder, website builder, web developer, when they pass this on to their clients, will explain, okay, this person will be able to see this. Here's the screenshot of what they can see. This one will be able to see this, because there are so many little bits and pieces dangling off the user roles and permissions in WordPress.
It's hard to keep up with what the UI would look like. Indeed, in fact, to be honest, one of the reasons why we started this plugin is, like, the current plugins that are on the market, they're good. They do their job, quite frankly, and they do it very well.
[00:32:06] Robert Abela: But as you said, they are similar to Drupal. So you're going to create a new role and you're just presented with a long matrix of capabilities
[00:32:13] Nathan Wrigley: And you can't read them anyway.
[00:32:14] Robert Abela: Exactly. So what we're doing, basically, for example, we added a wizard, so Oh, nice.
We have a, in the upcoming version, this, at the moment, the wizard is quite raw, I would say quite simple, but the upcoming version actually you can it ask you like, what would you like this, user role to do?
And for example, you say, I dunno, write blog posts. And based on the text it's going to start suggesting the typical capabilities allowed to that role. So we're helping, really helping the user. We're trying to make capabilities, basically user roles, like more user friendly, I would say. Although still, even though it's more user friendly, it's still more of a, developer slash agency slash someone with experience, like for example, as if someone has a small bakery, small corner shop and they have the small website, their business is running the shop, most.
They need to learn a bit more about capabilities and roles to start like understanding the plugin. We're trying to make it as easy as possible, of course, but there's still a bit of a step there, so yeah, we definitely, developers, agencies, and yeah, like website builders. Anyone who has experience with plugins in store, like maintaining a website, they would understand it.
But the non-technical people, suppose like business owner who has like a small corner shop, would find a bit, would find a bit hard, but that's what we're trying to do. That's why, sorry. That's why we have added the wizard and we're trying to make it a bit more, as you said, like we added the descriptions next to each capability.
We've given a friendly name to each capability and we're doing this wizard where you can actually type in okay, I would like user, I don't know, we use WooCommerce and I would like them to edit orders, for example, or post. And it is going to start showing you the capabilities based on those, related to those type of keywords that you shoot.
I dunno, like WooCommerce edit orders and stuff like that. Yeah. So we're trying to make it a bit more easier and accessible.
[00:34:18] Nathan Wrigley: That's really nice. I like that. I like the idea of guiding you through, a lot of plugins are doing those kind of things like form plugins and things. You begin a new form and it says something along the lines of, okay, what is the intention of this form?
[00:34:29] Robert Abela: Exactly.
[00:34:29] Nathan Wrigley: Off you go.
Yeah. One of the, one of the curious things if you rewind the clock, WordPress basically used to have this content area and it was just the content. Now the block editor, goodness knows, there's just so many things going on in there. We've got paragraphs, you've got images, you've got all these different things.
And in the more recent past, user capabilities have been bound into the block editor, such that bits of blocks become available. So an example would be, I don't know, you can change background color on this thing, or you can change, put a featured image in the hero section, but you can't change the text. So you know, you can't change the UVP at the top of the, at the top of the hero, but you can change the background image or the font or whatever it may be. I'm guessing that creeps in here as well. I'm guessing that those capabilities can be mapped so that you can have not just control of what we would call capabilities.
You can access the cart, you can access the blog post, but more, you can change text, but you can't, that kind of thing. The block editor stuff is being exposed as well.
[00:35:36] Robert Abela: Yes, definitely. Something we would like to dive into, as you said, like in when you create, when you use, yeah, the modern block editor, you can create custom blocks and stuff, and custom blocks can be, for example, some users are allowed to, as you said, like create custom blocks or not use these custom blocks or edit, because some of them, of course, they have settings which you can edit.
So yes. Yeah, basically user roles are the, yeah, they're like, as the name says, they allow you to specify what a user can and cannot do by specifying which capabilities. And the more flexibility there is there, the more capabilities we have, the more option, the more we include them everywhere, the better it is in terms of security and scalability.
'Cause you have different. Imagine you have a website like, an international, I don't know, news agency where you have, I don't, like a site network with God knows how many people, editors, writers, designers, everyone working together. And you cannot have, you cannot give access to everyone to do everything.
'Cause as you said, it's not just about security, as you, but people make mistakes. It's also about compliance, who can access what. So yeah, like the more we can use, the more roles are used, the more are. They are like taken care of and assigned properly the better things will be.
But yeah, it's still a technical administrator subjects more Yeah, it feels to me as if the process here is going.
[00:37:03] Nathan Wrigley: Decide on some typical roles that you want so that you know the order of it. I think I would do it in this order at least anyway, I'd look at my organization and think, what are the job titles? And then I would create roles that map to those job titles to do with the website.
And then I'd think, okay, what do these people individually need to do? And then I'd get a full list of all the capabilities that my website currently has. I try to map them probably on a piece of paper to start with, okay, they need this, they don't need it. And then I would build them all out.
Then of course, I suppose as the website matures and you hire new people and people get, people leave the company and what have you, you would wanna be stripping these away, people get promoted, they want more capabilities, people get demoted, they want less capabilities. Is it possible to do that stuff in a sort of bulk way?
Can you, for example, assign. I don't know. Can you quickly change things in a so that this user role suddenly adopts this so that these people get mapped to this user role? Or do I have to do it all one at a time by logging into a user profile and things like that?
[00:38:08] Robert Abela: Not really, no. The bulk of the work is d the early days when you are creating the user role and like testing the capabilities, which ones are just, but once you have the user roles, like everyone is working as like someone gets a promotion or demotion or someone lead it, then maintaining it is much easier.
You can always create like new roles and also like when you create a new role, you can always copy from an existing new role. So you just have to maybe
[00:38:33] Nathan Wrigley: Oh, yeah.
[00:38:34] Robert Abela: remove something, not all of it, or edit an existing role. So it really depends, but yeah, the bulk of the work is when you are creating the new roles, but once you are as sorted there, of course it's much easier to maintain them.
But it's very important, of course, to keep maintaining them because if you don't, not just new people joining in the team, growing or shrinking, it's also when you install new plugins, if you install new plugins, I don't know, you install the new plugin, to add popups to your website, who's going to have access to create the popups?
Who's going to have access to see the numbers and the reports of the popups? Who's going to have access to. Just edit popups, mark, for example, or just upload the artwork for the popups. So yeah, as you add new functionality to your website, you have to see, okay, who's going to do this? Will we have a dedicated user?
Or shall we, like someone else create a role just for this and then merge, for example? Yeah. Assign multiple roles to a user. So you have to, the planning stage is very important, otherwise, Yeah, I've got a bunch of WordPress plugins and SEO plugins are a good example. And when I, so I've had the SEO plugin installed for many years, and, but when I do something like delete a post, it says, it comes up with a little warning saying, we noticed you've deleted a post. Do you wanna make a redirect for that?
[00:39:50] Nathan Wrigley: The reason I'm saying that is because it noticed that I did that plugin, noticed that I did something which might affect the capabilities of that plugin. And it says to me, wait, hang on a minute. Do you have, or do you intend to have something like that in Mela Press? In other words, we notice you just added a new user.
Do you want to assign a role or we notice that you just added a new plugin, which seems to have some new capabilities. Do you want to start mapping those to the roles that you've got? I dunno if you've got that or intend to do things
[00:40:20] Robert Abela: Already, that's something I think it's unique. So I'm not sure. But yeah, we do that already. As soon as the plugin detects new capabilities, it'll alert you. Or as soon as it'll detect changes in user roles, like new user role created, or like two other plugins, some roles were edited or privileges were changed, it'll alert you right away.
And in fact. Because it's very important, like user role changes are done at database level. So even if you wanna install our, not our plug, any plugin that modifies changes and as user roles, you can change the user roles, for example, and remove the plugin. But those changes will apply. So we need to be very careful.
That's why before it, like the plugin will automatically, whenever it sends a change, it creates a backup. This is, was the last known backup. For example, we've noticed there were these two new capabilities added to your website. Would you like to do something about it? Would you like to assign them here or there?
And then of course you do. But yeah, the, we do alert people when there are new capabilities, new plugins install, new user roles, et cetera. And you alert them if they would like to do something about it. But we also create a backup just in case it was a mistake, for
know, I ask? So let's imagine a scenario where I've got me the admin, but I've also assigned a, a profile. To the capability of, I dunno, can add new plugins. But their job isn't to then map the capabilities of that plugin. So this is a bit meta. Now, now. Would I, as the admin get notified that a new plugin had been installed that I need to map the user capabilities to, you know what I'm saying?
[00:42:02] Nathan Wrigley: It's hard
[00:42:02] Robert Abela: Yes, of course. As an admin. Yeah, as an admin. As not gonna have access to everything. So as soon as you install a plugin that creates new capabilities, you will be alerted as well.
[00:42:12] Nathan Wrigley: Neat. Okay. So the users who, who need to know about that stuff, yeah, okay, you've authorized somebody to install a plugin, they've gone ahead and done that. And now you probably need to think about the, the user capabilities.
[00:42:25] Robert Abela: Exactly. And you don't show these notices to everyone. You show these notices to the people
[00:42:29] Nathan Wrigley: Yeah. Who need to know? Yeah. Okay. Yeah. Oh gosh.
This seems great. It, it totally binds itself to your mission of WordPress security I can see. But also this is just super convenient for anybody that's got a website that wants to play with this kind of thing. I'm actually on the .org page and people, me saying the words .org will make people go, Ooh, nice.
That sounds like it's free. So I'm on the plugin is called Mela Press Role Editor. You can go and find that. I won't read out the slug, just Google it probably, we're on version 1.01 a minute, and, the fact that it's on the repo tells me there's free. Do
[00:43:07] Robert Abela: It's complete. For now it's
[00:43:09] Nathan Wrigley: I was gonna say, do you have, or are you intending to keep it free forever or are you gonna add in some features that are in a pro
[00:43:14] Robert Abela: No, we will. In, in terms of, our, whenever we, not just with this plugin, with all the other plugins, our commitment is like, whenever we give out something for free, it'll remain for free.
The most we can do, even with this one, we do have some plans to add more features to the free edition, but there will be some features which will be available via premium plan, for example. But whatever is free now will never be removed. It'll remain free. So what you can do, what we always do.
Our, our aim was always, if you look at all our plugins, like even like 2FA, it's a fully working 2FA solution plugin. You can use it on any website, literally. It's a, the free plugin. The premium plans usually are more like, features, which usually are used by, businesses or to automate or to improve productivity.
For example, I dunno, like 2FA, you get like the hardware keys you get I don't know, Yeah, some automation reports, but the plugin remain for free. And this one, the Mela Press role editor is the same. It'll remain for free. We have more features coming up in the free edition, way more features. We will be, of course, adding up more things and we'll see.
It depends how it performs, but yeah, if it keeps on growing and going well, doing well, then there are some features, of course, like simple stuff. For example, as I said, the plugin keeps a backup up. Whenever you do any change in the user role capabilities, just for precaution reasons, even technical reasons, just in case it was a change you didn't intend to do, you can always refer it back, but right now we don't have any plans for premium features, but let's say, I dunno, in the free edition, it'll keep it back up or two.
And then you say, listen, if you want the premium, if you want to keep 20 backups, 20 different backups, then you have to pay for the premium. But the free edition will always be a good enough plugin to do what you need, frankly. And the main scope of this plugin is create custom user roles, assign multiple user roles, create custom capabilities, and that's about it.
And then of course we'll see about the
rest. I think we've probably covered most of what it does. So you know, dear listener, if you've ever pondered, why the heck can't I make my users have like granular control of my WordPress website? Now you can, and Mela Press have got your back. So once more, if you go to the repo, just search for Mela Press role editor.
[00:45:30] Nathan Wrigley: Just those three words, it is brand spanking new and, yeah. Perfect. So I'm guessing at the minute you're also listening to user feedback in a really, in a really eager way because you wanna know what people want in it. Where can people contact you, Robert, if they wish to get in touch?
[00:45:49] Robert Abela: Yes. Yeah, the website, through our website.com. There's a contact form everyone, every email by the way is read by someone in our team. I'm also on LinkedIn, Robert a on Twitter, Robert AB on Google. It's a bit of a battle for my name because the Prime Minister of Malta, where I'm from is also Robert
[00:46:11] Nathan Wrigley: Oh, really?
[00:46:12] Robert Abela: Yeah, Oh wow. Okay.
Yeah. In fact my Twitter is Robert AB at Roberta. So I receive a lot of direct by. I was also a couple of times tagged by mistake by BBC, for example.
[00:46:26] Nathan Wrigley: That's hysterical.
[00:46:28] Robert Abela: Yeah. But yeah, it's basically, you find LinkedIn, Twitter on our website.
Yeah.
[00:46:34] Nathan Wrigley: My trick for doing that with names that are just, so common is just to a, is do a Google search and then just attach wp I exactly what I do.
And, it just seems to filter out all the bits and pieces that I
[00:46:47] Robert Abela: Yes. As, as long as you had WordPress. I, do it a lot as well. WordPress, then it shows you.
[00:46:52] Nathan Wrigley: Yeah, it collides with the right person, with the right search query. Okay, so there we go. Mela Press has got your back. If you want custom user roles and capabilities, go check it out. Robert Abela, thank you so much for talking to me today.
[00:47:03] Robert Abela: Thank you very much for your time, Nathan. Thanks. Thanks for having us.
[00:47:07] Nathan Wrigley: Okay, that's all we've got time for this week. I really hope that you enjoyed that. If you did, head to wpbuilds.com, search for episode number 430, and leave us a comment there. Well, leave us a comment there, even if you didn't, we would very much appreciate that. But thank you to Robert for joining me this week.
And sincere thanks go to GoDaddy Pro, Bluehost and Omnisend for keeping the lights on over at WP Builds. Podcasts like this cannot happen without the grateful support of companies like that.
Okay, almost at the end, nearly time for the cheesy music. Just a couple of things before that. Don't forget, we have a podcast episode on a Thursday, and a This Week in WordPress show, which comes out on Tuesday, but is recorded on a Monday. Join us for that, wpbuilds.com/live at 2:00 PM UK time.
And also if you want to get your product or service in front of a WordPress specific audience, wpbuilds.com/advertise to find out more.
Okay, I'm at the very end. It's time for me to begin fading in some cheesy music, and all that I need to do now is say stay safe. Have a good week. Bye-bye for now.