How to Restrict Content by User Role in WordPress? | WP Page Restriction Plugin

Developing and managing content for businesses (small or big) in WordPress is a tedious task especially when it is about content access / restriction in the website(s). Page Restriction, Post Restriction and other content restriction in WordPress is useful for completely restricting pages or posts or specific blocks inside a page or post. With the help of the WordPress (WP) Page Restriction plugin, you can Restrict pages / posts and protect content on your WordPress site from unauthorized access.

Restrict Specific Pages/Posts

 How to protect WordPress content by making pages and posts to limit access to logged-in users?

• To make the Pages private to only logged-in users, go to the Page Access tab, and tick the checkboxes for the pages under the Make Page Private column to restrict the users who are not logged in.

• Click on Save Configuration once the required pages that are to be restricted, are selected.

• Similarly, to make the Posts private to only logged-in users, go to Post Access tab, select the pages under the Make Post Private column to restrict the users who are not logged in and click on Save Configuration.

---

Restrict Pages / Restrict Posts by user roles

  How to give content access to pages or posts to only specific WordPress Roles?

• To give access to Pages based on WordPress roles, navigate to the Page Access tab, and under Page Restrictions, enter the role(s) of a user who will be allowed to access the pages. You can also restrict pages for custom roles. (By default all pages and posts are accessible to all users irrespective of their roles).
• Click on Save Configuration once the required roles have been entered.

• Similarly, to give access to Posts based on WordPress roles, the roles can be entered in the Post Access tab under Post Restrictions.

---

Restrict all Pages/Posts

 How to protect content of all the pages and posts by making them private so that only logged in users can access them?

• To make all the Pages private and force login for pages in WordPress, go to the Page Access tab and under the Global settings for all pages section, enable the Make all Pages Private option

• Similarly, to make all the Posts private, go to the Post Access tab and under the Global settings for all posts section, enable the Make all Posts Private option.

• Enabling both these toggles (Make all Pages Private and Make all Posts Private) would restrict unauthorized access to all your pages and posts.

 How to protect all the WordPress pages and posts behind the WordPress login page?

• To protect all the Pages, go to the Page Access tab and under the Global settings for all pages section, enable the Make all Pages Private option

• Now, scroll down to the Restricted Content Behaviour section and select the radio button for the Redirect to Login Page option.

• Similarly, to protect all the Posts behind the WordPress login Page, go to the Post Access tab and under the Global settings for all posts section, enable the Make all Post Private option whch will restrict post and force login in WordPress.

• Then scroll down to the Restricted Content Behaviour section and select the radio button for the Redirect to Login Page option.

• This would protect all your pages, posts and restrict content behind the WordPress login page such that the users would be automatically redirected to the login page on accessing any page or post on your site.

---

Restrict Block Access based on user roles

 How to provide block/content access of any page based on user roles?

To restrict the specific content or block of any page, follow the below steps as mentioned in Block Access tab of the Page and Post Restriction plugin:

• You can allow only logged in users to view specific content on a page by using the shortcode [restrict_content] [/restrict_content].
• Content between the opening and closing tag will not be visible to users who are not logged in.
• Use the shortcode [restrict_content role=""] [/restrict_content] to finegrain this solution further for allowing only specific user roles to view specific content on a page.
• The content between the opening tag [restrict_content role=""] and closing tag [/restrict_content] will be visible to only the roles that are assigned to role attribute.

---

Restrict Category Access based on User Roles

 How to enable category access based on WordPress User Roles?

• To provide category wise access based on WordPress user role, navigate to Category Access tab.
• Select Number of items per page to be displayed from dropdown.
• Enter the roles next to each category, separated by semicolon (;), to indicate who can see the pages/posts in that category.
• Make sure the corresponding checkboxes are checked.
• Click on the Save Configuration button.

---

Restrict Custom Post Types

 How to restrict posts of a custom post type?

• To apply post restriction on custom posts, go to the Post Access tab. Select your Custom Post Type from that Select type of post dropdown.
• Now, select the posts under the Make Post Private column to restrict your posts of custom type. (By default all custom post types are accessible to all users).

---

Restricted Content Behaviour

 What happens when a non logged-in user tries to access a restricted page or post?

• Let’s say, you have made configurations in the WordPress Page Restriction / Post Restriction plugin to restrict “Page A” so that only logged in users can access that page. Now, if a user who is not logged into the WordPress site tries to access Page A, by default the user would be shown a WordPress error page with the message “Oops! You are not authorized to access this”.

• You can change this Restricted Content Behaviour for pages under the Restrict Options before Login in the Page Access tab. Similarly, for changing this behaviour for posts, you can navigate to the Restrict Options before Login section in the Post Access tab.

For a user who is not logged in, the behaviour for the restricted content can be one of the following:

• Message on display - Using this option, the default error message can be changed as per requirement. To modify the error message, you can refer the steps mentioned here.
• Redirect to Page Link - The user can be redirected to any specified URL.
• Redirect to Login Page - The user is automatically redirected to the default WordPress login page, making the authentication and access process easy for the user.
• Single Sign-On - This option can be used to automatically redirect the user to your Identity Provider for SSO as configured in the WordPress SAML SSO Plugin or WordPress OAuth SSO Plugin.

 What happens when a user tries to access a restricted page or post for their user role?

• Let’s say, in the WordPress Page and Post Restriction plugin, you have entered the value “Administrator; Author” in the input box Enter Roles who can view this Page for the “Page A” so that only the user with roles as Administrator and Author in WordPress can access that page. Now, if a user who has a role as Subscriber in the WordPress site, tries to access Page A after login, by default the user would be shown a WordPress error page with the message “Oops! You are not authorized to access this”.
• You can change this Restricted Content Behaviour of pages under the Restrict Options after Login section in the Page Access tab. Similarly, for changing this behaviour for posts, you can navigate to the Restrict Options after Login section in the Post Access tab.

For a user who does not have the role to access a page or post as configured in the plugin, the behaviour to restrict content can be the following:

• Message on display - Using this option, the default error message can be changed as per requirement. To modify the error message, you can refer the steps mentioned here.
• Redirect to Page Link - User can be redirected to any specified URL, for example, a custom error page.

---

Restrict user by redirecting to custom error message / page

 How to redirect a restricted user to a custom error page to protect content of that page?

Redirect a non logged in user to a custom error page

• If you want to redirect a user who is not logged in to a custom error page, then you can use the Restrict Options before Login under the Restricted Content Behaviour section in the Page Access/Post Access Tab.
• In the Restrict Options before Login, select the Redirect to Page Link option and enter the custom error page URL where you want to redirect the non logged in users.
• Click on Save and Test URL to confirm the page where user would be redirected.

• Once this is configured, if a non logged in user tries to access a restricted page or restricted post, the user would be redirected to a custom error page as configured.

Redirect a user who does not have the required role to a custom error page

• If you want to redirect the user (who does not have the required role after login to access the pages) to a custom error page, then you can use the Restrict Options after Login under the Restricted Content Behaviour section in the Page Access/Post Access Tab.

• In the Restrict Options before Login, select the Redirect to Page Link option and enter the custom error page URL where you want to redirect the non logged in users.
• Click on Save and Test URL to confirm the page where user would be redirected.
• Once this is configured, the users who do not have the role would be redirected to a custom error page as configured.

 How to add a custom message for the restricted users?

Custom error message to a non logged in user

• If you want to show a custom error message to a user who is not logged in, then you can use the Restrict Options before Login under the Restricted Content Behaviour section in the Page Access/Post Access Tab.
• In the Restrict Options before Login, select the Message on Display option and enter the message you want to display for the restricted users.
• Click on Save and Preview to see how the message would be displayed.

• Once this is configured, if a non logged in user tries to access a restricted page/post, the user would be shown a custom error message screen as shown in the screenshot below.

Custom error message to a user who does not have the required role

• If you want to show a custom error message to a user who does not have the required role after login to access the pages, then you can use the Restrict Options after Login under the Restricted Content Behaviour section in the Page Access/Post Access Tab.

• In the Restrict Options after Login, select the Message on Display option and enter the custom error page URL where you want to redirect the non logged in users.
• Click on Save and Preview to see how the message would be displayed.
• Once this is configured, the users who do not have the role would be shown a custom error message screen as shown in the screenshot below

---

Redirect to Single Sign-On (SSO)

 How does Page Restriction Plugin work with the WordPress SAML SSO Plugin?

• The WordPress SAML SSO Plugin enables Single Sign-On on the WordPress site with the Identity Provider (for example - Okta, Azure AD, Azure B2C, Salesforce, ADFS, Keycloak etc.) configured in the plugin. Page Restriction Plugin along with the WordPress SAML SSO Plugin allows you to protect specific pages/posts on the site behind Single Sign-On.
• Let’s say, you have restricted “Page A” behind SSO. This would mean when the user tries to access Page A, the user would be automatically redirected to the Identity Provider (as configured in the WP SAML SSO Plugin) login page for authentication. After successful authentication by the Identity Provider (IDP), the user would be logged into the WordPress site and given access to Page A.
• To configure the SSO options for pages/posts, navigate to the Page Access / Post Access Tab and tick the checkboxes for the pages under the Make Page Private column to restrict the users who are not logged in.

• Now navigate to the select the Restricted Content Behaviour section and under the Restrict Options before Login, select the Single Sign-On option to redirect the restricted users to the IDP login page.

---

Miscellaneous

 How to assign parent page restriction to child pages?

• To assign restrictions given to parent pages to child pages, go to the Page Access tab.
• Under the Auto-assign Parent Configuration to Child Pages column, select the option to assign restrictions as of parent pages to the child pages. By ticking the checkbox, the child pages under the selected parent page will be automatically assigned the parent configuration
• Click on Save Configuration once the required pages are selected.


NOTE: To assign the configurations of the parent page to every child page by default, the toggle for Auto-assign Parent Configurations to all Child Pages in Global settings for all pages section can be enabled.

Conclusion

The WordPress (WP) Page and Post Restriction plugin limits the content access to the pages, posts, and blocks of your WordPress site based on the User Roles. This plugin ensures a seamless process to achieve role based page and post restriction in your WordPress site, enabling you to administer or manage your users in terms of access to your WordPress site.

If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com

Additional Resources

• WordPress (WP) Page and Post Restriction
• Configure WordPress (WP) Page Restriction
• What is Page and Post Restriction ?
• What is Single Single Sign-On?
• What is SAML?
• Frequently Asked Questions (FAQs)