Creating New Groups
User Groups gives you the ability to create custom User Groups to fit your specific site needs. Creating a new user group is a simple and straightforward process with the customizable User Groups feature. To create a new User Group, navigate to Security > Settings > User Groups and click the "+" icon.
Now that the new User Group is created, you can select which features you would like to be enabled for that User Group.
To name the new User Group, click Edit Group beside Features, and enter the name in the input box under Group Name. I have named this example Wizards. Once you have named the new User Group, it is time to add the roles and/or users to the group. For this example, only Zelda has been added to the User Group. When you have selected the desired roles and users, click Save at the bottom of the module.
Add Roles to Group by Capabilities (Preferred Method)
When creating a User Group, the preferred method is to create the new group using the Capabilities checkbox. In the event that a new group is created by the installation of a plugin (WooCommerce, for example), any user with those capabilities will be included in this group. More information can be found in the Specific Examples section later in this article. The standard User Roles are Administrator, Editor, Author, Contributor, and Subscriber.
After the group is created, you have the ability to select which Security features will be enforced on the users in that group. It is highly recommended to enable Two-Factor Authentication for any User Group that includes users or groups with the ability to make changes on the site.
Add/Remove Users in Group
You have the ability to pick and choose which users will be in each group. Say you have one user with the Author role that you would like to have Administrator capabilities but do not want all Author roles to have Administrator capabilities. In this case, you could go to the Administrator User Group, scroll down to the Select Users section, and select the singular user you would like added to that group.
To remove users from the selected group, simply scroll down to the Selected Users section and click the "X" icon next to the user you wish to remove.
Making Changes to Multiple Groups
It is possible to make changes to multiple groups at once. You can edit multiple User Groups at the same time by clicking Edit Multiple Groups.
For instance, you could have each member in the Editor, Author, and Contributor roles be required to use strong passwords. To do this, simply select the User Groups you want to be impacted and click the Strong Passwords box, then Save the settings.
Changing Group Names
The standard group names are Administrator, Editor, Author, Contributor, and Subscriber. You can change these group names to anything you would like by navigating to Security > Settings > User Groups. Select the User Group that you would like to change the name of, click Edit Group, then in the input box below Group Name, remove the text, and replace it with the custom text you would like to use. Once you have changed the name of the User Group, don’t forget to hit Save at the bottom of the page.
Everybody Else
The Everybody Else User Group contains each user registered on your site that does not already belong to a specific group. Let’s say you only have two User Groups, one for Administrators and one for Editors, but you want Two-Factor Authentication to be enforced for every user that registers on your site. In this instance, you can enable Two-Factor Authentication in the Everybody Else User Group so that each registered user must complete the Two-Factor Authentication method. For this example, each user that is not included in the Administrator or Editor User Group will be included in the Everybody Else User Group.
Specific Examples
As mentioned above, the standard User Roles are Administrator, Editor, Author, Contributor, and Subscriber. But what if you want to install something like WooCommerce or LifterLMS that has its own user roles? Not to worry: User Groups adds the new User Roles under the appropriate capabilities. The image below shows what your User Group capabilities will be with the standard user roles.
With WooCommerce:
With LifterLMS:
With WooCommerce and LifterLMS:
Modules in User Group
Below are the features that can be enabled across User Groups. It is important to note that each of these settings needs to be enabled in the Security Modules section before it can be used in User Groups.
Manage Solid Security
- Allows users in this group to manage Solid Security Settings. Only enable this for users that you would like to be able to make changes across the site. (This is the only setting that is always available.)
Enable Dashboard Creation (Security Dashboard Module)
- Allows the users in the set group to enable the Security Dashboard. The Security Dashboard gives a real-time evaluation of the security activity on your site.
Strong Passwords (Password Requirements Module)
- Force users in this group to use strong passwords.
Refuse Compromised Passwords (Password Requirements Module)
- Forces users to use unique passwords that do not appear in any password breaches tracked by Have I Been Pwned.
Password Age (Password Requirements Module)
- Expires the passwords of users in the group and forces them to be changed after a set number of days.
Skip Two-Factor Onboarding (Two-Factor Authentication Module)
- Disables the forced use of Two-Factor Authentication for the selected users. We don’t recommend changing this from the default, as Two-Factor authentication is important for all users, not just administrators.
Application Passwords (Two-Factor Authentication Module)
- Use Application Passwords to allow authentication without providing your actual password when using non-traditional login methods such as XML-RPC or the REST API. They can be easily revoked and can never be used for traditional logins to your website.
Require Two-Factor (Two-Factor Authentication Module)
- Requires users in the selected group to use Two-Factor Authentication. It is highly recommended to enable this feature for any user who can make changes to the site.
Allow Remembering Device (Two-Factor Authentication Module)
- Allows users to check the Remember this Device box. If checked, the module will not force the user to enter a Two-Factor Authentication code when logging in. You must enable the Trusted Devices module to enable this feature.
Enable Passwordless Login (Passwordless Login Modules)
- Send an email with a secure link that allows users to log in without entering a password.
Allow Two-Factor Bypass for Passwordless Login (Passwordless Login Modules)
- Gives users the option to bypass Two-Factor Authentication when using Passwordless Login.
Activity Monitoring (User Logging Module)
- Tracks and logs the activity of users selected in the User Group.
Trusted Devices (Trusted Devices Module)
- The Trusted Devices feature identifies the device used to log in and can apply additional restrictions to unknown devices, such as capability restriction and session hijacking protection.
Role Capabilities
Administrator Capabilities
- Administrator - A user who has access to all the administration features within a single site.
- Shop Manager (WooCommerce) - A user with the ability to manage the shop without being an Admin to the back end of the site. They have all the rights a customer has as well as managing all settings within WooCommerce, including the ability to create and edit products. They also have access to all WooCommerce reports.
- LMS Manager (LifterLMS) - The LMS Manager can do everything in LifterLMS. This allows you to provide access to someone without making them an admin on your site.
- Instructor (LifterLMS) - Instructors can create, edit, and delete their own courses (sections, lessons, quizzes, and quiz questions) and memberships. Instructors can also create new Instructor’s Assistants to help them manage their own courses. Instructors cannot enroll or unenroll students.
Editor Capabilities
- Editor - User that is typically responsible for managing content. Editors can add, edit, publish, and delete any posts and media, including those written by other users. Editors can also moderate, edit, and delete comments and add and edit categories and tags.
Author Capabilities
- Author - User that is only able to create, edit, delete, and publish their own posts and upload media files. Users with the Author role are only capable of impacting their own content.
- Instructor’s Assistant (LifterLMS) - Instructor’s Assistants are similar to Instructors, but they can only edit courses they’ve been assigned to. Editing a course will allow them to create and delete sections, lessons, quizzes, and quiz questions within that course, but they may not create or delete courses themselves.
Contributor Capabilities
- Contributor - A user that has the ability to read all posts and delete or edit their own posts. Contributors do not have any capabilities beyond their own posts.
Subscriber Capabilities
- Subscriber - A user that can read all posts but only view or edit their own profile.
- Customer (WooCommerce) - Customers only have read access for the bulk of actions. This user type is equivalent to the capabilities of the Subscriber role. These users can only view and edit their own account information as well as view past and present orders.
- Student (LifterLMS) - A student can only view the content of courses and memberships they enrolled in and edit their own user profile information. All user accounts created via LifterLMS registrations and checkouts are created as students. This role is, essentially, the WordPress core’s subscriber role.
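The group rules above (membership by capability tier, individually added users, and the Everybody Else fallback) can be modelled to check which users who can make changes are not covered by Require Two-Factor. This is an added example, not Solid Security code: the users, group settings, and data layout are constructed, and it assumes that a feature applies when any of a user's groups enables it and that every tier above Subscriber can make changes to the site.

```python
# Added example: a model of the rules described on this page, not the plugin's code.
# Role-to-tier mapping copied from the "Role Capabilities" section above.
TIER_OF_ROLE = {
    "Administrator": "administrator", "Shop Manager": "administrator",
    "LMS Manager": "administrator", "Instructor": "administrator",
    "Editor": "editor",
    "Author": "author", "Instructor's Assistant": "author",
    "Contributor": "contributor",
    "Subscriber": "subscriber", "Customer": "subscriber", "Student": "subscriber",
}
# Assumption: every tier above subscriber can make changes to the site.
CAN_CHANGE_SITE = {"administrator", "editor", "author", "contributor"}
REQUIRE_2FA = "Require Two-Factor"
BYPASS_2FA = "Allow Two-Factor Bypass for Passwordless Login"

# Constructed sample configuration (group names follow the page's examples).
GROUPS = [
    {"name": "Administrator", "tiers": {"administrator"}, "users": {"aria"},
     "features": {REQUIRE_2FA}},
    {"name": "Editor", "tiers": {"editor"}, "users": set(),
     "features": {"Strong Passwords"}},
    {"name": "Wizards", "tiers": set(), "users": {"zelda"},
     "features": {REQUIRE_2FA, BYPASS_2FA}},
]
EVERYBODY_ELSE = {"name": "Everybody Else", "features": set()}
USERS = {"admin1": "Administrator", "sam": "Shop Manager", "aria": "Author",
         "ed": "Editor", "zelda": "Author", "carl": "Customer",
         "ian": "Instructor's Assistant"}  # constructed sample users

def groups_for(user, role):
    """Groups matched by capability tier or explicit selection, else Everybody Else."""
    tier = TIER_OF_ROLE[role]
    matched = [g for g in GROUPS if tier in g["tiers"] or user in g["users"]]
    return matched or [EVERYBODY_ELSE]

def effective_features(user, role):
    # Assumption: a feature applies when any matched group enables it.
    return set().union(*(g["features"] for g in groups_for(user, role)))

def audit(users):
    """Return (user, finding) pairs for two-factor coverage gaps."""
    findings = []
    for user, role in sorted(users.items()):
        feats = effective_features(user, role)
        if TIER_OF_ROLE[role] in CAN_CHANGE_SITE and REQUIRE_2FA not in feats:
            findings.append((user, "can change the site, two-factor not required"))
        if {REQUIRE_2FA, BYPASS_2FA} <= feats:
            findings.append((user, "two-factor can be bypassed via passwordless login"))
    return findings
```

With the sample data, the Editor group and the Everybody Else fallback are where two-factor coverage is missing, and the Wizards group is flagged for the passwordless bypass.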