Written by on

Updates to Access Management for iThemes Plugins

Being able to set access levels for iThemes plugins has been a request that we’ve seen for quite some time. As of today, most iThemes plugins allow you to set the access levels to something other than “administrator only”.

WordPress Roles and Capabilities

The method is based on the WordPress Roles and Capabilities functionality. Each user on your site has a specific role. Typical Roles used by WordPress are subscriber, contributor, author, editor and administrator (and Superadmin for multisite). Each of these roles has access to a set of capabilities (“stuff they can do”) and it inherits the capabilities of lower roles. So given that editor is a “higher” role than author, a user with editor role has at least the same capabilities as an author (via inheritance), and then some more. You can find the default role -> capability settings in a handy table in the WordPress codex.

By default, all plugins require the “switch_themes” capability. As you can see in the above mentioned table, only “administrator” roles have that capability on both single-site and multisite WordPress installs.

How to Override the Default Setting

Rather than developing a new access management system, we’ve chosen to add a simple WordPress filter to the capability required to run and manage a plugin. That means that you can override the default by adding a filter to your (child themes) functions.php file. Here is an example of such a function.

function billboard_custom_capability( $capability ) {
    return 'publish_posts';
add_filter( 'billboard_capability', 'billboard_custom_capability' );

The above code uses a function to change the default “switch_themes” capability (for administrators only) to “publish_posts”. Via the table, we can see that the “author” role has access to that capability.

edit posts capability example

So any user with such a role (and any role “higher up” in the hierarchy such as “Editor”, “Administrator” and “SuperAdmin”) can now manage all the Billboard plugin functions.

The filter name (in this case “billboard_capability”) is pre-defined, as you can see in the next paragraph. You can not use other filternames. The functions though can be named anything, so you can change billboard_custom_capability to any other valid function name. Just make sure that a function is only defined once.

Plugins Access Management Affects

DisplayBuddy Plugins

  • Billboard – use the billboard_capability filter
  • Frolic – use the frolic_capability filter
  • Rotating Images – use the rotatingimages_capability filter
  • Rotating Text – use the rotatingtext_capability filter


  • Emailbuddy – use the emailbuddy_capability filter
  • Loopbuddy – use the loopbuddy_capability filter
  • Mobile – use the mobile_capability filter
  • Vidembed – use the vidembed_capability filter

What About the Other Plugins?

Due to design and code considerations (and restrictions) the filter method can not (and will not) be applied to all plugins. The following plugins already have access management built-in via an option in the plugin settings:

  • Accordion
  • Carousel
  • Featured Posts
  • Slides
  • Slideshow
  • Tipsy
  • VideoShowcase

Furthermore, BackupBuddy, Exchange, iThemes Security and Sync are not considered for this functionality.

Other plugins not mentioned here are on the to-do list. Keep an eye on future updates to these plugins, and check the change-log.

A Note for DisplayBuddy Plugins

Should you desire to set different access levels to various DisplayBuddy plugins on one site, an additional parameter is required, to make sure that all role levels are processed properly.

Given the following scenario:

  • Editors should have access to Rotating Images, Rotating Text and Billboard
  • Authors should have access to Rotating Text and Billboard
  • Contributors should have access to Billboard

We would then add the following code:

function billboard_custom_capability( $capability ) {
     return 'edit_posts';
add_filter( 'billboard_capability', 'billboard_custom_capability', 5 );

function rotatingtext_custom_capability( $capability ) {
     return 'publish_posts';
add_filter( 'rotatingtext_capability', 'rotatingtext_custom_capability', 10 );

function rotatingimages_custom_capability( $capability ) {
     return 'publish_pages';
add_filter( 'rotatingimages_capability', 'rotating_images_custom_capability', 15 );

Note the number at the end of the filter, this indicates the “priority”. It is crucial to add the “priority” parameter, to make sure that the (shared) DisplayBuddy “getting started” page is visible to all roles. Without the priority parameter, the last filter would override the previous one(s).

The golden rule here is to add the highest priority (which is the lowest number) to the lowest role that we want to override.

Note that the above ONLY applies if you want to use different capabilities on one site for more than one DisplayBuddy plugin. Priorities are not required for non-DisplayBuddy plugins, or if you want to use the same capability for the plugins.

Talk to Us

We hope that with this new function, we can meet most, if not all of the requests for more granular access management of our plugins. Let us know what you think, in the comments section below. Additionally, if you run into any issues, you can find support here.


  1. Great news!

    Also, does this apply for plugins being used on WP Network (Multisite) installs, as opposed to single site installs? If not, it might be good to make a note about that in the article. :)

    For instance, Slideshow actually no longer has “access management built-in via an option in the plugin settings” when used on Network installs, as of v2.0.19 (2013-09-11).

    I know its been said that its being worked out (see comments here: http://ithemes.com/2014/06/19/slideshow-update-3-0-released-week/) but a distinction here might keep things clear.


    • Hi,

      using this approach (with the filter via functions.php) it doesn’t matter whether this is a single-site, or a multisite, since the solution is done on a per-site basis. Therefore, no mention of any distinctions, as there isn’t any.

      The paragraph labeled “Plugins Access Management Affects” in this article describes exactly to which plugins this article applies.

      No other plugins have been changed or updated in this respect, although based on user experiences of the solution described in this article, we may review the existing access management as it is currently implemented in other plugins.

      • Thanks for clarification Ronald. That makes sense.

        I guess, as a multi-site user, the section that was confusing is “What About the Other Plugins?” where a plugin like Slideshow is listed to have a “user access management system” when that in fact is not the case, when using that particular plugin out-of-the-box on a multi-site install.

        • gotcha. Would you be interested in participating in a small test, and check out a “hybrid” version of Slideshow that has the existing access management system, as well as the method described above? If so, please send me an e-mail (ronald@ithemes.com) and link to this post and we can discuss details.



Save big! Get 35% off EVERYTHING sitewide Get the coupon