Creating New Groups
Creating a new user group is a simple and straightforward process with the customizable User Groups feature. To create a new group navigate to Security > Settings > User Groups and at the bottom of the groups list select + New Group.
First, you will name the group in the input box under Group Name. I have named this example Wizards. Once you have named the new User Group, it is time to add the roles and/or users to the group. For this example, only Zelda has been added to the User Group. When you have selected the desired roles and users, click Save at the bottom of the module.
Now that the new User Group is created, you can select which features you would like to be enabled for that User Group.
Add Roles to Group by Capabilities (Preferred Method)
When creating a User Group the most preferred method is to create a new group using the Capabilities checkbox. In the event that a new user is created by the installation of a plugin (WooCommerce for example), any user with those capabilities will be included in this group. More information can be found in the Specific Examples section later in this article. The standard User Roles are Administrator, Editor, Author, Contributor and Subscriber.
After the group is created, you have the ability to select which Security features will be enforced on the users in that group. It is highly recommended to enable Two-Factor Authentication for any User Group that includes users or groups with the ability to make changes on the site.
Add/Remove Users in Group
You have the ability to pick and choose which users will be in each group. Say you have one user with the Author role that you would like to have Administrator capabilities, but do not want all Author roles to have Administrator capabilities. In this case, you could go to the Administrator User Group, scroll down to the Select Users section and select the singular user you would like added to that group.
To remove users from the selected group, simply scroll down to the Selected Users section and click X next to the user you wish to remove.
Custom User Groups
User Groups also gives the ability to create custom User Groups to fit your specific site needs. In this example, I created a new User Group called Wizards. Within that group, I did not select any roles to be a part of the group but, instead, chose specific users.
Once you have your custom users added to the group, you can toggle back to the Settings tab to choose which capabilities those users will have. In this example, I added Gandalf to the group, then toggled the options to allow those users in that group to have the ability to create Security Dashboards and view the Grade Report.
Making Changes to Multiple Groups
It is possible to make changes to multiple groups at once. You can select multiple User Groups at the same time by cmd/ctrl-clicking the groups you wish to make changes to. For instance, you could have each member in the Editor, Author and Contributor roles be required to use strong passwords. To do this simply select the User Groups you want to be impacted and click the Require Strong Passwords box, then save the settings.
Changing Group Names
The standard group names are Administrator, Editor, Author, Contributor and Subscriber. You can change these group names to anything you would like by navigating to Security > Settings > User Groups. Select the User Group that you would like to change the name of and click the input box below Group Name, remove the text and replace it with the custom text you would like to use. Once you have changed the name of the User Group, don’t forget to hit Save at the bottom of the page.
The Everybody Else User Group contains each user registered on your site that does not already belong to a specific group. Let’s say you only have two User Groups, one for Administrators and one for Editors but you want Two-Factor Authentication to be enforced for every user that registers on your site. In this instance, you can enable Two-Factor Authentication in the Everybody Else User Group so that each registered user must complete the Two-Factor Authentication method. For this example, each user that is not included in the Administrator or Editor User Group will be included in the Everybody Else User Group.
As mentioned above, the standard User Roles are Administrator, Editor, Author, Contributor and Subscriber. But what if you want to install something like WooCommerce or LMSLifter that has its own user roles? Not to worry, User Groups adds in the new User Roles under the appropriate capabilities. The image below shows what your User Group capabilities will be with the standard user roles.
With WooCommerce and LifterLMS:
Modules in User Group
Below are the following features that can be enabled across User Groups. It is important to note that each of these settings needs to be enabled in the Security Modules section before they are able to be utilized in User Groups.
Manage iThemes Security
- Allows users in this group to be able to manage iThemes Security Settings. Only enable this for users that you would like to be able to make changes across the site. (Only setting always available.)
Dashboard Creation (Security Dashboard Module)
- Allows the users in the set group to enable the Security Dashboard. The Security Dashboard gives a real-time evaluation of the security activity on your site.
Grade Report (Bottom of Global Settings Page)
- Users who are able to see the Grade Report of the site.
Force Two-Factor (Two-Factor Authentication Module)
- Requires users in the selected group to use Two-Factor Authentication. It is highly recommended to enable this feature for any user that can make changes to the site.
Disable Two-Factor Onboarding (Two-Factor Authentication Module)
- Disables the forced use of Two-Factor Authentication for the selected users. We don’t recommend changing this from the default as Two-Factor authentication is important for all users, not just administrators.
Allow Remembering Device (Two-Factor Authentication Module)
- Allows users to check the Remember this Device box. If checked, the module will not force the user to enter a Two-Factor Authentication code when logging in. You must enable the Trusted Devices module to enable this feature.
Application Passwords (Two-Factor Authentication Module)
- Use Application Passwords to allow authentication without providing your actual password when using non-traditional login methods such as XML-RPC or the REST API. They can be easily revoked and can never be used for traditional logins to your website.
Activity Monitoring (User Logging Module)
- Tracks and logs the activity of users selected in the User Group.
Passwordless Login Enable (Passwordless Login Modules)
- Send an email with a secure link that allows users to log in without entering a password.
Allow Two-Factor Bypass for Passwordless Login (Passwordless Login Modules)
- Gives users the option to bypass Two-Factor Authentication when using Passwordless Login.
Trusted Devices (Trusted Devices Module)
- The Trusted Devices feature which identifies the device used to login and can apply additional restrictions to unknown devices such as capability restriction and session hijacking protection.
Require Strong Passwords (Password Requirement Module)
- Force users in this group to use strong passwords.
Password Expiration (Password Requirement Module)
- Gives users in group ability to expire passwords and force them to be changed after a set amount of days.
Refuse Compromised Passwords (Password Requirement Module)
- Forces users to use unique passwords that do not appear in any password breaches tracked by Have I Been Pwned.
- Administrator - User who has access to all the administration features within a single site.
- Shop Manager (WooCommerce) - User with the ability to manage the shop without being an Admin to the back end of the site. They have all the rights a customer has as well as managing all settings within WooCommerce, including the ability to create and edit products. They also have access to all WooCommerce reports.
- LMS Manager( LifterLMS) - The LMS Manager can do everything in LifterLMS. This allows you to provide access to someone without making them an admin on your site.
- Instructor (LifterLMS) - Instructors can create, edit and delete their own courses (sections, lessons, quizzes and quiz questions) and memberships. Instructors can also create new Instructor’s Assistants to help them manage their own courses. Instructors cannot enroll or unenroll students.
- Editor - User that is typically responsible for managing content. Editors can add, edit, publish and delete any posts and media, including those written by other users. Editors can also moderate, edit and delete comments and add and edit categories and tags.
- Author - User that is only able to create, edit, delete, publish their own posts and upload media files. Users with the Author role are only capable of impacting their own content.
- Instructors Assistant (LifterLMS) - Instructor’s Assistants are similar to Instructors but they can only edit courses they’ve been assigned to. Editing a course will allow them to create and delete sections, lessons, quizzes and quiz questions within that course but they may not create or delete courses themselves.
- Contributor - User that has the ability to read all posts, delete or edit their own posts. Contributors do not have any capabilities beyond their own posts.
- Subscriber - User that can read all posts but only view or edit their own profile.
- Customer (WooCommerce) - Only have read access for the bulk of actions. This user type is equivalent to the capabilities of the Subscriber role. These users can only view and edit their own account information as well as view past and present orders.
- Student (LifterLMS) - A student can only view the content of courses and memberships they enrolled in and edit their own user profile information. All user accounts created via LifterLMS registrations and checkouts are created as students. This role is, essentially, the WordPress core’s subscriber role.