Control Visibility of Post Content Based on User Roles or Capabilities


When it comes to protecting content and limiting its visibility, WordPress has only one feature: setting a password for individual posts. But if you need to hide parts of the content, or to display different things to different users, you need a custom-built solution.

This WordPress tutorial will show you how to build shortcodes you can use to hide parts of the post content depending on three criteria: user login status, user roles and user capabilities. At the end, you can download the finished plugin with the shortcode.

Shortcode Attributes

The shortcode has 3 attributes, one for each criterion, 2 extra attributes for styling the limited access block and 3 more attributes for displaying a message in case the content is hidden. You can always expand this and add more functionality to the shortcode.

Here are 3 basic attributes:

  1. User Login Status – attribute name: access_logged. This attribute separates logged-in users from normal visitors.
  2. User Role – attribute name: access_role. You can list one or more user roles; logged-in users who have one of the listed roles can see the content.
  3. Capability – attribute name: access_caps. You can list one or more capabilities here, and users having one of them can see the content.

Additional attributes for styling the DIV element that wraps the content inside the shortcode:

  1. Class - attribute name: class. One or more CSS classes.
  2. Style – attribute name: style. CSS styles to use.

And to display a message when content view is restricted, we can use 3 more attributes:

  1. Message – attribute name: restrict_message. Text to show when the content is not available to the current user. It is formatted with the class and style attributes listed next.
  2. Class - attribute name: restrict_class.
  3. Style – attribute name: restrict_style.

Shortcode Code

Now it is time to put this together in the form of shortcode code. We will start from a basic shortcode that defines the attributes and returns the content without changes:

add_shortcode('d4p_access', 'shortcode_d4p_access');
function shortcode_d4p_access($atts, $content = null) {
  // Defaults for every supported attribute; null means "restriction not used".
  $defaults = array('class' => '', 'style' => '',
    'access_logged' => null, 'access_role' => null, 'access_caps' => null,
    'restrict_message' => 'Access Denied', 'restrict_class' => 'access-restricted', 'restrict_style' => '');
  $atts = shortcode_atts($defaults, $atts);
  return $content;
}

This code includes all the attributes described earlier. The access attributes default to null, because any other value can be meaningful and null tells the code to ignore the attribute. We have also set a default restriction message and a CSS class to style it. The shortcode is named d4p_access, but you can change that to anything else you want to use.

We have 3 restriction methods, and each one needs to be checked. To do that, we expand the shortcode function with this code:

$to_show = true;
// 1. Login status: 1 = logged-in users only, any other value = logged-out visitors only.
if (isset($atts['access_logged']) && !is_null($atts['access_logged'])) {
  if ($atts['access_logged'] == 1) {
    $to_show = is_user_logged_in();
  } else {
    $to_show = !is_user_logged_in();
  }
}
// 2. Roles: comma-separated list, the user must have at least one of them.
if ($to_show && isset($atts['access_role']) && !is_null($atts['access_role'])) {
  $atts['access_role'] = explode(',', $atts['access_role']);
  $atts['access_role'] = array_map('trim', $atts['access_role']);
  $to_show = d4p_is_current_user_roles($atts['access_role']);
}
// 3. Capabilities: comma-separated list, the user must have at least one of them.
if ($to_show && isset($atts['access_caps']) && !is_null($atts['access_caps'])) {
  $atts['access_caps'] = explode(',', $atts['access_caps']);
  $atts['access_caps'] = array_map('trim', $atts['access_caps']);
  $to_show = d4p_current_user_can($atts['access_caps']);
}
// Let other code override the decision.
$to_show = apply_filters('d4p_access_control', $to_show, $atts, $content);

The first IF block checks whether the access_logged restriction is used. If it is not null, the allowed values are 0 (user is not logged in) and 1 (user is logged in). Since the WordPress shortcode parser doesn’t interpret Boolean values properly, we can’t use true/false here.

The next block is for user roles. You need to list one or more roles, comma separated. If the user has at least one of the roles, they will be able to see the content. To check the role, we use a custom function:

function d4p_is_current_user_roles($roles = array()) {
  global $current_user;
  $roles = (array)$roles;
  if (is_array($current_user->roles) && !empty($roles)) {
    // True when the user has at least one of the requested roles.
    $match = array_intersect($roles, $current_user->roles);
    return !empty($match);
  } else {
    return false;
  }
}

The next block is for user capabilities. Again, list one or more capabilities, comma separated, and again we use a custom function to check whether the user has at least one of the capabilities listed:

function d4p_current_user_can($caps = array()) {
  $caps = (array)$caps;
  foreach ($caps as $cap) {
    // Stop at the first capability the user has.
    if (current_user_can($cap)) {
      return true;
    }
  }
  return false;
}

At the very end, the $to_show variable is passed through the d4p_access_control filter, so that other code can hook in there and change it. Now we have determined whether the content should be displayed to the current user. If the content is restricted, we need to replace it with our message, formatted and returned:

$class = $atts['class'];
$style = $atts['style'];
if (!$to_show) {
  // Restricted: swap in the message (limited to the HTML allowed in posts) and its styling.
  $content = wp_kses_post($atts['restrict_message']);
  $class = $atts['restrict_class'];
  $style = $atts['restrict_style'];
}
// Attribute values are written by post authors, so escape them before output.
return '<div'.($style != '' ? ' style="'.esc_attr($style).'"' : '').($class != '' ? ' class="'.esc_attr($class).'"' : '').'>'.do_shortcode($content).'</div>';
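
The d4p_access_control filter can also tighten the check. With the code above, any access_logged value other than 1 (for example true, or 1 wrapped in typographic quotes) takes the else branch and shows the content to logged-out visitors. The callback below is an added example, not part of the original plugin, that fails closed in that case; the name d4p_example_strict_access_logged is hypothetical.

```php
<?php
// Added example, not part of the original plugin. The function name is hypothetical.
// Hooks the tutorial's d4p_access_control filter and hides the content whenever
// access_logged is set to anything other than the literal values 0 or 1.
function d4p_example_strict_access_logged($to_show, $atts, $content) {
    // Restriction not used on this shortcode: keep the existing decision.
    if (!isset($atts['access_logged'])) {
        return $to_show;
    }

    $value = trim((string) $atts['access_logged']);
    if ($value === '0' || $value === '1') {
        return $to_show;
    }

    // Misconfigured attribute: record where it is so an editor can fix it,
    // then deny instead of falling through to the "logged-out only" branch.
    error_log(sprintf(
        'd4p_access: invalid access_logged value %s in post %d; content hidden',
        wp_json_encode($value),
        (int) get_the_ID()
    ));
    return false;
}
add_filter('d4p_access_control', 'd4p_example_strict_access_logged', 10, 3);
```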

That’s it. The complete code for this shortcode can be downloaded below in the form of a standalone plugin you can unpack and upload to your plugins folder and activate to use.

Download code for shortcode: d4p WPHub shortcodeaccess

And here is how you can use it:

First example will allow all logged in users to see the content:

[d4p_access access_logged=1]My Content[/d4p_access]

Second example will allow all users with roles ‘administrator’ and ‘editor’ to see the content:

[d4p_access access_role="administrator,editor"]My Content[/d4p_access]

Third example will allow all users with role ‘editor’ and with capability ‘show-me’ to see the content, also we use different custom restriction message and class:

[d4p_access access_role="editor" access_caps="show-me" restrict_message="Stop! You can't see this!" restrict_class="restricted"]My Content[/d4p_access]

As you can see, you can use a combination of shortcode attributes to limit access to content. You can always expand the shortcode code with different rules, change how some of the rules behave, and change the way the content or restriction message is displayed to the user. I hope this WordPress tutorial is useful. Please leave any comments you have below.

Comments (3)

  • Comment by Erik

    This is great and absolutely what I was looking for. I was able to call do_shortcode() in the code itself and it returned the proper shortcode. My question is how would I be able to call this inside of the shortcode outside of the php file?

  • Comment by Derek


    Installed as described as well and used the shortcodes (access_role) but it didn’t work. But after some digging I found the solution: You have to delete the quotes ( ” ) if you use the access_role=.

    So what it states here: [d4p_access access_role=”administrator”]My Content[/d4p_access]

    Becomes: [d4p_access access_role=administrator]My Content[/d4p_access]

    Then it worked fine with me.

  • Comment by Nobouz


    I’ve installed the plugin as described, but I can’t manage to make it work.
    I don’t see any widget in the ‘Widgets’ panel …

    Has anyone else had this problem?

    Best regards