self-hosted sites lack the private site feature that WordPress.com
offers. However, several simple plug-ins can fill the gap. One is Page Restrict (http://
tinyurl.com/page-restrict), which lets you prevent people from accessing specific
pages—or your entire site—until they log in. Page Restrict also lets you pick a suitable
message that explains the issue to anonymous visitors, such as “This content
is private. To view it, you must log in.”
Letting People Register Themselves on a Self-Hosted Site
If WordPress hosts your site, WordPress.com is in charge of registering your users.
But if you run a self-hosted site, you’re in control, and that gives you a unique ability.
If you’re feeling a bit daring, you can open the floodgates to your site and let your
readers register themselves.
This strategy might seem a bit dangerous—and if you don’t think it through, it is.
Giving random web visitors extra powers on your site is an extreme step for even the
most trusting person. However, there are several scenarios where self-registration
makes a lot of sense. Here are the most common:
• You’re creating a private blog and you want to prohibit anonymous contributors,
but you don’t want to make your restrictions onerous—you simply want to deter
spammers and other riffraff. Often, the process of signing up is enough to keep
out these troublemakers. And if you let readers sign themselves up, you save
yourself the task of doing so, and save visitors the need to wait for your approval.
• You’re creating a site that welcomes community contributors. You’re ready
to let anyone sign up as a contributor, but you want to approve their content
before it gets published (page 379). Be aware, however, that this is no small
task—reviewing other people’s content and sniffing out spam makes comment
moderation seem like a day at the spa.
• You’ve restricted comments to people who have registered and logged in to the
site (page 272), but you’re willing to let people comment if they go through the
trouble of creating an account. Sometimes, site owners take this step to lock out
spammers, and typically it works well, although it also drives away legitimate
commenters who can’t be bothered signing up. In most cases, it’s better to
allow Facebook and Twitter authentication (page 270), and to use Akismet to
fight spam (page 275).
• Your WordPress site isn’t really on the Web; it’s on the internal network of a
business or organization. Thus, you can assume that the people who reach your
site are relatively trustworthy. (Of course, you still shouldn’t grant them any privileges
more powerful than a contributor account without your personal review.)
Flipping on the self-registration feature takes just a few seconds. In the dashboard,
choose Settings→General. Add a checkmark next to “Anyone can register,” choose
a role in the New User Default Role box below, and then click Save Changes.
WARNING You should set the role for new users to subscriber or contributor—subscriber to welcome new
readers to a private blog, and contributor to let potential authors sign themselves up. Never allow new people
to sign themselves up as authors or editors, unless you want spammers to paste their ads all over your site.
When you turn on self-registration, WordPress adds an extra link to the login page
If you allow self-registration on a public website, you’ll eventually have spammers
creating accounts. Usually, the offender is an automated computer program called
a spambot. It searches the Web for WordPress sites and attempts to sign up on
every one it finds, in the hope that the site will grant the spambot author or editor
permissions. If a site is unwise enough to do so, the spambot immediately gets to
work spewing spam into new posts. As long as you limit new users to the role of
contributor or (powerless) subscriber, the spambot won’t be able to do anything.