
Role-Based Access for WordPress Chat: Who Can Message Whom

Creator of Better Messages

A messaging plugin on a community site, a marketplace, or a paid membership platform has to answer one question repeatedly: who is allowed to message whom? The answers vary by site. A B2B directory might let businesses message each other freely but block consumer-to-consumer DMs. A paid community might let Pro members message anyone but block Free members from initiating. An LMS might let students message instructors but not other students. Better Messages handles all of this with a role-based access matrix, four kinds of restrictions, per-role rate limiting, and user-controlled DM-blocking.

Five access controls in one panel

All under WP Admin → Better Messages → Settings → Restrictions:

1. Role-to-role matrix (whitelist or blacklist)

The core control. Either:

  • Allow mode (whitelist) — list which roles can message which roles. Everything else is blocked.
  • Disallow mode (blacklist) — list which role-to-role pairs are blocked. Everything else is allowed.

Most sites use the whitelist mode because it is auditable. Example whitelist for a paid membership site:

| Sender role | Allowed recipient roles |
|---|---|
| Administrator / Editor | All roles |
| Pro Member | Pro Member, Free Member, Admin |
| Free Member | Admin only |
| Subscriber | (none — no DMs) |
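
The difference between the two modes shows up when a role is registered after the rules were written. The sketch below is an added example, not Better Messages code: it models the whitelist from the table above, derives the disallow list that blocks exactly the same pairs, then adds one new role and lists what only the disallow list lets through. The role slugs `pro_member`, `free_member` and `vendor`, the `*` wildcard for "All roles", and all function names are assumptions.

```python
# Model of the role-to-role decision; not Better Messages code.
BYPASS = {"administrator"}  # administrators bypass restrictions by default
ROLES = ["administrator", "editor", "pro_member", "free_member", "subscriber"]

# Allow-mode rules from the paid-membership table ("*" stands for "All roles").
ALLOW = {
    "editor": {"*"},
    "pro_member": {"pro_member", "free_member", "administrator"},
    "free_member": {"administrator"},
    "subscriber": set(),
}

def can_message(mode, rules, sender, recipient):
    """mode 'allow': listed pairs pass; mode 'disallow': listed pairs are blocked."""
    if sender in BYPASS:
        return True
    targets = rules.get(sender, set())
    listed = "*" in targets or recipient in targets
    return listed if mode == "allow" else not listed

def equivalent_disallow(allow, roles):
    """Disallow-mode rules that block exactly what the whitelist blocks for `roles`."""
    return {s: {r for r in roles if not can_message("allow", allow, s, r)}
            for s in roles if s not in BYPASS}

def allowed_pairs(mode, rules, roles):
    """Every (sender, recipient) pair the given rules let through."""
    return {(s, r) for s in roles for r in roles if can_message(mode, rules, s, r)}

def drift_after_new_role(allow, roles, new_role):
    """Pairs the disallow list permits, but the whitelist does not, once new_role exists."""
    deny = equivalent_disallow(allow, roles)
    # Sanity check: before the new role, both rule sets permit the same pairs.
    assert allowed_pairs("disallow", deny, roles) == allowed_pairs("allow", allow, roles)
    grown = roles + [new_role]
    return allowed_pairs("disallow", deny, grown) - allowed_pairs("allow", allow, grown)

if __name__ == "__main__":
    for sender, recipient in sorted(drift_after_new_role(ALLOW, ROLES, "vendor")):
        print(f"disallow mode only: {sender} -> {recipient}")
```

In this model the new role starts with no messaging rights under the whitelist, while under the disallow list it can message every role and be messaged by every role until someone adds rules for it.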

2. Restrict new conversations

Lists roles that cannot start new conversations. They can still reply to threads someone else started.

Common pattern: free members cannot start DMs, but paid members can DM them, and the free member can then reply. This lowers spam while still letting paying members reach the audience.

3. Restrict replies

Lists roles that cannot reply to existing conversations. Rare, but useful for "view-only" tiers — e.g. a Lifetime member who has lost active subscription status retains read access to old conversations but cannot post new replies.

4. Restrict message visibility

Lists roles that see placeholder text instead of message content. The placeholder is configurable. Useful for:

  • Paywall preview: free members see "Subscribe to Pro to read this message" instead of paid-thread content.
  • Moderation: suspended users see "Your access has been restricted" instead of any message bodies.

5. Per-role rate limits

Two kinds:

  • Minimum seconds between new conversations — block spammers who create a thread, message a target, get blocked, create another thread. Configure as "max 1 new conversation per 60 seconds" for free members.
  • Per-role reply rate limit — block flood replies. Configure as "max 30 replies per minute" for free members, no limit for admins.
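
The two limit kinds can be modelled as a per-user minimum gap between new conversations and a sliding 60-second window for replies, with the numbers chosen by role. This is an added example, not Better Messages code; the role slugs, the class and function names, and the choice that rejected attempts do not reset the timer are assumptions.

```python
from collections import defaultdict, deque

# Limits from the article's examples; role slugs are assumed, None means no limit.
LIMITS = {
    "free_member": {"new_conversation_gap": 60, "replies_per_minute": 30},
    "administrator": {"new_conversation_gap": None, "replies_per_minute": None},
}

class RoleRateLimiter:
    def __init__(self, limits):
        self.limits = limits
        self.last_new = {}                 # user_id -> time of last accepted new conversation
        self.replies = defaultdict(deque)  # user_id -> times of accepted replies in the window

    def allow_new_conversation(self, user_id, role, now):
        gap = self.limits[role]["new_conversation_gap"]
        last = self.last_new.get(user_id)
        if gap is not None and last is not None and now - last < gap:
            return False                   # rejected attempts do not move the timer
        self.last_new[user_id] = now
        return True

    def allow_reply(self, user_id, role, now):
        cap = self.limits[role]["replies_per_minute"]
        if cap is None:
            return True
        window = self.replies[user_id]
        while window and now - window[0] >= 60:
            window.popleft()               # drop replies older than the 60-second window
        if len(window) >= cap:
            return False
        window.append(now)
        return True

def simulate(role, kind, times, user_id=1):
    """Count how many attempts at the given times (in seconds) are accepted."""
    limiter = RoleRateLimiter(LIMITS)
    check = limiter.allow_new_conversation if kind == "new" else limiter.allow_reply
    return sum(check(user_id, role, t) for t in times)

if __name__ == "__main__":
    # Constructed timeline: a free member retries new conversations every few seconds.
    print(simulate("free_member", "new", [0, 10, 59, 60, 61]))
```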

User-controlled DM blocking

Beyond admin-level access control, individual members can configure their own DM preferences in their profile:

  • Who can message me — Everyone, Friends only, Nobody.
  • Hide me from search — opt out of being found via the recipient search.

This is the "user-self-restriction" toggle in Settings — sites with sensitive audiences should enable it; sites that want maximum interaction can leave it off.

Common patterns

| Site type | Typical setup |
|---|---|
| Paid membership | Free can reply only; Pro / Lifetime can DM freely; admin can DM anyone |
| LMS | Students can DM instructors only; instructors can DM students; admin can DM anyone |
| Marketplace | Buyers and vendors can DM each other; buyer-to-buyer DMs blocked |
| Job board | Candidates can DM employers; employer-to-candidate DMs allowed; candidate-to-candidate blocked |
| Public community | Everyone can DM everyone, with rate limits + user-controlled self-restriction |
| Directory site | Visitors → listing owners only; listing owners can reply but not initiate to random visitors |

How permissions interact with guest chat

Guest users have a synthetic "Guests" role in the restrictions matrix. Apply the same controls — typical pattern: guests can DM listing owners / vendors / support but cannot DM regular registered members.

How permissions interact with group chats

The role matrix applies to one-on-one DMs and to creating new group conversations. Once a user is in a group chat, the chat's own admin / moderator / member hierarchy takes over — that is separate from the WordPress role.

Custom visibility placeholder

When you hide message content for a role, configure the placeholder text via Settings → Restrictions → Visibility Placeholder. Examples:

  • "Subscribe to Pro to read this message"
  • "Your access is currently restricted"
  • "Message hidden — contact support for details"

How to enable

  1. WP Admin → Better Messages → Settings → Restrictions.
  2. Pick Restriction Mode (Allow or Disallow).
  3. Configure the role-to-role rules.
  4. Set restrictions for new conversations, replies, and visibility.
  5. Configure rate limits per role.
  6. Save.

Settings apply on the next request — no rebuild, no cache flush.

Frequently asked questions

Can I run different rules in different parts of the site?

The role matrix is global. For per-page or per-community-group differences, use the group chat's own admin / moderator settings, or a custom filter on better_messages_can_message.

Does the restriction apply to admins?

Administrators bypass restrictions by default. To restrict admins too (rare), use a custom filter.

What happens when a user is blocked by the matrix?

They see a friendly message: "You are not allowed to message this user." Configurable text per restriction reason.

Will the user know they were blocked?

They see the configurable error message. They do not see why specifically — the system does not leak the rule that blocked them.

Does this work with custom WordPress roles?

Yes — Better Messages reads WordPress's role system. Any role registered with add_role() shows up in the restrictions matrix automatically.

Can I rate-limit by IP instead of role?

Per-role rate limits are the built-in option. For IP-based rate limiting, a custom filter can layer in IP rules — talk to support for the template.
