Role-Based Access for WordPress Chat: Who Can Message Whom

April 15, 2022 · 5 min read

Creator of Better Messages

A messaging plugin on a community site, a marketplace, or a paid membership platform has to answer one question repeatedly: who is allowed to message whom? The answers vary by site. A B2B directory might let businesses message each other freely but block consumer-to-consumer DMs. A paid community might let Pro members message anyone but block Free members from initiating. A LMS might let students message instructors but not other students. Better Messages handles all of this with a role-based access matrix, four kinds of restrictions, per-role rate limiting, and user-controlled DM-blocking.

Five access controls in one panel#

All under WP Admin → Better Messages → Settings → Restrictions:

1. Role-to-role matrix (whitelist or blacklist)#

The core control. Either:

Allow mode (whitelist) — list which roles can message which roles. Everything else is blocked.
Disallow mode (blacklist) — list which role-to-role pairs are blocked. Everything else is allowed.

Most sites use the whitelist mode because it is auditable. Example whitelist for a paid membership site:

Sender role	Allowed recipient roles
Administrator / Editor	All roles
Pro Member	Pro Member, Free Member, Admin
Free Member	Admin only
Subscriber	(none — no DMs)

2. Restrict new conversations#

Lists roles that cannot start new conversations. They can still reply to threads someone else started.

Common pattern: free members cannot start DMs, but paid members can DM them, and the free member can then reply. Lowers spam, lets paying members reach the audience.

3. Restrict replies#

Lists roles that cannot reply to existing conversations. Rare, but useful for "view-only" tiers — e.g. a Lifetime member who has lost active subscription status retains read access to old conversations but cannot post new replies.

4. Restrict message visibility#

Lists roles that see placeholder text instead of message content. The placeholder is configurable. Useful for:

Paywall preview: free members see "Subscribe to Pro to read this message" instead of paid-thread content.
Moderation: suspended users see "Your access has been restricted" instead of any message bodies.

5. Per-role rate limits#

Two kinds:

Minimum seconds between new conversations — block spammers who create a thread, message a target, get blocked, create another thread. Configure as "max 1 new conversation per 60 seconds" for free members.
Per-role reply rate limit — block flood replies. Configure as "max 30 replies per minute" for free members, no limit for admins.

User-controlled DM blocking#

Beyond admin-level access control, individual members can configure their own DM preferences in their profile:

Who can message me — Everyone, Friends only, Nobody.
Hide me from search — opt out of being found via the recipient search.

This is the "user-self-restriction" toggle in Settings — sites with sensitive audiences should enable it; sites that want maximum interaction can leave it off.

Common patterns#

Site type	Typical setup
Paid membership	Free can reply only; Pro / Lifetime can DM freely; admin can DM anyone
LMS	Students can DM instructors only; instructors can DM students; admin can DM anyone
Marketplace	Buyers and vendors can DM each other; buyer-to-buyer DMs blocked
Job board	Candidates can DM employers; employer-to-candidate DMs allowed; candidate-to-candidate blocked
Public community	Everyone can DM everyone, with rate limits + user-controlled self-restriction
Directory site	Visitors → listing owners only; listing owners can reply but not initiate to random visitors

How permissions interact with guest chat#

Guest users have a synthetic "Guests" role in the restrictions matrix. Apply the same controls — typical pattern: guests can DM listing owners / vendors / support but cannot DM regular registered members.

How permissions interact with group chats#

The role matrix applies to one-on-one DMs and to creating new group conversations. Once a user is in a group chat, the chat's own admin / moderator / member hierarchy takes over — that is separate from the WordPress role.

Custom visibility placeholder#

When you hide message content for a role, configure the placeholder text via Settings → Restrictions → Visibility Placeholder. Examples:

"Subscribe to Pro to read this message"
"Your access is currently restricted"
"Message hidden — contact support for details"

How to enable#

WP Admin → Better Messages → Settings → Restrictions.
Pick Restriction Mode (Allow or Disallow).
Configure the role-to-role rules.
Set restrictions for new conversations, replies, and visibility.
Configure rate limits per role.
Save.

Settings apply on the next request — no rebuild, no cache flush.

Frequently asked questions#

Can I run different rules in different parts of the site?#

The role matrix is global. For per-page or per-community-group differences, use the group chat's own admin / moderator settings, or hook the better_messages_can_send_message filter and return a context-aware permission.

Does the restriction apply to admins?#

Administrators bypass restrictions by default. To restrict admins too (rare), use a custom filter.

What happens when a user is blocked by the matrix?#

They see a friendly message: "You are not allowed to message this user." Configurable text per restriction reason.

Will the user know they were blocked?#

They see the configurable error message. They do not see why specifically — the system does not leak the rule that blocked them.

Does this work with custom WordPress roles?#

Yes — Better Messages reads WordPress's role system. Any role registered with add_role() shows up in the restrictions matrix automatically.

Can I rate-limit by IP instead of role?#

Per-role rate limits are the built-in option. For IP-based rate limiting, a custom filter can layer in IP rules — talk to support for the template.