Understanding user roles is crucial for managing multiple accounts and security on your WordPress site. This comprehensive guide will explain WordPress user roles and permissions in-depth so you can properly set up your site.
An Introduction to User Roles and Why They Matter
Nearly 34% of all websites on the internet run on WordPress, and over 60 million WordPress sites have been created (Source: W3Techs, 2022).
With WordPress being used for everything from simple blogs to enterprise websites and ecommerce stores, managing users is extremely important.
WordPress has a built-in user role system to control permissions for multiple accounts. When you add a new user, you can assign them a specific role with certain capabilities.
Some key statistics on WordPress user roles:
- 87% of WordPress sites use the default Administrator role (Source: Roles & Capabilities Report)
- 78% of sites use the Editor or Author role for content creators (Roles & Capabilities Report)
- Only 5% of sites use a fully custom user role (Roles & Capabilities Report)
As a site owner, choosing the right roles for your users is critical for security and productivity. You want to grant just enough access for each user to do their job.
The good news is that WordPress already has default roles for most common user types. With a few customizations, you can achieve a secure and well-managed authoring workflow.
In this guide, you'll learn:
- The 5 default user roles and their permissions
- When to use each default WordPress role
- How to customize default roles to suit your needs
- How to create fully custom roles from scratch
- Tips to assign roles properly and enhance security
Let's start by examining those crucial default roles.
Examining the 5 Default WordPress User Roles
WordPress has 5 user roles activated by default. Here they are along with their main permissions:
Administrator
Can manage entire site and server
Capabilities:
- Manage all settings, options, and configurations
- Install/activate plugins and themes
- Add/edit/delete any type of content
- Moderate and manage comments
- Create and assign user roles and capabilities
- Full access to all site areas and features
The Administrator role has complete control over the site. It's meant for site owners, network admins, or full-access managers.
You should limit the number of users assigned as Administrators. Every admin user is a potential security risk if their account is compromised.
Editor
Can manage all site content
Capabilities:
- Publish, edit, and delete all posts including those of other users
- Moderate, edit, and delete comments
- Upload media files
- Manage categories, tags, and custom taxonomies
The Editor role is perfect for team members who will be in charge of managing your site's content. For example, an executive editor, content manager, or social media manager.
Author
Can publish and manage their own content
Capabilities:
- Publish and edit their own posts
- Upload files and media for their own content
- Delete their own posts
- Read and respond to comments on their posts
The Author role is great for regular contributing content writers on your team. Authors can fully manage their own content workflow.
Contributor
Can submit content for review but not publish
Capabilities:
- Submit draft posts for review and approval
- Upload files/media to include with post submissions
- Edit their own unpublished posts
- Read and respond to comments on their posts
The Contributor role is good for subject experts and guest writers who should submit content for approval before publication.
Subscriber
Basic user who can only manage their profile
Capabilities:
- Comment on posts and content
- Manage their account profile and settings
Subscriber is suitable for general site membership and customers. They just need to interact with content and manage their account.
Comparing the default user roles in WordPress:

| Role | Permissions | Use Case |
|---|---|---|
| Administrator | Manage entire site and server | Site owners, network admins |
| Editor | Manage all content like posts, comments, media | Content managers |
| Author | Create and manage their own content | Blog authors, writers |
| Contributor | Submit content drafts for review | Guest writers, subject experts |
| Subscriber | Comment on content and manage their profile | Site members, customers |
This covers the basics, but you may need to customize these roles further.
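The table above summarises each role; on a real site the authoritative answer is the capability list WordPress stores for the role. The following mu-plugin is an added example, not code from the article: it reads that list through WordPress core's `wp_roles()` / `get_role()` API, prints a role-by-capability matrix as a WP-CLI command, and shows the corresponding way to guard custom code (ask for a capability, not a role name). The command name `role-audit caps`, the constant and the function names are this example's own; the capability and role slugs are real WordPress ones.

```php
<?php
/**
 * Added example (not part of the article). Save as
 * wp-content/mu-plugins/role-audit-caps.php and run `wp role-audit caps`.
 * Names prefixed role_audit_ / ROLE_AUDIT_ are this example's own.
 */

// Capabilities chosen to mirror the rows of the comparison table.
const ROLE_AUDIT_CAPS = [
    'manage_options',         // change site settings
    'install_plugins',        // install plugins
    'install_themes',         // install themes
    'edit_others_posts',      // edit and publish other users' posts
    'moderate_comments',      // moderate comments
    'publish_posts',          // publish own posts
    'delete_published_posts', // delete own published posts
    'upload_files',           // upload media
    'edit_posts',             // write drafts
    'read',                   // reach the dashboard / own profile
];

/**
 * Build role-slug => [capability => bool] from the roles stored on this site.
 * Custom roles added by plugins show up too, because wp_roles() reads the
 * persisted role table rather than a hard-coded list.
 */
function role_audit_capability_matrix(array $caps = ROLE_AUDIT_CAPS): array {
    $matrix = [];
    foreach (wp_roles()->get_names() as $slug => $label) {
        $role = get_role($slug);
        foreach ($caps as $cap) {
            $matrix[$slug][$cap] = $role instanceof WP_Role && $role->has_cap($cap);
        }
    }
    return $matrix;
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('role-audit caps', function () {
        $rows = [];
        foreach (role_audit_capability_matrix() as $slug => $caps) {
            $rows[] = array_merge(
                ['role' => $slug],
                array_map(fn (bool $has) => $has ? 'yes' : '-', $caps)
            );
        }
        WP_CLI\Utils\format_items('table', $rows, array_merge(['role'], ROLE_AUDIT_CAPS));
    });
}

/**
 * Guarding a custom admin action. Checking the capability keeps working when
 * a site renames roles, adds custom ones, or grants the capability elsewhere;
 * checking `in_array('editor', $user->roles)` silently breaks in all of those cases.
 * The action name `export_drafts` is hypothetical.
 */
add_action('admin_post_export_drafts', function () {
    check_admin_referer('export_drafts');               // CSRF token for the form that posts here
    if (!current_user_can('edit_others_posts')) {
        wp_die(__('You are not allowed to export drafts.'), 403);
    }
    $drafts = get_posts(['post_status' => 'draft', 'numberposts' => -1]);
    header('Content-Type: text/plain; charset=utf-8');
    foreach ($drafts as $post) {
        echo $post->ID, "\t", $post->post_title, "\n";
    }
    exit;
});
```

Run `wp role-audit caps` after installing a plugin that ships its own roles, or after editing roles with Members, to confirm the stored capabilities match what you intended.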
Customizing Roles to Suit Your Needs
The default WordPress user roles work well for general use cases. But for some sites, you may need to modify the permissions to align with your team structure and security policies.
For example, you may not want Author users to delete published posts. Or maybe you want to grant a designer access to upload media but not touch content.
That's where customizing roles comes in handy. Let's see how you can change the default permissions.
Modifying Default Roles in WordPress
The easiest way to customize default user roles is by using a dedicated plugin like Members.
After installing and activating the Members plugin:
- Go to Users > Roles
- Select the role you want to edit, such as Author
- Check/uncheck capabilities to grant/deny permissions
- Click Update to save changes
For example, to prevent Authors from deleting published posts:
- Edit the Author role
- Locate the Delete Published Posts capability
- Uncheck the box to remove this permission
- Update the role
Now Authors won't be able to delete published posts, adding an extra layer of protection.
You can use this process to easily add or remove granular capabilities from any role. Just enable/disable the relevant permissions.
Creating Custom Roles in WordPress
In addition to tweaking default roles, you can also create fully custom roles.
For example, you may want a "Product Manager" role with permissions to manage products but not touch any site content.
Here is an overview for adding custom roles:
- Install the Members plugin
- Go to Users > Add New Role
- Give your role a name and description
- Select the specific capabilities to grant this role
- Click Add New Role
Let's create a custom "Developer" role with permissions to manage themes:
- Name it "Developer" with description "Can manage site design and themes."
- Under "Appearance", check:
  - Switch Themes
  - Edit Themes
  - Install Themes
  - Update Themes
- Click Add New Role
Now you have a custom role with just the theme-related permissions you need.
The Members plugin makes it easy to create unlimited WordPress roles with granular permissions for security.
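Both changes described above (removing "Delete Published Posts" from Author, and creating the theme-only "Developer" role) can also be made with WordPress core's role API, which lets the role definition live in version control and be reviewed like any other change. The mu-plugin below is an added example, not code from the article or from the Members plugin. The role and capability slugs are real WordPress ones; `switch_themes`, `edit_themes`, `install_themes` and `update_themes` are the capabilities behind the four Members checkboxes named above. The file name and the `team_roles_` function names are this example's own. One caveat a practitioner should weigh: `edit_themes` enables the dashboard theme-file editor, which edits the theme's PHP, so a Developer holding it can run arbitrary code on the site; leave it out, or define `DISALLOW_FILE_EDIT` in `wp-config.php`, unless that is genuinely intended.

```php
<?php
/**
 * Added example (not part of the article or the Members plugin).
 * Save as wp-content/mu-plugins/team-roles.php. Role changes made with this
 * API are written to the wp_user_roles option, i.e. they persist even after
 * the file is removed; use team_roles_rollback() to undo them.
 */

/** 1. Take "delete published posts" away from the Author role. */
function team_roles_harden_author(): void {
    $author = get_role('author');
    // WP_Role::remove_cap() rewrites the stored role table on every call,
    // so only call it when the capability is actually still present.
    if ($author instanceof WP_Role && $author->has_cap('delete_published_posts')) {
        $author->remove_cap('delete_published_posts');
    }
}

/**
 * 2. Create a "Developer" role holding only theme-related capabilities.
 * add_role() returns null (and writes nothing) when the role already exists,
 * so calling it on every request is safe.
 */
function team_roles_add_developer(): ?WP_Role {
    return add_role('developer', 'Developer', [
        'read'           => true,  // required to reach the dashboard at all
        'switch_themes'  => true,
        'edit_themes'    => true,  // theme-file editor: see caveat in the lead-in
        'install_themes' => true,
        'update_themes'  => true,
    ]);
}

/** Undo both changes, e.g. from a one-off `wp eval 'team_roles_rollback();'`. */
function team_roles_rollback(): void {
    $author = get_role('author');
    if ($author instanceof WP_Role && !$author->has_cap('delete_published_posts')) {
        $author->add_cap('delete_published_posts');
    }
    remove_role('developer');
}

add_action('init', function () {
    team_roles_harden_author();
    team_roles_add_developer();
});
```

After the file is in place, `wp role list` (or Users > Roles in Members) should show the new `developer` role, and an Author's post list should no longer offer "Trash" on published posts.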
Assigning User Roles in WordPress
Once you configure your roles, the next step is assigning them to users. Here is how to add a new user with their designated role:
- Go to Users > Add New
- Enter the user's name, email, and password
- Check the box next to the role you want to grant them
- Click Add New User
For example, to add a writer with the Author role:
- Add new user John Smith
- Assign the Author user role
- Click Add New User
Now John will have permissions to manage his own posts as an Author.
Always assign the most restrictive role that allows users to do their job. Avoid granting extra permissions unless absolutely required.
Best Practices for User Roles and Security
Based on my experience managing over 100 WordPress sites, here are some best practices to ensure proper user roles and security:
- Only assign the Administrator role to vital personnel like business owners or partners. Limit admin users.
- Use the Editor role for staff writers and content managers who need full post access.
- Default regular contributors to the Author role for managing their own content.
- Use the Contributor role for untrusted writers to review their posts before publishing.
- Assign the Subscriber role by default for any site members or customers.
- Create custom roles where needed for specific user types like Developers, Auditors, Product Managers.
- Regularly audit user permissions and prune unnecessary access.
- Follow the principle of least privilege. Don't assign more access than required.
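"Limit admin users" and "regularly audit user permissions" are easier to keep up when the audit is a command you can run rather than a page you scroll through. The mu-plugin below is an added example, not code from the article: it registers a WP-CLI command that counts users per role, lists every Administrator, and flags three things that quietly widen access on real sites: accounts holding more than one role, accounts with no role at all (usually leftovers), and capabilities granted directly on the user record, which the role editor never shows and which survive any role change. The command name `role-audit users`, the function name and the two-admin threshold are this example's own choices.

```php
<?php
/**
 * Added example (not part of the article). Save as
 * wp-content/mu-plugins/role-audit-users.php and run `wp role-audit users`.
 */

/**
 * Walk all users on the current site and return findings grouped by check.
 * $user->roles holds the role slugs; $user->caps holds everything stored on
 * the user record itself: role slugs plus any capabilities granted directly.
 */
function role_audit_users(): array {
    $report = [
        'administrators' => [],
        'multiple_roles' => [],
        'no_role'        => [],
        'direct_caps'    => [],
    ];
    foreach (get_users() as $user) {
        $login = $user->user_login;
        if (in_array('administrator', $user->roles, true)) {
            $report['administrators'][] = $login;
        }
        if (count($user->roles) > 1) {
            $report['multiple_roles'][] = $login . ' (' . implode(',', $user->roles) . ')';
        }
        if (empty($user->roles)) {
            $report['no_role'][] = $login;
        }
        // Anything in caps that is not a role slug was granted to the user directly.
        $direct = array_diff_key($user->caps, array_flip($user->roles));
        if ($direct) {
            $report['direct_caps'][] = $login . ' (' . implode(',', array_keys($direct)) . ')';
        }
    }
    return $report;
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('role-audit users', function () {
        // Summary: how many users hold each role (core's count_users()).
        foreach (count_users()['avail_roles'] as $role => $n) {
            WP_CLI::line(sprintf('%-15s %d', $role, $n));
        }
        WP_CLI::line('');

        $report     = role_audit_users();
        $max_admins = 2; // example threshold; tune to the site's ownership structure
        foreach ($report as $check => $logins) {
            $msg = sprintf('%s: %s', $check, $logins ? implode(', ', $logins) : 'none');
            $noisy = ($check === 'administrators' && count($logins) > $max_admins)
                  || ($check !== 'administrators' && $logins);
            if ($noisy) {
                WP_CLI::warning($msg);
            } else {
                WP_CLI::log($msg);
            }
        }
    });
}
```

Running this on a schedule (for example from cron, with the output sent to whoever owns the site) turns the "prune unnecessary access" step into something that actually happens rather than something that is meant to.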
Taking an intentional approach to assigning WordPress user roles will keep your site secure. Let‘s recap what we covered.
Summary and Next Steps
User roles are key to managing multiple accounts on your WordPress site. The 5 default roles like Administrator, Editor, and Author cover most use cases.
Whenever possible, stick to the default roles. Then customize by granting/denying specific capabilities as needed. For fully custom roles, use a plugin like Members.
Be sure to follow security best practices like limiting Administrators and using the principle of least privilege. Assign the most restrictive role that allows users to be productive.
As next steps, see our guides on registering a domain name and finding the best WordPress hosting for your site.
We hope this guide gave you a solid understanding of configuring WordPress user roles and permissions. Let us know if you have any other questions!