WordPress User Roles and Permissions Explained

Author: Bibin Wilson
January 6, 2026
Introduction

WordPress's user role system allows you to grant different levels of access to people who help manage your website. Whether you have guest bloggers, editors, shop managers, or virtual assistants, understanding roles and capabilities ensures everyone has appropriate access without compromising security. This guide explains each default role, its capabilities, and how to customize permissions for your needs.

Understanding WordPress User Roles
What Are User Roles?

User roles are predefined sets of permissions that determine what actions a user can perform on your WordPress site. Each role has specific capabilities that grant or restrict access to features like:

  • Creating and editing content
  • Publishing posts
  • Managing comments
  • Installing plugins and themes
  • Modifying site settings
  • Managing other users
Why User Roles Matter

  • Security: Limit access to prevent accidental or intentional damage
  • Organization: Define clear responsibilities for team members
  • Accountability: Track who made specific changes
  • Scalability: Easily add team members with appropriate permissions

The Five Default WordPress Roles
1. Administrator

Access Level: Complete control

Administrators can do everything on the site:

Content Management:

  • Create, edit, publish, delete any posts/pages
  • Manage categories and tags
  • Moderate all comments

Site Configuration:

  • Change themes and customize appearance
  • Install, activate, update, delete plugins
  • Modify site settings
  • Edit theme and plugin files

User Management:

  • Add, edit, delete any users
  • Change user roles
  • Create new administrators

When to Assign:

  • Site owners
  • Lead developers
  • Trusted senior team members

Security Note: Limit the number of administrators. Every admin account is a potential security risk if compromised.

2. Editor

Access Level: Full content control, no site settings

Editors manage all content but can't change site configuration:

Content Management:

  • Create, edit, publish, delete own posts
  • Create, edit, publish, delete others' posts
  • Manage categories and tags
  • Moderate comments

Cannot Do:

  • Install or manage plugins
  • Change themes
  • Modify settings
  • Manage users

When to Assign:

  • Content managers
  • Senior writers
  • Editorial staff
  • Anyone responsible for publishing others' work
3. Author

Access Level: Own content only

Authors can manage their own content:

Content Management:

  • Create, edit, publish, delete own posts
  • Upload media files
  • Cannot edit others' posts

Cannot Do:

  • Publish or manage others' content
  • Manage categories (can only select existing)
  • Moderate comments
  • Any administrative functions

When to Assign:

  • Regular blog writers
  • Columnists
  • Content creators with publishing autonomy
4. Contributor

Access Level: Write, cannot publish

Contributors create content that requires editorial review:

Content Management:

  • Create and edit own posts
  • Submit posts for review
  • Cannot publish posts
  • Cannot upload media

Cannot Do:

  • Publish own content
  • Edit after submission
  • Upload files
  • Anything beyond basic writing

When to Assign:

  • Guest bloggers
  • New writers
  • External contributors
  • Anyone whose work needs approval
5. Subscriber

Access Level: Profile only

Subscribers have minimal access:

Can Do:

  • Read content (if site has private content)
  • Edit own profile
  • Leave comments (logged in)

Cannot Do:

  • Create any content
  • Access dashboard (beyond profile)
  • Any administrative functions

When to Assign:

  • Community members
  • Newsletter subscribers with accounts
  • Membership site users (basic tier)
Capabilities Comparison Table

| Capability | Admin | Editor | Author | Contributor | Subscriber |
|---|---|---|---|---|---|
| Manage site settings | Yes | No | No | No | No |
| Install plugins | Yes | No | No | No | No |
| Switch themes | Yes | No | No | No | No |
| Manage users | Yes | No | No | No | No |
| Edit theme files | Yes | No | No | No | No |
| Publish posts | Yes | Yes | Yes | No | No |
| Publish pages | Yes | Yes | No | No | No |
| Edit others' posts | Yes | Yes | No | No | No |
| Delete others' posts | Yes | Yes | No | No | No |
| Edit own posts | Yes | Yes | Yes | Yes | No |
| Delete own posts | Yes | Yes | Yes | No | No |
| Upload files | Yes | Yes | Yes | No | No |
| Manage categories | Yes | Yes | No | No | No |
| Moderate comments | Yes | Yes | No | No | No |
| Read private posts | Yes | Yes | No | No | No |
| Edit profile | Yes | Yes | Yes | Yes | Yes |

Adding and Managing Users
Creating New Users
  1. Go to Users > Add New
  2. Fill in required fields:
    • Username (cannot change later)
    • Email address
  3. Optional fields:
    • First Name, Last Name
    • Website
    • Password (auto-generated or custom)
  4. Select appropriate role
  5. Check "Send User Notification" to email credentials
  6. Click "Add New User"
Changing User Roles
  1. Go to Users > All Users
  2. Hover over user, click "Edit"
  3. Scroll to "Role" dropdown
  4. Select new role
  5. Click "Update User"

Bulk Role Changes:

  1. Select multiple users (checkboxes)
  2. Choose "Change role to..." from Bulk Actions
  3. Select role
  4. Click "Apply"
Deleting Users
  1. Go to Users > All Users
  2. Hover over user, click "Delete"
  3. Choose what happens to their content:
    • Delete all content
    • Attribute content to another user
  4. Confirm deletion

Important: Always attribute the content to another user so that it stays on your site.

Multisite User Roles

WordPress Multisite adds a special role:

Super Admin

Access Level: Network-wide control

Super Admins can:

  • Manage all sites in the network
  • Add and remove sites
  • Manage network-wide plugins and themes
  • Create and delete users across all sites
  • Access all site dashboards

Regular site admins on a multisite cannot install plugins or themes unless the Super Admin enables this.

Customizing User Roles
Using Plugins

Default roles don't fit every need. Plugins allow customization:

User Role Editor

  • Edit existing role capabilities
  • Create custom roles
  • Copy roles
  • Delete unused roles
  • Granular capability control

Members

  • Role management
  • Content permissions
  • Capability control
  • Multiple roles per user

PublishPress Capabilities

  • Similar features
  • Backup and restore roles
  • Admin menu restrictions
Creating Custom Roles

With User Role Editor:

  1. Install and activate plugin
  2. Go to Users > User Role Editor
  3. Click "Add Role"
  4. Enter role name and display name
  5. Copy capabilities from existing role (optional)
  6. Click "Add Role"
  7. Customize capabilities
Custom Role Examples

SEO Manager

  • Edit posts for optimization
  • Cannot publish
  • Cannot delete
  • Read only for pages

Shop Manager (WooCommerce)

  • Manage products
  • View orders
  • Process refunds
  • No site settings

Social Media Manager

  • Create posts
  • Publish posts
  • Upload media
  • No settings access
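
The SEO Manager role described above can also be registered in code with WordPress's add_role() function. This is an added example, not code from the original guide or from any of the plugins it names; the plugin header, the seo_manager slug, the example_ function names and the exact capability selection are assumptions chosen to match the description.

```php
<?php
/**
 * Plugin Name: Example SEO Manager Role (added example)
 */

// Roles are stored in the database, so register the role once on plugin
// activation instead of on every page load.
register_activation_hook( __FILE__, 'example_add_seo_manager_role' );
register_deactivation_hook( __FILE__, 'example_remove_seo_manager_role' );

function example_add_seo_manager_role() {
	// add_role() leaves an existing role untouched, so remove any earlier
	// copy first to make sure the capability list below is what gets saved.
	remove_role( 'seo_manager' );

	add_role(
		'seo_manager',  // assumed slug
		'SEO Manager',  // display name shown in the Role dropdown
		array(
			'read'                 => true, // dashboard and own profile
			'edit_posts'           => true, // open posts in the editor
			'edit_others_posts'    => true, // including other users' posts
			'edit_published_posts' => true, // including live posts
			// Deliberately not granted: publish_posts, delete_posts,
			// delete_others_posts, delete_published_posts, edit_pages,
			// upload_files, manage_options.
		)
	);
}

function example_remove_seo_manager_role() {
	// Do not leave accounts pointing at a role that no longer exists:
	// move them to Subscriber before deleting the role.
	foreach ( get_users( array( 'role' => 'seo_manager' ) ) as $user ) {
		$user->set_role( 'subscriber' );
	}
	remove_role( 'seo_manager' );
}
```
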
Plugin-Specific Roles

Many plugins add their own roles:

WooCommerce

Shop Manager:

  • Manage products and orders
  • View reports
  • Manage customers
  • Cannot change settings

Customer:

  • View own orders
  • Edit account details
  • No dashboard access
bbPress (Forums)

  • Keymaster: Full forum control
  • Moderator: Manage topics and replies
  • Participant: Create topics and replies
  • Spectator: Read only

MemberPress (Memberships)

Custom capabilities for:

  • Managing memberships
  • Viewing transactions
  • Managing members
  • Configuring rules
Security Best Practices
Principle of Least Privilege

Give users only the permissions they need:

  • Don't make everyone an admin
  • Start with lower roles, upgrade if needed
  • Review permissions regularly
  • Remove access when no longer needed
Administrator Account Security
  • Limit admin accounts (2-3 maximum)
  • Use unique, strong passwords
  • Enable two-factor authentication
  • Never share admin credentials
  • Rename default "admin" username
Regular User Audits

Schedule periodic reviews:

  • Who has access?
  • Are their roles appropriate?
  • Any inactive accounts to remove?
  • Any suspicious activity?
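
Part of this review can be scripted. The following added example (not from the original guide) reports the number of accounts per role and flags the points raised in this section and in the self-registration FAQ: too many administrators, a default "admin" username, a self-registration default role other than Subscriber, and accounts with no role. The function name, the file name in the comment and the threshold of 3 are assumptions.

```php
<?php
// Added example. Run it inside WordPress, for instance with WP-CLI:
//   wp eval-file audit-users.php

/**
 * Collect role-related findings for a periodic user audit.
 *
 * @param int $max_admins Assumed ceiling, from the guide's "2-3 maximum".
 * @return array Keys: 'findings' (string[]) and 'role_counts' (role => int).
 */
function example_audit_users( $max_admins = 3 ) {
	$findings = array();

	// Who holds full control?
	$admins = get_users( array( 'role' => 'administrator' ) );
	if ( count( $admins ) > $max_admins ) {
		$findings[] = sprintf( '%d administrator accounts, expected at most %d', count( $admins ), $max_admins );
	}
	foreach ( $admins as $admin ) {
		if ( 'admin' === strtolower( $admin->user_login ) ) {
			$findings[] = sprintf( 'Administrator #%d uses the default "admin" username', $admin->ID );
		}
	}

	// Which role does self-registration hand out?
	$default_role = get_option( 'default_role' );
	if ( get_option( 'users_can_register' ) && 'subscriber' !== $default_role ) {
		$findings[] = sprintf( 'Open registration assigns the "%s" role', $default_role );
	}

	// Accounts per role; the "none" entry counts users without any role.
	$counts = count_users();
	if ( ! empty( $counts['avail_roles']['none'] ) ) {
		$findings[] = sprintf( '%d accounts have no role', $counts['avail_roles']['none'] );
	}

	return array( 'findings' => $findings, 'role_counts' => $counts['avail_roles'] );
}

$report = example_audit_users();
foreach ( $report['role_counts'] as $role => $total ) {
	echo $role . ': ' . $total . PHP_EOL;
}
foreach ( $report['findings'] as $finding ) {
	echo 'REVIEW: ' . $finding . PHP_EOL;
}
```
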
Activity Logging

Track user actions with plugins:

  • WP Activity Log: Detailed logging
  • Simple History: Lightweight logging
  • User Activity Log: User-focused tracking
Common Scenarios
Scenario 1: Hiring a Writer

Need: Someone to write blog posts

Best Role: Author (if trusted to publish) or Contributor (if needs review)

Setup:

  1. Create user account
  2. Assign Author or Contributor role
  3. Explain content guidelines
  4. Provide style guide
Scenario 2: Virtual Assistant

Need: Help with various tasks

Best Role: Editor or custom role

Setup:

  1. Determine specific tasks needed
  2. Create custom role with only those capabilities
  3. Document what they can access
  4. Review periodically
Scenario 3: Guest Blogger

Need: One-time or occasional posts

Best Role: Contributor

Setup:

  1. Create account with Contributor role
  2. They write, you review and publish
  3. Delete or disable account after completion
Scenario 4: Developer Access

Need: Technical work on site

Best Role: Administrator (temporary)

Setup:

  1. Create separate admin account
  2. Enable after backup
  3. Monitor their activity
  4. Delete account when work complete
Frequently Asked Questions
Can a user have multiple roles?

Not by default. WordPress assigns one role per user. Plugins like "Members" or "Multiple Roles" enable multiple role assignment.

How do I restrict access to specific posts?

Use plugins like:

  • PublishPress Capabilities for content permissions
  • Members for content restriction
  • Restrict Content Pro for membership-based access
Can I hide dashboard menus from certain roles?

Yes, with plugins:

  • Adminimize: Hide menu items by role
  • User Role Editor: Menu restrictions
  • Admin Menu Editor: Complete menu control
What happens to content when I delete a user?

You choose:

  • Delete all their content
  • Attribute to another user

Always attribute to preserve content.
How do I let users register on my site?

In Settings > General:

  • Check "Anyone can register"
  • Set "New User Default Role"

Most sites set this to Subscriber.
Can I prevent Editors from deleting posts?

Yes, with role editing plugins. Remove the "delete_posts" capability from the Editor role.
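
The same change can be made in code with get_role() and remove_cap(). This is an added example, not code from the original guide; the example_ function names are assumptions. WordPress checks a different capability depending on who wrote the post and whether it is published, so the example removes the related post-deletion capabilities along with delete_posts and provides a function to restore them.

```php
<?php
// Added example. Role changes are saved to the database, so call each
// function once (for example from a plugin's activation and deactivation
// hooks), not on every page load.

// Core capabilities that govern deleting posts. Pages are controlled by
// the separate delete_pages family and are left alone here.
function example_post_delete_caps() {
	return array(
		'delete_posts',           // the user's own unpublished posts
		'delete_published_posts', // posts that are already published
		'delete_others_posts',    // posts written by other users
		'delete_private_posts',   // privately published posts
	);
}

// Remove the capabilities from Editor; returns the ones actually removed.
function example_editor_block_post_deletion() {
	$removed = array();
	$editor  = get_role( 'editor' );
	if ( null === $editor ) {
		return $removed; // the Editor role has been deleted on this site
	}
	foreach ( example_post_delete_caps() as $cap ) {
		if ( $editor->has_cap( $cap ) ) {
			$editor->remove_cap( $cap );
			$removed[] = $cap;
		}
	}
	return $removed;
}

// Undo the change by granting the same capabilities again.
function example_editor_allow_post_deletion() {
	$editor = get_role( 'editor' );
	if ( null === $editor ) {
		return;
	}
	foreach ( example_post_delete_caps() as $cap ) {
		$editor->add_cap( $cap );
	}
}
```
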

Key Takeaways
  • WordPress has five default roles: Administrator, Editor, Author, Contributor, Subscriber
  • Each role has specific capabilities defining what users can do
  • Administrators have full control; Subscribers have minimal access
  • Plugins allow customization and creation of new roles
  • Always follow the principle of least privilege
  • Regular audits keep your site secure
Next Steps

Now that you understand user roles, learn about WordPress Security to protect all those accounts, or explore our guide on Building a Team to manage your growing website effectively.

