As your business grows, managing who has access to your WordPress website becomes increasingly important. Assigning appropriate user roles ensures each person has the right permissions, enhancing workflow efficiency and boosting site security. WordPress provides default user roles with specific capabilities, and you can even customize these roles to fit your unique needs.
Key highlights:
- WordPress user roles explained and why WordPress roles are important
- Explore the default user roles and user capabilities
- Manage and customize user roles access using plugins
- Implement best practices for assigning user roles
- Create custom user roles for your website
Let’s dive in and learn how to effectively manage WordPress user roles to keep your website running smoothly.
Understanding WordPress user roles
A user role is defined by a set of tasks that a specific role is given permission to perform in a WordPress site. There are six pre-defined WordPress user roles:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
- Super Admin
An administrator has access to all the possible website tasks, while a subscriber only has the ability to read the website. Each role has a set of tasks, or capabilities, like the ability to delete posts, publish pages, update themes and add users.
WordPress also empowers you to add or remove roles and capabilities. You can do this manually or through various plugins.
Here’s a rundown of what each of the existing roles includes:
Permissions | Administrator | Editor | Author | Contributor | Subscriber |
Read site | Yes | Yes | Yes | Yes | Yes |
Edit posts | Yes | Yes | Yes | Yes | – |
Deleting posts | Yes | Yes | Yes | Yes | – |
Publish posts | Yes | Yes | Yes | – | – |
Upload files | Yes | Yes | Yes | – | – |
Publish pages | Yes | Yes | – | – | – |
Delete pages | Yes | Yes | – | – | – |
Edit pages | Yes | Yes | – | – | – |
Read, edit or delete private pages | Yes | Yes | – | – | – |
Manage categories | Yes | Yes | – | – | – |
Moderate comments | Yes | Yes | – | – | – |
Activate plugins | Yes | – | – | – | – |
Create new users | Yes | – | – | – | – |
Delete plugins, themes or users | Yes | – | – | – | – |
Edit files, plugins, themes or users | Yes | – | – | – | – |
Export or import content | Yes | – | – | – | – |
Install plugins or themes | Yes | – | – | – | – |
Manage user options | Yes | – | – | – | – |
Update themes, plugins, dashboard or core | Yes | – | – | – | – |
Let’s take a look at each of these WordPress default user roles in more detail.
Importance of WordPress user roles
It can be a simple task to manage your user roles if only a couple of people need access to the website, or it can be a challenge if you run an extensive blog or eCommerce store. But anyone with a WordPress website needs to learn how to manage user roles.
Assigning roles helps you manage your site efficiently. It can also create a structure for workflow. If an author posts a blog, then an editor can read it over before it’s published.
Familiarize yourself with all the capabilities of user roles to help with task delegation. You’ll get a better sense of what tasks should go to whom and what access employees need for their job.
If an employee is savvy with design, then they might benefit from the ability to edit or change the theme. Or you might want another employee to manage users on your website, and they’ll need the ability to add and edit users.
Another important reason to monitor WordPress user roles is security. This is especially crucial when working with external freelancers, designers, or developers—particularly for small-scale businesses or startups. Providing access to outside collaborators can sometimes open doors to potential security vulnerabilities if not handled carefully.
Not everyone needs access to every corner of your website, so it’s vital to assign roles that align with their specific tasks. This not only secures your site but also helps prevent accidental changes by limiting what each user can modify. Be proactive, and assign user roles accordingly.
Capabilities for WordPress user types
Each user role builds on the one below it, with more WordPress user permissions added at each level. Every role has multiple capabilities, with subscribers having the least access.
When you add a new user in your WordPress dashboard, you can choose their role, which you can edit later.
Five default WordPress user roles
WordPress is designed with five default user roles built into the software. Each role comes with its own permissions.
1. Administrator role
Administrator accounts have full permissions on the WordPress control panel. You’ll be able to publish, edit and delete:
- Blog posts
- Webpages
- Themes
- Plugins
- Code
Administrators are also in charge of updating the permissions and roles of other users.
If you’re the website administrator, you’re running the show. This role is usually reserved for the site owner, who usually has a thorough understanding of how WordPress works.
Besides full admin access, the administrator gets a lot of responsibility. So, it’s vital that you only give administrator permissions to people you trust with your entire website.
You may have come across the term “Super Admin.” However, the Super Admin role is only an appropriate option in WordPress Multisite network mode.
Some companies manage multiple WordPress websites. The Super Admin role is reserved for the user who has administrator permissions across all of them. Like an admin, they have full access to the websites they oversee. Super Admins can create and delete websites. They also manage the network, including the websites, plugins, users, upgrades, setups and themes.
If you only have one WordPress website, you inherently are the Super Admin.
What does the WordPress Administrator role do?
Administrators (admins) have access to every part of a website and also have the permissions of all the previous roles.
Admins manage the website and can switch themes and add plugins. Admins can also manage WordPress users and edit them. They can also delete a website.
2. Editor
The editor has many permissions and is like the second-in-command to the administrator. For example, a user with editor permissions can publish, edit and delete blog posts and website pages.
However, unlike administrators, editors can’t change core components of the website, such as the theme, plugins or users.
If you have an assistant website administrator at your company, this may be a good role option for them.
What does the WordPress Editor role do?
An editor has more access to each post, with the ability to edit, publish and delete posts and pages. They can manage categories, links and comments. They can also create and edit blocks.
Editors may oversee content and not website management.
3. Author
An author has minimal permissions but can do enough to run your website’s blog. This user role can edit, write, publish and delete blog posts.
If your company has hired an external content publisher, consider giving them author permissions. This way, they can run your blog daily without having access to the rest of your website.
What does the WordPress Author role do?
Authors can write, edit, publish and delete posts they wrote. They can also upload files. But they can’t edit other users’ posts or pages.
Authors can also tag posts and assign them to categories but cannot create new categories.
4. Contributor
Contributors have minimal user permissions, but, as the name suggests, they can add new posts to the website’s blog. In addition, contributors to the blog can write, edit and delete posts created. However, they cannot publish them.
The contributor role permissions are suitable for the website’s writers. This way, the author, editor or administrator can approve upcoming posts before publication, editing or deleting them as they see fit.
What does the WordPress Contributor role do?
Contributors can add new posts and edit their own published posts. But they cannot delete or publish posts, including their own. They’re also unable to add images or media files to their own posts.
A contributor might be a good option for a one-time guest blogger or a new author.
5. Subscriber
The subscriber is the default user role with the fewest permissions. As a subscriber, your only permission is to read the content.
For blogs with an active, engaged following, this WordPress user role is a useful option that lets users create a username, comment on posts and interact with other members.
What does the WordPress Subscriber role do?
Subscriber is the most basic user role. Subscribers can only read posts, which anyone can do without being a subscriber.
If you offer subscription-based or members-only content, users can create profiles on your website and log in to specific areas. This role is also used to log in to comment on posts.
Subscribers will also have the ability to update their user profile.
Default vs. custom user roles
When working with WordPress, you’ll notice it comes equipped with a set of default user roles, each tailored to different site management tasks. However, as your WordPress site evolves, you might find that these predefined roles don’t perfectly align with your team’s needs or your website’s specific requirements. This is where custom user roles come in handy.
Default WordPress user roles offer pre-configured sets of permissions designed to streamline common tasks and responsibilities. These roles are convenient for general use cases, allowing you to assign roles right away without needing to make adjustments. But because they are preset, they may not fully address unique site needs or specialized team structures.
In contrast, custom WordPress user roles provide administrators with the flexibility to assign highly specific permissions that align with their site’s exact needs. With custom roles, you can fine-tune what each user is allowed to do, ensuring that every team member has just the right amount of access. This detailed level of control helps create a more secure and organized WordPress site environment.
One of the biggest advantages of custom roles is their adaptability. As your website or team grows and changes, these roles can be updated or expanded to match new workflows or responsibilities, keeping everything running smoothly.
Create WordPress custom user roles and capabilities
The default user roles are functional for most WordPress websites, but some websites might need to change the parameters for specific roles. WordPress custom roles help you tweak preset roles into those that better suit your website.
You can customize existing user roles manually by coding, or you can also use plugins on WordPress to edit roles and create your own roles.
Managing and creating roles and capabilities with User Role Editor plugin
Here are some popular plugins to manage WordPress user roles:
- PublishPress Capabilities: Manage WordPress Permissions and Edit User Roles
- User Role Editor
- Members – Membership & User Role Editor Plugin
- Advanced Access Manager
- User Switching
- WPFront User Role Editor
- View Admin As
Each of these plugins has features that help manage user roles. For example, PublishPress Capabilities lets you assign WordPress user levels to each role, and Advanced Access Manager gives you the ability to edit a user’s backend menu.
New capabilities and roles from other WordPress plugins
Other popular plugins like WooCommerce and Yoast add capabilities and roles to your website. WooCommerce provides new user roles, including Customer and Shop Manager. Yoast adds SEO Manager and SEO Editor to your dropdown of roles.
These extra roles come with new capabilities and access to the plugins on the website. Stay aware of the new roles offered by specific plugins so you can make the best use of their features.
How to add and remove capabilities from existing WordPress roles in WordPress user management
You’ll have WordPress user management permissions if you are the website administrator.
Customizing the permissions of all other users can be helpful when you have a team member who doesn’t take on new responsibilities and needs access to specific control panel areas. It’s also a helpful way to manage a fully remote team.
Here’s a step-by-step guide demonstrating how to edit specific permissions for your users using the User Role Editor plugin:
- First, you need to download the User Role Editor plugin on your WordPress dashboard.
- Go to Plugins > Add New Plugin. Then, search for User Role Editor and activate the plugin.
- In the left panel of your dashboard, select Users > User Role Editor.
- In the User Role Editor plugin, choose the user you want to edit from the dropdown menu.
- You’ll see the user’s full capabilities. If the format is challenging, select the option “Show capabilities in human readable form”.
- Scroll through the user’s permissions and check or uncheck the box next to the relevant permissions.
- Select Update when you’re ready to finalize your choices.
And that’s it. The user should immediately have access to their new permissions.
How to create a new user role in WordPress user management
In some cases, you may wish to save a template of a new type of WordPress user role.
For instance, let’s say you have a team of blog editors who need access to editing user roles so they can add new contributors to the team. However, you don’t want these editors to have full access to the website’s plugins or themes.
Or, let’s say you hire a series of external freelance SEO consultants. You may wish to create a specific user role for these consultants that gives them permission to edit their own posts but not publish or delete them.
To save this new role template in your system, we recommend creating a new custom user role.
This process can also be done within the User Role Editor plugin:
- In the left panel of the WordPress dashboard, select Users > User Role Editor.
- Find and select the option Add Role in the right-side panel.
- Write an ID and a Display Role Name. This is the name of the user role type.
- If you want to start with permissions from an existing user role, head to the “Make copy of” dropdown menu.
Tip: Don’t use spaces when writing the role ID; you can use letters, numbers and symbols instead.
- Edit the capabilities for the new role using the boxes next to each permission.
- When you’re satisfied with your choices, click Update.
Once you’ve completed these steps, your new user role should be ready to use and appear in the available user roles list when you register a new user.
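The freelance SEO consultant role described above can also be created in code with WordPress's `add_role()`. This is an added example, not code from the original article or from the User Role Editor plugin; the role ID `seo_consultant`, the display name and the `example_` function names are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: SEO Consultant Role (illustrative example)
 *
 * Added example: role ID, display name and function names are hypothetical.
 */

// Capabilities for the role: edit own posts only.
// This is the Contributor set without 'delete_posts'; 'publish_posts' and
// 'upload_files' are deliberately absent.
function example_seo_consultant_caps() {
    return array(
        'read'       => true, // access the dashboard and own profile
        'edit_posts' => true, // create and edit own unpublished posts
    );
}

// Roles are stored in the database, so create the role once on plugin
// activation rather than on every page load.
function example_add_seo_consultant_role() {
    $wanted = example_seo_consultant_caps();
    $role   = get_role( 'seo_consultant' );

    if ( null === $role ) {
        add_role( 'seo_consultant', 'SEO Consultant', $wanted );
        return;
    }

    // The role already exists (for example, it was edited by hand earlier).
    // Reconcile it so it cannot silently keep capabilities we never intended.
    foreach ( array_keys( $role->capabilities ) as $cap ) {
        if ( ! array_key_exists( $cap, $wanted ) ) {
            $role->remove_cap( $cap );
        }
    }
    foreach ( $wanted as $cap => $grant ) {
        $role->add_cap( $cap, $grant );
    }
}
register_activation_hook( __FILE__, 'example_add_seo_consultant_role' );
```

Because the capability list is reconciled on each activation, re-activating the plugin resets the role to exactly the two capabilities listed.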
How to delete user roles in WordPress
Delete user roles using the User Role Editor plugin
- In the left panel of your dashboard, select Users > User Role Editor.
- On the right side, select Delete Role.
- From the dropdown, select the user role you want to delete. Or, select ‘delete all unused roles’.
- After selecting the role, click on the Delete Role button.
After deletion, ensure that the role is removed successfully. You can do it by checking the list of available roles within the plugin.
Delete user roles using custom code
Deleting user roles via custom code can be tricky and may cause issues if not done correctly. Always test this on a staging or development WordPress site first.
In your theme’s functions.php file or in a custom plugin, use the remove_role() function, specifying the exact role name to be deleted.
```php
// Example: deleting a custom role named 'example_role'
remove_role( 'example_role' );
```
After adding the code, test it on a staging site to ensure it works as expected without disrupting other WordPress site functions.
Once you’re confident, apply the code to your live site. Check the list of roles in your WordPress dashboard to ensure the role has been successfully removed.
Pro tip: Always back up your WordPress site before deleting any user roles. Deleting a role can impact users associated with it, so make sure their access is adjusted or reassigned to prevent disruptions.
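One way to follow the pro tip above is to move users off the role before calling `remove_role()`, so nobody is left without a role. This is an added example, not code from the original article; `example_retire_role()` and the `subscriber` fallback are assumptions, and `example_role` is the role name from the snippet above.

```php
<?php
// Added example: the function name and the fallback role are hypothetical.

/**
 * Reassign every user who holds $role_id, then delete the role.
 *
 * @return int|WP_Error Number of users reassigned, or an error if refused.
 */
function example_retire_role( $role_id, $fallback = 'subscriber' ) {
    // Never delete a built-in role or the role we are falling back to.
    $protected = array( 'administrator', 'editor', 'author', 'contributor', 'subscriber' );
    if ( in_array( $role_id, $protected, true ) || $role_id === $fallback ) {
        return new WP_Error( 'protected_role', 'Refusing to delete a default or fallback role.' );
    }
    if ( null === get_role( $role_id ) ) {
        return new WP_Error( 'unknown_role', 'Role to delete does not exist.' );
    }
    if ( null === get_role( $fallback ) ) {
        return new WP_Error( 'unknown_fallback', 'Fallback role does not exist.' );
    }

    // If new registrations are handed this role, point them at the fallback
    // first so sign-ups do not receive a role that no longer exists.
    if ( get_option( 'default_role' ) === $role_id ) {
        update_option( 'default_role', $fallback );
    }

    // get_users() only returns users of the current site on Multisite.
    $moved = 0;
    foreach ( get_users( array( 'role' => $role_id ) ) as $user ) {
        $user->remove_role( $role_id );
        // Users who held other roles keep them; users left with none
        // get the fallback instead of ending up role-less.
        if ( empty( $user->roles ) ) {
            $user->add_role( $fallback );
        }
        $moved++;
    }

    remove_role( $role_id );
    return $moved;
}

// Example call for the role used in the article's snippet:
// $result = example_retire_role( 'example_role' );
```

Run it once (for example with WP-CLI's `wp eval`) on staging first, rather than leaving the call in functions.php where it would execute on every request.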
WordPress new user registration
WordPress New User Registration isn’t automatically available on WordPress websites. If you need users to be able to register themselves as “subscribers,” you have to follow a short series of steps in your WordPress dashboard.
- Head to site Settings > General in WordPress admin panel.
- Find the Membership section.
- Then, check the checkbox next to Anyone can register.
Select a default user role. Most administrators prefer to use the subscriber role as this has the smallest set of capabilities. However, you can also choose any other WordPress user roles, including custom user roles you have created yourself.
Once this option is set up, you can invite readers to join the community.
Benefits of creating WordPress new user registration
Creating a WordPress New User Registration option for your readers can be helpful for many reasons, including to:
- Encourage a readership community.
- Create user-only private content to improve customer retention.
- Permit comments and discussion. Users make 77 million comments every month, so empowering your audience to do so is a great way to tap into this ready-made customer engagement.
- Monitor your loyal readers or customers for eCommerce websites.
- Show off your following by displaying your user count.
- Improve your employees’ work experience by ensuring they can access everything they need.
If you dislike the idea of users creating their own accounts, keep this box unticked.
Instead, the Administrator will be the only one who can access complete WordPress user management and add new users. While this can be more secure in practice, it can prove tiresome and unnecessary for some companies.
Best practices for managing WordPress roles
Effectively managing WordPress roles is crucial for maintaining your website’s security and ensuring smooth operations. Here are some best practices to help you assign roles appropriately, enhance security and perform regular audits:
Assign the minimum required permissions
- Principle of Least Privilege: Grant users only the permissions they need to perform their tasks. Avoid assigning higher-level roles like Administrator unless absolutely necessary.
- Role Assessment: Before assigning a role, evaluate the user’s responsibilities and match them with the appropriate role that fits their duties.
Regularly audit user roles and permissions
- Periodic reviews: Schedule regular audits (e.g., quarterly) to review user accounts and their assigned roles.
- Update or remove inactive accounts: Deactivate or delete accounts that are no longer in use to reduce potential security risks.
- Monitor for unauthorized changes: Use security plugins or audit logs to track changes in user roles and permissions.
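The periodic review and change monitoring described above can be done with WordPress's own hooks and user queries. This is an added example, not code from the original article or from any audit plugin; the `example_` function names, the log format and the idea of passing in a list of expected administrator logins are assumptions.

```php
<?php
// Added example: function names and log format are hypothetical.

// 1. Monitoring: record every role change as it happens.
//    'set_user_role' fires inside WP_User::set_role() with the old roles;
//    'add_user_role' / 'remove_user_role' cover additional-role changes.
function example_log_role_set( $user_id, $new_role, $old_roles ) {
    error_log( sprintf(
        '[role-audit] set user=%d new_role=%s old_roles=%s changed_by=%d',
        $user_id,
        $new_role,
        implode( ',', (array) $old_roles ),
        get_current_user_id() // 0 when no user is logged in (cron, CLI)
    ) );
}
add_action( 'set_user_role', 'example_log_role_set', 10, 3 );

function example_log_role_added( $user_id, $role ) {
    error_log( sprintf( '[role-audit] add user=%d role=%s changed_by=%d',
        $user_id, $role, get_current_user_id() ) );
}
add_action( 'add_user_role', 'example_log_role_added', 10, 2 );

function example_log_role_removed( $user_id, $role ) {
    error_log( sprintf( '[role-audit] remove user=%d role=%s changed_by=%d',
        $user_id, $role, get_current_user_id() ) );
}
add_action( 'remove_user_role', 'example_log_role_removed', 10, 2 );

// 2. Periodic review: compare the site's state with what you expect.
//    $expected_admin_logins is the list of usernames you know should be
//    administrators. Returns an array of human-readable findings.
function example_role_audit_report( array $expected_admin_logins ) {
    $findings = array();

    foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
        if ( ! in_array( $admin->user_login, $expected_admin_logins, true ) ) {
            $findings[] = sprintf(
                'Unexpected administrator: %s (ID %d, registered %s)',
                $admin->user_login,
                $admin->ID,
                $admin->user_registered
            );
        }
    }

    // Self-registration should hand out the smallest role. Anything other
    // than Subscriber is flagged for review, not treated as an error.
    $default_role = get_option( 'default_role' );
    if ( get_option( 'users_can_register' ) && 'subscriber' !== $default_role ) {
        $findings[] = sprintf(
            'Registration is open and new users receive the "%s" role; review.',
            $default_role
        );
    }

    return $findings;
}
```

An empty array from `example_role_audit_report()` means every administrator is on your expected list and open registration, if enabled, assigns Subscriber.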
Implement strong password policies
- Enforce complex passwords: Require users to create strong passwords with a mix of letters, numbers and special characters.
- Enable two-factor authentication (2FA): Add an extra layer of security by implementing 2FA for user logins, especially for users with higher-level access.
Limit the number of administrators
- Minimize administrator accounts: Keep the number of Administrator accounts to a minimum to reduce security vulnerabilities.
- Assign alternative roles: Use roles like Editor or Author for users who don’t need full administrative access but require more permissions than lower-level roles provide.
Educate users on security best practices
- Training sessions: Provide training or resources to educate users about security protocols and best practices.
- Security guidelines: Share guidelines on recognizing phishing attempts, avoiding suspicious links and safeguarding login credentials.
Use trusted user role management plugins
- Reputable plugins: Only use well-reviewed and regularly updated plugins to manage user roles and permissions.
- Keep plugins updated: Regularly update all plugins to their latest versions to patch any security vulnerabilities.
Set up user role hierarchies
- Structured role assignment: Create a clear hierarchy of roles that aligns with your organization’s structure and workflow.
- Custom roles: If default roles don’t meet your needs, create custom roles with specific capabilities tailored to different team members.
Implement logging and monitoring
- Activity logs: Use plugins to log user activities, especially for critical actions like plugin installations, content deletions or role changes.
- Real-time alerts: Set up notifications for unusual activities or unauthorized access attempts.
Restrict access to sensitive information
- Content access control: Limit access to sensitive pages, posts or data to only those who need it.
- File permissions: Ensure server file permissions are correctly set to prevent unauthorized access or modifications.
Backup your website regularly
- Scheduled backups: Regularly back up your website, including databases and user data.
- Secure storage: Store backups in secure, off-site locations or use encrypted cloud storage solutions.
Review third-party access
- API and integration management: Monitor and control any third-party services or APIs that have access to your site.
- Revoke unused access: Remove permissions for integrations or users that are no longer needed.
Plan for user role changes
- Onboarding procedures: Establish a standardized process for adding new users, including assigning appropriate roles and training.
- Offboarding procedures: When a user leaves the organization, promptly adjust or revoke their access to prevent unauthorized activity.
- Role transition policies: Define clear protocols for changing a user’s role when their responsibilities change within the organization.
Enforce account security measures
- Login security: Implement measures like limiting login attempts to prevent brute-force attacks.
- Password expiration: Consider policies that require users to update their passwords periodically.
Utilize secure hosting services
- Choose reliable hosting: Opt for hosting providers that prioritize security features like firewalls, malware scanning and DDoS protection.
- SSL certificates: Ensure your site uses SSL encryption to protect data transmitted between your site and its users.
Stay informed about security trends
- Continuous learning: Keep up-to-date with the latest WordPress security news and updates.
- Community engagement: Participate in WordPress forums or communities to learn from others’ experiences and share best practices.
Efficient user management in WordPress multisite
Managing user roles across multiple sites in a WordPress Multisite network introduces unique challenges and opportunities. To optimize administration:
- Network registration settings: Configure registration to either allow or restrict user sign-ups on the network or individual subsites. You can also control who has the ability to create new sites.
- Centralized user access: Multisite allows one user account to access multiple sites across the network, offering a streamlined experience for site administrators.
- Site-level user registration: If you want user registration limited to specific subsites, plugins like Network Subsite User Registration can help manage this.
- Super admin privileges: Use these with caution! Super Admins have the highest level of control, managing not only individual sites but the entire network. Assign this role only to trusted users.
Consider giving yourself more roles
You can still create multiple users if you’re the only one managing your WordPress website. For example, if you create a separate editor or author account, you can still manage posts and keep your admin duties separated.
Various user roles also add another layer of security if one of your roles gets compromised.
WordPress user roles and permissions make it easier to run your website. Assign roles and know what capabilities are designated to each employee to help your workflow and control security.
WordPress makes it easy to assign roles and choose what level of access to grant each user. Using WordPress plugins can also help create custom roles that help your website’s functionality.
Don’t forget to keep capabilities updated and assigned to only those who need that level of access.
Learn more about the different capabilities and create custom user roles in WordPress to help grow your WordPress skills.
FAQs: WordPress user roles
WordPress has several user roles, including Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role comes with specific permissions, determining what users can do on the site.
To manage roles, go to the WordPress dashboard, navigate to “Users,” and choose the user you want to edit. You can change their user role by selecting from a dropdown menu and saving the changes. Plugins like “User Role Editor” can provide more comprehensive management options.
You can set roles when registering a user by choosing from a dropdown menu, or after registration by editing the user’s role in the dashboard. Plugins can also help you customize or create new roles to fit your needs.
WordPress offers these default user roles: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role has different capabilities, with the Super Admin having the highest level of control.
Yes! WordPress allows you to create custom roles to tailor user permissions based on your site’s specific requirements.
User roles determine what users can do in terms of editing and publishing content. For instance, Administrators can manage everything, while Contributors can only submit posts for review.
Yes, plugins like “User Role Editor,” “Members,” and “Advanced Access Manager” allow you to modify or extend the default user roles.
Plugins are available to track user activities, providing insights into what actions different roles are taking on your site. These tools are usually accessible to administrators.
WordPress categorizes users into six levels: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each level has different capabilities, which define the tasks users can perform.
User roles are predefined sets of permissions. Permissions refer to specific actions users can perform, such as publishing posts or managing plugins. Roles group these permissions together and assign them to users.
Permissions dictate what actions users can take, depending on their role. For example, an Editor can publish and manage posts, while a Subscriber can only read content.
2 Comments
I checked my website and I see another administrator with email [email protected]. Should that administrator exist?
Hi Alex,
As long as you have yourself as an admin and that’s the only person you want as an admin, you don’t need any other administrators to exist. If you had someone set up your WordPress account for you, it’d be best to check with them to ensure that admin profile isn’t being used for anything else!