Beginner’s Guide to WordPress User Roles and Permissions

WordPress allows you to easily add new users to your website. Depending on the role and permissions you assign them, these users can then work on your site.

Many new WordPress users aren’t aware of these user roles and permissions. We have seen them give strangers full admin access to their business websites, compromising sensitive customer and business data.

In this article, we’ll explain WordPress user roles and permissions in detail and teach you which user role to assign when adding new users.

What Are WordPress User Roles and Permissions?

Using WordPress user roles and permissions correctly gives you complete control over your WordPress website and can help improve your website security.

WordPress allows you to add multiple users to your website. You can also open user registration on your website so that other users can sign up.

When adding a new user to your website, you can choose a user role for them. You can also set a default user role for your site, which will be automatically assigned to new users who sign up for an account.

Each user role comprises specific capabilities, or permissions, that spell out the actions a user can take on your website.

There are five default user roles available in WordPress:

1. Administrator
2. Editor
3. Author
4. Contributor
5. Subscriber

You can see a complete visual comparison between each user role by viewing the infographic below:

Alternatively, you can read the summary of each user role and their capabilities and permissions below.

1. Administrator Role

On a regular WordPress website, the administrator role is the most powerful user role. Users with the administrator role can add new posts, edit posts by any users, and delete those posts.

Plus, they can install, edit, and delete plugins and themes.

Most importantly, admin users can add and delete users and change information about existing users, including their passwords.

This role is reserved for site owners and gives you full control of your WordPress website.

If you are running a multi-user WordPress site, you need to be very careful who you assign the administrator user role to.

Can I Share Admin Access With a Developer?

From our experience, creating a staging website under the same hosting account is somewhat safer. It allows developers to have the same web hosting environment to test their code but without the right to publish anything on your live website.

Alternatively, you can share an empty website under the same hosting account with the developers to work on. This way, they will not have access to the data stored on your website.

For more information, see our article on sharing admin access with plugin developers.

2. Editor Role

Users with the editor role in WordPress have complete control over the content sections of your website.

They can add, edit, publish, and delete any post on the site, including those written by others. An editor can also moderate, edit, and delete comments.

Editors cannot change your site settings, install plugins and themes, or add new users.

3. Author Role

Users with the author role can write, edit, and publish their own posts. They can also delete their own posts, even if they have already been published.

Authors cannot create new categories when writing posts, but they can choose from existing ones and add tags to their posts.

Authors can view comments, even those pending review, but they cannot moderate, approve, or delete any comments.

They do not have access to site settings, plugins, or themes, so it is a relatively low-risk user role. The only exception is the ability to delete their own published posts.

4. Contributor Role

Users with the contributor role can add new posts and edit their posts, but they cannot publish any posts.

When writing posts, they can choose from existing categories and create their tags.

The most significant disadvantage of the contributor role is they cannot upload files, so they can’t add images to their posts.

Contributors can also view all website comments, but they cannot approve or delete comments.

Finally, they don’t have access to website settings, plugins, or themes, so they cannot change any settings on your site.

5. Subscriber Role

Users with the subscriber role can log in to your WordPress site, update their user profiles, and change their passwords.

They can’t write posts, view comments, or do anything else inside your WordPress admin area.

This user role is particularly useful if you have a membership site, online store, or another site where users can register and log in.

If you want to create a custom login experience for your visitors, then see our guide on how to add a front-end login page and widgets in WordPress.

Bonus: Super Admin Role

This user role is only available on a WordPress multisite network.

Users with the super admin user role can add and delete sites on a multisite network. They can also install plugins and themes, add users, and perform network-wide actions on a WordPress multisite setup.

Think of it like having admin access to every site in the network.

How to Customize Existing User Roles and Permissions in WordPress

The default WordPress user roles have capabilities that will work for most WordPress websites and blogs.

For example, if you run a magazine website, then the ‘Editor’ role can be assigned to senior staff, the ‘Author’ user role can be for junior writers, and the ‘Contributor’ role can be for guest writers.

But sometimes, you might want to customize the permissions and capabilities assigned to the role to meet the specific needs of your website.

Like the default author role, which lets users publish their posts and also gives them the ability to delete their published posts, you may want to remove the capability that lets authors delete their posts in this case.

There are some plugins that add specific roles to your website, such as a comment moderator user role plugin.

However, the easiest way to customize your WordPress user roles is to use the Members plugin. It lets you create, manage, and change user roles across your website.

The first thing you need to do is activate and install the plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, you will have a new menu item called ‘Members’ in your WordPress admin panel.

You need to go to Members » Roles and click on the user role you want to edit.

In this example, we will be editing the ‘Author’ role, but you can choose the best role for your needs.

This brings you to a screen where you can fully customize the capabilities for that role.

To remove a capability for the role, check the ‘Deny’ box. If you want to add a new capability, check the ‘Grant’ box.

Here, we will check the ‘Deny’ box for the Delete Posts user capability.

If you don’t check a box for an available role, that user won’t have that capability.

Once you have finished customizing your role, click the ‘Update’ button.

The changes you make will automatically apply to all existing users with that role and to all new users to whom the role is assigned.

How to Create Custom User Roles in WordPress

Another thing you can do is create completely custom user roles in WordPress with unique sets of capabilities.

To do this, you will be using the same plugin as above.

Simply navigate to Members » Add New Role, and give your new role a name.

For instance, you can create a developer role that you can give to a WordPress developer with specific permissions granted.

The left-hand column has different sections that have lists of available capabilities. We will select the ‘Appearance’ tab and then add capabilities to edit, install, and update themes.

After that, click the ‘Add Role’ button to save the user role.

Next, you can create a new user and assign them the new user role.

To do this, go to Users » Add New and fill in your new user information.

At the bottom of the screen, you will see a ‘User Roles’ section.

Now, you can check the boxes for the user roles you want to assign to the new user and then click the ‘Add New User’ button.

Now, you have created a new custom WordPress user role and assigned it to a new user.

For more details, see our guide on how to add new users and authors to WordPress.

If you want to create a WordPress user role that’s only for moderating comments, then see our guide on how to allow blog users to moderate comments in WordPress.

We hope this article helped you understand user roles and permissions. You may also want to see our guide on how to prevent authors from deleting posts, or take a look at our tutorial on limiting authors to their own posts.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.