In order to use a WordPress site, there is a crucial requirement: (administrative) users. A WordPress user will be able to log into a WordPress site to carry out some tasks, from as simple as leaving comments to as high as changing the entire site layout.
There are five default user roles or hierarchies in every WordPress site, and these roles have different user levels of access and permissions (capabilities).
The five default WordPress user roles include:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
Their Role in WordPress Site Security
WordPress user roles are an essential security feature for controlling and restricting access to the various areas and actions of a WordPress site.
WordPress is designed to assign different levels of permissions and access control to registered users. Each user role has specific actions that they are allowed to perform on the site. This feature allows site owners to prevent unauthorized access to sensitive data and functionality that could compromise the integrity of the site.
Suppose a regular user or visitor is assigned a role that gives full access to your site, and the user gains access to other users’ sensitive data and steals them. In that case, that’s a breach of data compliance and regulations and will lead to serious legal consequences.
So, a WordPress site owner needs to understand the user roles and their capabilities to prevent unauthorized access by the wrong person.
Don’t worry. This guide will help you understand each WordPress user role, modify their permissions, and create custom users.
Overview of Default WordPress User Roles
Let us quickly get you acquainted with the five (5) WordPress user roles, starting from the top level.
1. Administrator
The administrator user role in WordPress grants full access and control of the site. The administrator can manage and edit every aspect of the WordPress site, including the design, assigning and managing other user roles, etc. The first user of a WordPress site is usually the administrator, and most often, you get to provide the administrator username, password, and email address when setting up a WordPress site.
2. Editor
The Editor user role is the next in the hierarchy after administrator. The Editor role grants users the capability to publish and manage content on the site. This means that editors on a WordPress site have full access and control over all blog posts and pages, including tags, categories, and moderation of comments.
3. Author
The Author user role is lower than the Editor role in that the Author can publish and manage only their content on the site. The author can modify, unpublish, or delete only their posts, but they can’t do the same to posts created by other users.
4. Contributor
The Contributor user role is assigned to users who can create posts on the site but without the capability to publish them. Their content has to be reviewed and published by users higher up in the hierarchy. It is noteworthy to mention that Contributors are also restricted from adding media content to their posts.
5. Subscriber
The lowest default role in WordPress is the Subscriber role, which is assigned to new users by default if account registration is enabled on your WordPress site. Subscribers can only submit comments and edit their profiles on your site. You can also grant subscriber users access to gated or unique content.
User Roles vs. Capabilities in WordPress
With a basic understanding of the default WordPress user roles, let’s break down the user roles and their capabilities.
| User Roles | Capabilities |
| --- | --- |
| Administrator | Site design and customization; Site settings; Update WordPress core; Plugins and themes management; User role management; Full content management; Comment moderation |
| Editor | Full content management; Approve other users’ content; Upload media files; Comment moderation |
| Author | Manage own content; Upload media files |
| Contributor | Submit textual posts |
| Subscriber | Leave comment |
Modifying and Extending User Roles in WordPress
Because of its flexibility, WordPress allows you to modify the default user permissions, as well as create custom user roles and delegate capabilities to them based on your site’s needs. You can use WordPress plugins to modify and create custom user roles or do it manually with code.
How to Add or Edit WordPress User Roles with Code
In the WordPress Codex, two (2) main functions allow you to add and remove custom user roles: “add_role” and “remove_role”, while two (2) additional functions allow you to add or remove capabilities for specific roles: “add_cap” and “remove_cap”.
Adding a New Custom User Role
To add a new custom user role and capabilities, you need to use the code format below in the functions.php file of your active theme (or child theme) or a site-specific plugin file.

```php
<?php
// Register a custom role with an explicit set of capabilities.
function add_custom_user_role() {
    add_role(
        'custom_role',  // Role identifier
        'Custom Role',  // Display name
        array(
            'read'         => true,  // Allows read access
            'edit_posts'   => true,  // Allows editing posts
            'delete_posts' => false, // Disallows deleting posts
            // Add more capabilities as needed
        )
    );
}
add_action( 'init', 'add_custom_user_role' );
?>
```
Removing a Custom User Role
If you wish to delete a default or custom user role from your WordPress site, you can use the following code:
```php
<?php
// Remove a role by its identifier.
function remove_custom_user_role() {
    remove_role( 'custom_role' ); // Replace 'custom_role' with the role identifier you want to remove
}
add_action( 'init', 'remove_custom_user_role' );
?>
```
Note: The “remove_role” function only works for custom user roles and will not be able to remove default user roles like Administrator, Editor, Author, etc.
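An added example, not code from the original article: because roles are saved in the database, a site-specific plugin can register the role once on activation and, when it is retired, move its users to another role before calling remove_role, as the best-practices list in this guide advises. The plugin header, the constant names, and the 'subscriber' fallback are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Custom Role Lifecycle (added example)
 */

// Hypothetical identifiers used only in this example.
const EXAMPLE_ROLE     = 'custom_role';
const EXAMPLE_FALLBACK = 'subscriber';

// Register the role once, when the plugin is activated.
register_activation_hook( __FILE__, function () {
    add_role(
        EXAMPLE_ROLE,
        'Custom Role',
        array(
            'read'       => true,
            'edit_posts' => true,
        )
    );
} );

// On deactivation, reassign every holder of the role, then remove it.
register_deactivation_hook( __FILE__, function () {
    if ( null === get_role( EXAMPLE_FALLBACK ) ) {
        return; // Fallback role is missing: leave users and role untouched.
    }

    foreach ( get_users( array( 'role' => EXAMPLE_ROLE ) ) as $user ) {
        $user->remove_role( EXAMPLE_ROLE );

        // Users who hold another role keep it; only users left with
        // no role at all are moved to the fallback.
        if ( empty( $user->roles ) ) {
            $user->add_role( EXAMPLE_FALLBACK );
        }
    }

    remove_role( EXAMPLE_ROLE );
} );
```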
Editing Capabilities for an Existing User Role
To edit or remove existing capabilities for a user role in WordPress, use the “get_role” function to call the role object and then use the “add_cap” or “remove_cap” functions to modify it as shown below:
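```php
<?php
// Change the capabilities of the existing Editor role.
function modify_editor_capabilities() {
    $role = get_role( 'editor' ); // Returns null if the role does not exist
    if ( $role ) {
        // manage_options opens the site's Settings screens, so grant it deliberately.
        $role->add_cap( 'manage_options' );         // Adds capability to manage options
        $role->remove_cap( 'delete_others_posts' ); // Removes capability to delete others' posts
    }
}
add_action( 'init', 'modify_editor_capabilities' );
?>
```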
You can check the WordPress documentation on user roles and capabilities for a list of possible capabilities that you can assign or unassign for your user roles.
Tools and Plugins for Role Management
There are several WordPress plugins for managing and enhancing user roles and capabilities in WordPress, including:
- User Role Editor
- Members
- PublishPress Capabilities
- Advanced Access Manager
- User Access Manager
- WordPress User Role Editor
- Simple Membership Plugin
- WPFront User Role Editor
- View Admin As
Other WordPress plugins can add custom user roles that are best suited for their functionality on your WordPress site. For example, WooCommerce will add the customer and shop manager custom user roles when installed on your site to identify buyers and users with the privilege to manage store settings, products, and reports of an online store.
Creating Custom User Roles
We already explained how to create custom roles with code, so now let’s see how to use plugins to create custom user roles. In this guide, we will be using the User Role Editor WordPress plugin, a popular user role management plugin with extensive capabilities.
To use the User Role Editor plugin for role management, you need to first install and activate the plugin on your WordPress site.

Next, navigate to Users > User Role Editor from the left Admin panel.
You will be taken to the plugin role management interface.
Click Add Role from the right panel.

Enter an ID and a Display Role Name for the custom role. (You can use the same name for the ID and role name for easy identification.)
Click the Add Role button.
To assign capabilities to the new role, select the new custom role from the top dropdown menu.
Select the capabilities you want to add to the role.

Click Update and then Yes in the Confirm window.
You will be able to assign your newly created custom user role to an existing user from the user profile editor or when you make a new user.
Note: The User Role Editor also allows you to rename, delete, clone, and modify the capabilities of custom user roles.

Using Role-Specific Access to Improve UX and Workflow
You can use role-specific access to improve user experience (UX) and workflow in your WordPress site by granting each user the right level of access to specific areas, functionality, and tools they need to carry out their respective tasks. You will be able to mitigate risks from accidental changes by limiting users from unauthorized zones. You can use role-specific access for various actions that enhance productivity, including:
- Customize the user dashboard based on each role.
- Manage the submission, review, and publishing process of content creation.
- Grant security privileges to qualified users.
- Provide SEO specialists access to SEO optimization tools and settings only.
- Create special teams for specific actions like customer support, client manager, etc.
- Create exclusive or gated content for premium users.
- Control visibility of Gutenberg blocks based on different user roles.
- Streamline specific notifications to specific user roles, such as “opened tickets” to customer support, “placed orders” to the sales and logistics team, etc.
- Provide role-specific guides, training, or documentation (e.g., for entry-level users or beginners).
Testing Role-Based Access and Permissions Before Going Live
You have to first test user roles and capabilities before implementing them on your live site to prevent any unexpected issues. The easiest way to test custom roles and permissions is by using a WordPress staging environment.
The best platform for WordPress staging is InstaWP. InstaWP allows you to set up a remote replica staging site away from your live server. You can safely edit and add new user roles, modify custom roles and capabilities, and test permissions without compromising the live site.
When done, you can sync your changes from the staging site to the live site, and your user roles configuration will be seamlessly deployed to the live site.
To create a staging site, install and activate InstaWP Connect on your live site.
Go to Tools > InstaWP and connect your WordPress site to your InstaWP dashboard. Then, click on Create Staging Site.

Select your preferred type of staging, and click Next Step.

Continue with the process, confirm your settings, and click Create Staging.

Once created, you can use the Magic Login button to log straight into the staging site.

You can then proceed with your user role and capabilities configurations and test their access and permissions to be sure everything is working fine before pushing them to live.
User Management via InstaWP Dashboard
InstaWP allows users to connect and manage multiple WordPress sites from one single dashboard. One of the site management features is user role management, which will enable you to easily add and modify users and their roles for any connected site from the InstaWP dashboard. So, if you have 24 sites, for example, you will be able to manage user roles using one dashboard instead of 24.
To add a new user to a connected site, click on the site and go to Settings > Manage > User > +Add User.

As you can see from the image, you can assign user roles to the user from your InstaWP dashboard, including existing custom user roles.
Best Practices for Managing User Roles on Large Sites
- Assign the Administrator user role to the site owner and developer.
- Assign user roles and permissions carefully. Users should only have the capabilities necessary to deliver their side of the job.
- Remove inactive users and unused or outdated custom user roles.
- Before deleting a user role, reassign the users with that role to another role first.
- Monitor and log users’ activities on your site to ensure users don’t have unmerited access to sensitive parts of the site.
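One way to check least privilege across all roles, as an added example that is not part of the original article: the function below flags any role other than Administrator that holds a high-risk capability. The capability shortlist, the function name, and the sample roles (including the hypothetical seo_team) are constructed for illustration; the sample mirrors the shape of wp_roles()->roles.

```php
<?php
// Shortlist of WordPress capabilities that reach beyond content editing.
const HIGH_RISK_CAPS = array(
    'manage_options', 'edit_users', 'create_users', 'promote_users',
    'delete_users', 'install_plugins', 'activate_plugins', 'edit_plugins',
    'install_themes', 'edit_themes', 'switch_themes', 'update_core',
    'unfiltered_html',
);

/**
 * Return [ role slug => high-risk capabilities it grants ] for every role
 * that is not listed in $expected (roles meant to hold such capabilities).
 */
function audit_roles( array $roles, array $expected = array( 'administrator' ) ): array {
    $findings = array();
    foreach ( $roles as $slug => $role ) {
        if ( in_array( $slug, $expected, true ) ) {
            continue;
        }
        // A capability stored as false is an explicit deny, not a grant.
        $granted = array_keys( array_filter( $role['capabilities'] ?? array() ) );
        $risky   = array_values( array_intersect( HIGH_RISK_CAPS, $granted ) );
        if ( $risky ) {
            $findings[ $slug ] = $risky;
        }
    }
    return $findings;
}

// Constructed sample: the editor entry reflects the add_cap('manage_options')
// change shown earlier in this guide; seo_team is hypothetical.
$sample = array(
    'administrator' => array( 'name' => 'Administrator', 'capabilities' => array( 'manage_options' => true, 'edit_users' => true ) ),
    'editor'        => array( 'name' => 'Editor', 'capabilities' => array( 'edit_others_posts' => true, 'manage_options' => true, 'delete_others_posts' => false ) ),
    'custom_role'   => array( 'name' => 'Custom Role', 'capabilities' => array( 'read' => true, 'edit_posts' => true, 'delete_posts' => false ) ),
    'seo_team'      => array( 'name' => 'SEO Team', 'capabilities' => array( 'read' => true, 'install_plugins' => true, 'edit_users' => false ) ),
);

foreach ( audit_roles( $sample ) as $slug => $caps ) {
    echo $slug . ': ' . implode( ', ', $caps ) . PHP_EOL;
}
```

On a live or staging site, pass wp_roles()->roles to audit_roles() instead of the sample, for example from a file run with WP-CLI's wp eval-file.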
Mistakes to Avoid When Managing User Roles
- Don’t create too many unnecessary custom user roles.
- Don’t modify your functions.php file without first backing up your site.
- Don’t modify user roles without first testing them in a staging environment.
- Don’t create custom user roles with names conflicting with default WordPress roles.
- Don’t assign administrator roles to unqualified persons.