WordPress User Roles & Permissions: The Essential Guide

>>> Shared from Original Post iThemes

WordPress user roles and permissions offer access controls and privileges for your website. From Super Admin to Subscriber, every WordPress user who logs in to your website has a specific set of permissions or capabilities assigned.

But how familiar are you with WordPress user roles, what each of them means, and why it’s so important that you use each of them the correct way? If you don’t yet have a full grasp on user roles within the WordPress platform, you’re not alone. Many WordPress site owners don’t take full advantage of the power of WordPress user roles and permissions while managing their sites.

In this guide, we’ll cover everything you need to know for understanding WordPress user roles and permissions. Let’s take a deeper look.

In this guide

    What Are WordPress User Roles?

    WordPress user roles define the level of access and capabilities that a user can utilize to log in, view, edit or manage a WordPress site.

    A capability is a specific function or a set of actions that a user is permitted to complete. Each WordPress user role is clearly defined, so there are no misunderstandings about the things each user role can access and the tasks they can perform.

    Within WordPress, you’ll see that there are six WordPress user roles that you can select from for each new user you add to your website. The user role you choose for each individual user depends on the level of permission and access you want them to have on your site.

    Wordpress user roles

    For example, a WordPress user role defines capabilities such as:

    • Who can manage comments
    • Who can write blog posts
    • Who can add pages
    • Who can install or update plugins or themes
    • Who’s allowed to add new users
    • Which team members can delete spam

    While you may have ignored WordPress user roles and permissions up until now, the truth is that understanding each role is essential, no matter if you’re in charge of a corporate website, news magazine, or running a personal blog.

    The 6 WordPress User Roles

    The six main WordPress user roles available in WordPress are:

    1. Super Administrator
    2. Administrator
    3. Editor
    4. Author
    5. Contributor
    6. Subscriber

    Before we go any further, let’s look at each one of them in detail.

    1. Super Administrator

    This Super Administrator role in WordPress is reserved for WordPress multisite networks. Individuals that are assigned as Super Administrator role have full responsibilities for all sites within the network and can manage all site features within each site.

    Super Administrators have the power to delete other users (even Administrators), so it’s important to only assign this role to team members that you really trust. A Super Administrator can impact (negatively or positively) many parts of your business, including your network and the other users that run your site.

    A Super Admin can also create new websites, manage themes and plugins across the multisite network, add, manage or delete content on every site. The Super Admin controls the network with all settings and security issues. The first user setting up the multisite network is the default Super Admin.

    Just note that WordPress multisite networks are one of the most advanced ways of using WordPress as a content management system. If you don’t have a multi-site network, you won’t need to use the Super Administrator role for any of your users.

    If an additional Super Admin is needed, granting a user the role is quite simple.

    1. Locate the user by email or name search.
    2. Click the “EDIT” link under the person’s name.
    3. Select “Grant this user super admin privileges for the Network.”

    If you manage multiple WordPress sites, save time managing users and WordPress updates more with iThemes Sync.

    WordPress Super Admin User Role Tips

    • Within a WordPress multisite network, keep the organization of your user roles simple. A single user with just a couple of sites only needs the default Super Admin. As the organization grows, then create meaningful user roles for employees.
    • There are many ways to configure a multisite network and its users. If you are an agency or freelancer with multiple sites, assign each client the Administrator or Editor role for a specific site.
    • Concentrate on WordPress user security checks from the first login. WordPress is a favorite target for experienced hackers, and sophistication is growing in the world of malware and virus attacks. Browser fingerprinting is also a rising threat to privacy.
    • Control network-wide settings with caution. Plan the new user registrations and welcome emails with care.

    2. Administrator

    In a single WordPress installation, the Administrator user role has full access to every feature within the site. For most site owners, the WordPress Administrator role is the most significant user role in WordPress.

    The site Administrator role is almost always assigned to the website owner and/or the main developer and has access to all of the WordPress features, settings and options. For all intents and purposes, the Administrator is King and Chief of your WordPress site. That’s why having a good handle on the responsibilities of being a WordPress admin is a good idea.

    The WordPress administrator role has full access to add and edit posts and pages, change or update site settings, add and install themes and plugins, and much more.

    The WordPress Administrator role can also update WordPress along with any plugins and themes installed on the site. The WordPress update process is an area that needs to be approached with caution; a single mistake can take down the site.

    The Administrator is also in charge of assigning user roles and permissions to other users. The Administrator user role can modify users and their permissions which is another function to handle with care.

    Administrator Capabilities Explained

    1. Site-Wide: Update WordPress core files, manage all settings, manage HTML and JavaScript code for all users
    2. Plugins: install, edit, and delete
    3. Themes: install and switch, edit widgets and menus, access the customizer
    4. Users: create, edit, and remove
    5. Posts and Pages: add new, publish, manage taxonomies

    Administrator User Tips

    • Limit the number of users given the Administrator user role. Ideally, there should only be one user who controls the WordPress installation.
    • Your WordPress security begins and ends with the Administrator user role. Since WordPress administrators have full access to all things on the site, a WordPress admin needs a very secure WordPress login. This means using a strong password, two-factor authentication or even a passwordless login feature provided by a WordPress security plugin like iThemes Security Pro.
    • WordPress admins must keep WordPress core files updated and secure. Administrators are also responsible for keeping plugins and themes updated, an important part of successful WordPress maintenance.
    Get the bonus content: The Ultimate WordPress Maintenance Checklist

    3. Editor

    The Editor user role in WordPress is responsible for managing and creating content for your WordPress site. An Editor can create, delete and edit any site content including content that was produced by other users with permissions equal to or lower than Editor.

    Editor users manage all site edits and approve/schedule content submitted by Contributors and Authors. However, an Editor doesn’t have any access to things such as plugins, widgets, WordPress settings, or adding or removing users.

    An Editor’s job involves one major thing: content. And that’s all they’ll be able to access in the WordPress dashboard. Editors can also manage categories on the site along with adding or deleting custom tags. Taxonomies and uploading files to the site is another responsibility of the Editor role. Editors also have full control of comments. They can moderate, approve, or delete any comment.

    Who Should Have the Editor User Role?

    The Editor’s role should go to someone Administrator’s trust. Roles can be tweaked throughout WordPress; if needed, permissions of the Editor role can be reduced or changed as trust is gained.

    • The manager of a content team or online publication
    • Marketing managers responsible for content
    • Small business owners can wear both hats (Administrator and Editor user role)

    Editor vs. Author

    New users may see WordPress Editors and Authors in the same light. In many ways, they are however, there are differences.

    • Pages: Editors have access to all pages with permission to add, edit, or delete. Authors have no such access
    • Content: Editors have access to all content on the site. In a multisite network, only the permissions given the Editor role. Editors can delete or edit all content. Authors have access to edit or delete, only the content they have produced

    4. Author

    As you probably suspected, the Author user role in WordPress has the ability to write, draft and publish new content on your site. They also have access to content in your WordPress media library. They’ll need this level of access to produce great blog posts.

    The Author user role is normally assigned to new associates that you hire to focus on pushing out great content. Authors have a limited set of permissions within a WordPress installation. The role can add, edit, or delete their content, but have no access to other content, or site settings. Author roles can be as extensive or limited as the Editor or Administrator allows. The authors have permission to upload content and images.

    The Author role also has the power to edit reader comments. However, they can only edit comments that are left on their posts.

    Authors won’t be able to access posts or pages created by other users. They also can’t add plugins, create any new categories, change site settings or do anything else that will impact site performance.

    Who Should Have the Author User Role?

    • Organizations that have dedicated content creation or marketing teams such as reporters, public relations, company spokespeople
    • Any company that distributes information such as a news channel, or sports companies should give reporters the Author role. Additional permissions can be given on an as-needed basis

    A Note of Caution For the Author Role

    • Be cautious giving the user role of Author to someone who is NOT in your employ or untrustworthy. If they have created a lot of content and then leave the company, the Author can delete every bit of content.
    • It is always a best practice to delete ANY Author user role leaving the site and reassign the content to another Author. If a user is leaving with plans to return, change the password immediately and take away any granted permissions. Reinstate the role when the user returns.

    5. Contributor

    The Contributor user role can write blog posts or articles but can’t publish them. When they complete a draft, it goes into the draft section for an Administrator or Editor to review before publishing.

    The Contributor user role has very few permissions in a WordPress installation. The default permission is the ability to submit content for review. Contributors cannot publish the content or upload any associated images. Only an Editor or an Administrator can publish the content. Once the content is published, a Contributor no longer has access to that content.

    Contributors submit their content to either an Administrator or Editor for review. Here is an overview of the post submit and approval process:

    1. Contributors write their content in the WordPress Editor and when completed, hit the “Submit for Review” button
    2. Editors or an Administrator logs into WordPress and locates the post from pending approvals
    3. The post is edited for any grammatical errors and images should be inserted at this stage. The Admin or Editor then hits the “Publish” button.
    4. Any future edits or changes need to be done by the Administrator or Editor because the original Contributor no longer has access to the post.

    A Contributor also won’t have any access to the WordPress media library. Adding photos, images or videos to an article submitted by a Contributor will be up to an Admin or Editor.

    Those assigned permissions as a Contributor also can’t delete, alter or approve user comments.

    Who Should Have the Contributor User Role?

    Do you have community members that contribute articles and content to your site? Do you allow guest posts? If so, Contributor is the role you’d assign them.

    • Writer’s outside the organization who can contribute to the blog
    • Entry-level content writers that need heavy editing should be contributors

    Contributor vs. Author

    • Publishing content: Authors have the permissions to publish and edit their content and no other. Contributors can only submit their posts for review. Once a Contributor’s content is published, only the Administrator or Editor can edit the piece
    • Media and images: Contributors have no access to images or media. Authors can upload and edit their media

    6. Subscriber

    The Subscriber user role is the most bare-bones user role you can assign to someone on your WordPress site. In fact, WordPress uses this role as the default one for all new site users.

    You can think of the Subscriber role similarly to one of your social media followers. Basically, a Subscriber follows your blog and wants to be a part of it.

    Subscriber Capabilities

    There are two main permissions for the WordPress Subscriber role. They can view their profile and view the dashboard. Subscribers have no permissions to edit content or any WordPress site settings.

    Depending on the overall functionality of your site, a Subscriber may be able to interact with other users and Subscribers, but they don’t have any access to your WordPress dashboard or editing tools.

    Subscribers can be used as an inclusionary or entry-level access tool for marketing purposes. By default, Subscribers have no access to any site settings or content, making the role inherently safe.

    As a marketing tool, the Subscriber role is a perfect entry point to your site. It is the most restrictive role; however, it gives the person a profile, which is all a person needs to feel included. There are a lot of plugins that can expand on the basic Profile.

    How Do I Add a New User in WordPress?

    Adding a new user in WordPress is a pretty straightforward process. This is where you will initially assign the user a role and permissions.

    Of course, as an Administrator, you can always change the user’s role later on if better suits your needs. More on that in a minute.

    The steps to add a new user to your WordPress site are as follows:

    1. Login to the WordPress Admin dashboard (https://example.com/wp-admin).

    2. In your Admin control panel, click on the Users section.

    3. From here, click on Add New.

    4. Enter the new user’s name, email address, first and last name and website.

    5. Select the user role as defined above.

    6. Click the checkbox in front of “send the new user an email about their account.”

    7. Click the Add New User button and the new user is added.

    Repeat these steps for each new user, paying close attention to the user roles and permissions you assign to each.

    A Few Tips For Adding New WordPress Users

    Author, Contributor, and Subscriber roles are straight forward in their creation and permissions. The Super Admin, Administrator, and Editor positions can be a major area of strength for the organization if carefully considered and plotted out.

    • Multi-site installations should have one Super Admin, regardless of the number of additional sites. If there is any security, user, or core file issue, Super Admins are responsible. Security should be on the mind of every person involved with a website. WordPress is exceptional in the way it updates core files and security; however, having multiple Super Admins can cause havoc
    • Designate a single Administrator or Editor for each additional site in a multisite network. If there are hundreds of virtual sites, give Administrators or Editors more than one site to manage
    • Freelance web developers selling sites or Agencies should give Administrator duties to each site owner, but strictly forbid access to any network setting

    How Do I Find User Roles in WordPress?

    For existing users, you may want to look into the user roles that are currently assigned. After all, some of these roles may have been assigned before you had a thorough understanding of WordPress user roles and permissions.

    Now is the time to verify your currently assigned user roles.

    To do this, simply follow these steps:

    1. Login to the WordPress admin dashboard.

    2. In your Admin panel, click on the Users section.

    3. Click on All Users.

    4. View the list of all of your current users.

    5. Next to the Email column, you’ll see Role. This is the user role assigned to each site user.

    Now that you’re aware of the role assigned to each user, perhaps you want to make a few assignment adjustments.

    How Do I Change User Roles in WordPress?

    A user role change is immediate and the user will be notified by email of their new role on your site.

    To change a user role, follow steps 1-4 above. Once you’re viewing the list of all of your site users, you’ll want to:

    1. Hover over the name of the user you want to update. Upon hovering over the selected user, you’ll get edit options presented to you.

    2. After clicking to edit, you’ll be able to change fields such as name, email and website. You cannot, however, change a username here.

    3. At the bottom of the user profile, you’ll see a dropdown menu that allows you to change/select the user role.

    4. Choose the new user role.

    5. Save the user profile.

    The role and permission changes are implemented by WordPress the instant you save them.

    How Do I Delete An Existing User?

    There will probably be times when a user needs to be removed completely from your site.

    Perhaps you hired a temporary freelance Editor to provide editing services for your site over the course of two months. When the two-month time period expires and the contract is up, you no longer want the freelancer to have access to your site.

    To delete this user and remove all of their permissions to your website, follow steps 1-4 listed above for finding a user.

    After you locate the user that will be deleted, hover over their name and click on the delete option.

    After you confirm the deletion, the user will be notified via email that they have been removed from your site. They’ll no longer have any credentials to log in.

    It’s important to note that you cannot delete yourself or other Administrators (unless you’re a Super Administrator on a multi-site account).

    How Do I Manage User Roles in WordPress?

    The way you choose to manage user roles and permissions on your WordPress site is completely up to you. After all, who knows your team members abilities and limitations as well as you do?

    Before you choose the roles that are appropriate for each user on your site, step back and ask yourself a series of questions about them.

    • Can the user be trusted to fully manage your WordPress dashboard?
    • Do you have trust in the user to properly organize the content on your site?
    • Do you need to review the user’s posts before they get published? Or do you trust their judgment?
    • Should the user have the capability of editing and publishing posts from other users?

    Before assigning a new user to the Administrator role, it’s important that they have a thorough understanding of the WordPress platform.

    Strongly consider getting formal WordPress training for users that will take on the roles and permissions of Administrators.

    WordPress User Security

    The security of the users on your website matters. A a lot! Why? A single Admin user with a weak password could undermine all of the other website security measures you have put into place. That is why it is so important for you to audit the strength of security used by the Administrator and Editor users on your website.

    The iThemes Security Pro plugin’s User Security Check allows you to quickly audit and modify 5 critical elements of user security:

    1. Two-Factor Authentication Status
    2. Password Age & Strength
    3. Last Time Active
    4. Active WordPress Sessions
    5. User Role

    In addition, the iThemes Security Pro plugin has a ton of tools that you can use to increase the WordPress user security on your website. The Two-Factor Authentication and Password Requirements features alone protect your WordPress users from 100% of automated bot attacks.

    However, these two user security tools are only effective if the users on your website are actually using them.

    Get the bonus content: A Guide to WordPress Security

    WordPress User Role Plugins

    When you dive into WordPress user role plugins, you’ll find that a lot of the most popular plugins utilize and manage user roles and permissions outside of the main six roles we’ve discussed.

    There are plugins that allow you to make and assign custom user roles and groups. The plugins we’ll cover here are:

    • bbPress
    • BuddyPress
    • WooCommerce
    • iThemes Security

    They each work with customizable user roles in different ways.


    The bbPress plugin is a WordPress discussion forum that requires unique user roles outside of the main six offered within WordPress.

    The first user role built into the bbPress plugin, Keymaster, sits on top of the mountain. Keymasters are similar to the Administrator role in WordPress. They have access to all tools and settings, and can edit, create or delete the forums, topics, comments and replies of other users. The Keymaster is also a forum moderator and manages all tags.

    bbPress then offers the Moderator role. This role is responsible for creating, editing, deleting and moderating forums. They also have full control over user topics and replies. However, a Moderator doesn’t have access to site settings.

    A Participant is a member of the community. They can create and edit their topics and replies, but nothing else.

    Spectators can only read topics and replies. They can’t reply or get involved in other ways.

    Blocked users are ones that you simply don’t want in the community any longer.

    The bbPress plugin also allows you to make your own customized user roles (Pupil and Tutor, for example) by adding code into the codex. You will be able to assign your own customized permissions to each role you create. You can also change the names of the existing bbPress user roles.


    BuddyPress is a WordPress community plugin that allows you to build a social network within your own website.

    With the BuddyPress plugin, you’ll be able to make you own private, public and hidden groups. You can then assign user roles to manage your groups.

    The Member user role is the default role within BuddyPress. This gets applied to any user who signs up and joins a group. A user with a Member role can submit and post content to the group forums. In some cases, they can see other group members and send them invites or direct messages.

    A BuddyPress Moderator is an upgraded user role with additional permissions including closing, editing or deleting topics in the forum. But be careful, because they’ll also be able to do the same with content produced by other plugins you’re running on your WordPress site.

    As with the WordPress platform and other plugins, the Administrator role in BuddyPress has full control over groups and settings. An Administrator can change the settings in a group, the group avatar, and manage group members.They can also delete entire groups.


    WooCommerce is a highly popular WordPress plugin that will help turn your WordPress site into a robust ecommerce site.

    When you install WooCommerce on your site, you’ll instantly have the power to start listing products, posting product images, writing product descriptions and taking online orders.

    As such, WooCommerce offers two user roles that are outside of the standard six in WordPress. These roles are:

    • Customer: any user that signs up on your WooCommerce site or registers with you at checkout. Customers are very similar in permissions to Subscribers.
    • Shop Manager: this is the person that manages the WooCommerce shop but does not have Administrator permissions. They will automatically have Customer permissions but can also manage products that are listed in the store, as well as view sales reports.

    Pretty straightforward stuff.

    iThemes Security

    If you’re looking for a plugin that can provide fast and easy user role upgrading and downgrading capabilities, the iThemes Security plugin is definitely worth checking out.

    You can also use the plugin to save a lot of the time you spend securing your website with User Groups.

    How to Customize WordPress User Roles & Permissions

    Beyond the user roles we’ve already discussed, you can add more roles by using plugins designed to allow you to create custom user roles for WordPress. Here are a few plugins and tools to check out.

    iThemes Sync Client Dashboard

    iThemes Sync is a tool to help you manage multiple WordPress sites. With Sync, you have one dashboard to perform WordPress admin tasks for all your WordPress websites. Sync is especially helpful if you build or maintain websites for clients as an web design agency, marketing agency or freelancer.

    The iThemes Sync Client Dashboard feature was built to customize how a user sees the WordPress admin dashboard, which is a way of customizing WordPress user roles and permissions.

    For example, if you have a client that you want to make an Administrator, but don’t want to see certain areas of the site such as themes or plugins, you can accomplish this task with Client Dashboard.

    Client Dashboard can be activated on a per-user basis, and then you can select the WordPress dashboard menu items to allow that user to see. Pretty cool, right?

    User Role Editor

    If you want to customize your standard user roles in WordPress, the User Role Editor is a good plugin to look into. The User Role Editor will allow you to create your own roles, permissions and user capabilities.

    You can also use it to change or rename roles, or delete them altogether. The plugin has a free and a paid version.

    Advanced Access Manager

    Whether you’re running a huge WooCommerce store on your site or operating a standard WordPress blog, you may be looking for additional control over managing access to your content.

    User Access Manager could be the plugin to help you out. Advanced Access Manager can be used to set up a restricted member area of your site, utilizing user roles and permissions. It also assists you in managing users in the private sections of your site.

    Yoast SEO

    If your team is focused on improving the SEO (search engine optimization) of your content, the Yoast SEO plugin is a great place to start.

    This plugin allows you to create two non-standard user roles:

    • SEO Editor
    • SEO Manager

    Why are these two new user roles beneficial to you as a WordPress site owner?

    By assigning roles within Yoast SEO, you’ll empower your team to do SEO-related work without needing to manually track results or ask you to make site changes whenever needed.

    As Yoast’s blog says:

    “Two new roles, the SEO editor and SEO manager, make for a much more flexible solution when working with multiple people on your site. The Administrator can determine who gets to see and do what, while the users get the tools they need to do their work.”

    The Yoast SEO plugin is yet another tool that puts WordPress user roles and permissions at the forefront of administrative efficiency.

    Wrapping Up: Understanding User Roles and Permissions in WordPress

    To recap: The top three management user roles in a WordPress installation have areas of the site specifically designed for that position. Super Admins and Administrators control the dashboard and core files, and the site itself. While Editors control the content manager and other content. Authors and Contributors control only their content and no other. Subscribers can access only the content and permissions given to the role by the management positions.

    After studying the information in this article, you now have a much deeper understanding of user roles and permissions in the WordPress platform. As you can see, the roles you assign to each of your users plays a big part in how efficiently you run your website.

    But no matter how careful you are on making sure that all user roles are assigned to the best people, sometimes mistakes will happen. For example, when the new employee that you just assigned as an Administrator causes your site to crash when activating a new and untested plugin, a WordPress backup plugin like BackupBuddy will be an absolute life saver. Make sure to have your backup plugin installed and activated before a disaster like this happens.

    As with other areas of WordPress, properly assigning user roles and permissions will take a little trial and error. But with the information you’ve just learned, you’ll be making more informed decisions.

    Wordpress user roles

    The post WordPress User Roles & Permissions: The Essential Guide appeared first on iThemes.

    >>> Read the Full Story at iThemes