WordPress User Roles and Permissions: A Comprehensive Guide
At its core, WordPress is a collaborative platform. Even a simple blog might have a writer, editor, and site owner. Larger sites could include developers, designers, customer support reps, and more. User roles are predefined sets of permissions (called “capabilities”) that determine what actions a user can perform on your site.
For example:
- A “Writer” might need to create and edit their own blog posts but shouldn’t delete others’ content.
- An “Editor” might manage all content but shouldn’t access site settings like payment gateways.
- A “Subscriber” should only read content, not modify anything.
By assigning roles, you ensure that users have only the access they need (the “principle of least privilege”), reducing the risk of accidental mistakes (e.g., deleting a critical page) or malicious attacks (e.g., a hacked account with admin access).
WordPress comes with five default roles, but you can also create custom roles to fit your site’s unique needs. In the sections below, we’ll break down everything you need to know to master role management.
WordPress powers over 43% of the internet, and many of these websites aren’t solo projects. From small blogs with guest writers to large enterprise sites with teams of editors, developers, and content creators, managing who can do what on a WordPress site is critical for security, efficiency, and organization. This is where user roles and permissions come into play.
Whether you’re a site owner, developer, or administrator, understanding how to assign the right roles to the right people ensures that your site runs smoothly—preventing accidental changes, unauthorized access, and security breaches. In this guide, we’ll dive deep into WordPress user roles, default capabilities, custom roles, management tools, troubleshooting, and best practices. By the end, you’ll be equipped to manage user access like a pro.
## Table of Contents
- Introduction to WordPress User Roles & Permissions
- Default WordPress User Roles: Explained
- 2.1 Administrator
- 2.2 Editor
- 2.3 Author
- 2.4 Contributor
- 2.5 Subscriber
- Capabilities vs. Roles: What’s the Difference?
- Creating Custom User Roles
- Managing User Roles: Step-by-Step
- Troubleshooting Common User Role Issues
- Advanced Topics: Multisite, Plugins, and RBAC
- Best Practices for User Role Management
- Conclusion
- References
## Default WordPress User Roles: Explained
WordPress includes five built-in user roles, each with a specific set of capabilities. These roles are designed to cover common use cases, from solo bloggers to large teams. Let’s explore each in detail.
### 1. Administrator
Role Summary: The most powerful role; has full control over the site.
Use Case: Site owners, lead developers, or trusted managers who need to configure settings, install plugins, and manage all users.
Key Capabilities:
- `manage_options`: Access and modify all site settings (e.g., General, Writing, Reading, Media, Permalinks).
- `install_plugins` / `update_plugins` / `delete_plugins`: Install, update, or remove plugins.
- `install_themes` / `update_themes` / `delete_themes`: Install, update, or remove themes.
- `manage_users`: Add, edit, delete, or change user roles.
- `edit_posts` / `edit_pages` / `edit_others_posts` / `delete_posts`: Edit, delete, or publish any content (posts, pages, custom post types).
- `import` / `export`: Import or export site data.
- `unfiltered_html`: Allow unrestricted HTML in content (critical for developers).
What They Cannot Do: By default, nothing—Administrators have full access. However, some security plugins (e.g., Wordfence) may restrict certain actions (e.g., file editing) for added protection.
Example Scenario: If you hire a developer to build your site, you might temporarily assign them Administrator access. Once the site is live, you could downgrade them to a custom “Developer” role with limited capabilities.
### 2. Editor
Role Summary: Manages all content on the site but cannot access site settings or user management.
Use Case: Content managers, editors, or team leads responsible for overseeing blog posts, pages, and media.
Key Capabilities:
- `edit_posts` / `edit_pages` / `edit_others_posts` / `edit_others_pages`: Edit any post or page (including those by other users).
- `publish_posts` / `publish_pages`: Publish, unpublish, or schedule content.
- `delete_posts` / `delete_pages` / `delete_others_posts` / `delete_others_pages`: Delete any content.
- `manage_categories` / `manage_tags`: Create, edit, or delete categories and tags.
- `upload_files`: Upload media (images, videos, etc.).
- `moderate_comments`: Approve, unapprove, or delete comments.
What They Cannot Do:
- Access site settings (the `manage_options` capability is denied).
- Install/remove plugins or themes.
- Add, edit, or delete users.
- Modify user roles.
Example Scenario: A news site with multiple writers would assign the Editor role to a senior staff member who reviews, edits, and publishes all articles before they go live.
### 3. Author
Role Summary: Can create, edit, and publish their own content but cannot modify others’ work.
Use Case: Guest bloggers, freelance writers, or team members who contribute regularly but don’t need oversight responsibilities.
Key Capabilities:
- `edit_posts`: Edit their own posts (drafts and published).
- `publish_posts`: Publish their own posts (no need for approval).
- `delete_posts`: Delete their own posts.
- `upload_files`: Upload media for their own posts.
What They Cannot Do:
- Edit or delete posts/pages by other users.
- Access site settings, plugins, or themes.
- Manage categories/tags (unless granted via custom capabilities).
- Moderate comments (unless granted).
Example Scenario: A food blog with guest contributors would assign the Author role to each writer, letting them publish their own recipes without needing an editor’s approval.
### 4. Contributor
Role Summary: Can write and edit their own drafts but cannot publish content. Published content requires approval from an Editor or Administrator.
Use Case: New writers, interns, or users who need to submit content for review before publication.
Key Capabilities:
- `edit_posts`: Edit their own draft posts.
- `read`: View published content on the site.
What They Cannot Do:
- Publish posts (must submit for review).
- Delete posts (even their own published ones).
- Upload media (unless granted via custom capabilities).
- Edit or delete others’ content.
Example Scenario: A university blog might use the Contributor role for students, who submit articles to professors (Editors) for review and publication.
### 5. Subscriber
Role Summary: The most limited role; can only read content and manage their own profile.
Use Case: Site visitors who register for access to member-only content, newsletters, or forums.
Key Capabilities:
- `read`: View published content.
- `edit_profile`: Update their own user profile (name, email, password).
What They Cannot Do:
- Create, edit, or publish any content.
- Access the admin dashboard (by default—some plugins may restrict this further).
Example Scenario: An online magazine with a “premium content” section would let subscribers register, log in, and read articles, but they can’t modify any site content.
## Capabilities vs. Roles: What’s the Difference?
While roles are the “groups” of permissions you assign to users, capabilities are the individual permissions that define what a user can do. For example:
- The “Editor” role includes the `publish_posts` capability.
- The “Author” role also includes `publish_posts`, but not `edit_others_posts`.
Think of roles as “job titles” and capabilities as “job duties.” WordPress core defines hundreds of capabilities, and plugins/themes often add their own (e.g., `manage_woocommerce` for WooCommerce sites).
### Common WordPress Capabilities
Here are some of the most important core capabilities and what they control:
| Capability | Description |
|---|---|
| `manage_options` | Access all site settings (General, Writing, etc.). |
| `edit_posts` | Edit own posts (drafts and published). |
| `edit_others_posts` | Edit posts by other users. |
| `publish_posts` | Publish or schedule own posts. |
| `delete_posts` | Delete own posts. |
| `delete_others_posts` | Delete posts by other users. |
| `upload_files` | Upload media (images, PDFs, etc.). |
| `manage_categories` | Create, edit, or delete categories/tags. |
| `moderate_comments` | Approve, unapprove, or delete comments. |
| `install_plugins` | Install new plugins. |
| `manage_users` | Add, edit, or delete users. |
| `read` | View published content (granted to all roles except “No Role For This Site”). |
### How Roles Map to Capabilities
To see exactly which capabilities are assigned to each default role, WordPress provides a built-in function called `get_role()`. For example, to check Editor capabilities:
```php
// get_role() returns a WP_Role object, or null if no role with that slug exists
$editor_role = get_role( 'editor' );
var_dump( $editor_role->capabilities );
```
This would output an array like:
```php
array(
    'edit_posts'        => true,
    'edit_others_posts' => true,
    'publish_posts'     => true,
    // ... other capabilities
)
```
You can also view this in the admin using plugins like User Role Editor (more on this later).
## Creating Custom User Roles
While default roles work for many sites, you may need custom roles to fit unique workflows. For example:
- A “Reviewer” who can edit others’ drafts but not publish.
- A “Support Agent” who can reply to comments but not edit posts.
- A “Developer” who can access plugins/themes but not user management.
Custom roles can be created via plugins or code.
### Using Plugins to Create Custom Roles
Plugins are the easiest way to create custom roles, even for non-developers. Here are two popular options:
#### 1. User Role Editor
User Role Editor (URE) is a free plugin that lets you edit, create, and delete roles via a user-friendly interface.
Steps to Create a Custom Role with URE:
- Install and activate the plugin.
- Go to Users → User Role Editor.
- Click Add Role.
- Enter a Role Name (e.g., “Reviewer”) and Display Name (e.g., “Content Reviewer”).
- Select a Base Role (e.g., “Contributor” to inherit its capabilities) or start from scratch.
- Check/uncheck capabilities to define the role (e.g., check `edit_others_posts` to let reviewers edit others’ drafts, but uncheck `publish_posts` to prevent publishing).
- Click Update to save the role.
Pro Tip: Use the “Filter” option to search for specific capabilities (e.g., type “comment” to see comment-related permissions).
#### 2. Members
Members is another popular free plugin by Justin Tadlock, focused on role management and content restriction.
Steps to Create a Custom Role with Members:
- Install and activate Members.
- Go to Members → Roles.
- Click Add New Role.
- Enter a name, slug, and description.
- Select capabilities from the checklist (e.g., `edit_others_posts`, `moderate_comments`).
- Click Add Role.
Members also lets you restrict content (e.g., pages/posts) to specific roles using shortcodes like `[members_access role="reviewer"]This content is for reviewers only.[/members_access]`.
### Manually Creating Roles with Code
For developers or advanced users, you can create custom roles using WordPress’s `add_role()` function. This is ideal if you want to include role creation in a theme or plugin.
Example: Create a “Reviewer” Role
Add this code to your theme’s functions.php file or a custom plugin:
```php
function add_reviewer_role() {
    // Check if the role already exists to avoid duplicates
    // (roles persist in wp_options; add_role() returns null if the slug is taken)
    if ( ! get_role( 'reviewer' ) ) {
        add_role(
            'reviewer',         // Role slug
            'Content Reviewer', // Display name
            array(
                'read'                => true,  // Allows access to the admin dashboard
                'edit_posts'          => true,  // Edit own posts
                'edit_others_posts'   => true,  // Edit others' posts
                'moderate_comments'   => true,  // Moderate comments
                'upload_files'        => true,  // Upload media
                // Deny publishing capabilities
                'publish_posts'       => false,
                'delete_posts'        => false,
                'delete_others_posts' => false,
            )
        );
    }
}
add_action( 'init', 'add_reviewer_role' );
```
Note: To remove a custom role, use `remove_role( 'reviewer' );`. Always test code in a staging environment first!
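The “Developer” role mentioned earlier (plugin/theme access without user management) as an added example, not code from the article: it derives the role from Administrator’s capability set rather than listing capabilities by hand, and reports what the new role lacks so the result can be reviewed. Assumptions: this lives in a plugin’s main file (for `register_deactivation_hook`), the slug `developer` is unused, and the denylist matches your needs.

```php
<?php
// Added example: build a "developer" role from Administrator minus the core
// user-management capabilities. Slug, function names and denylist are assumptions.

function example_developer_role_caps() {
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return array();
    }
    // Core user-management capabilities; add plugin-specific ones as needed.
    $denied = array(
        'list_users',
        'create_users',
        'edit_users',
        'delete_users',
        'promote_users',
        'remove_users',
    );
    // WP_Role::$capabilities is an array like array( 'manage_options' => true, ... ).
    $caps = $admin->capabilities;
    foreach ( $denied as $cap ) {
        // Stored as false: WP_User::has_cap() treats a false entry as not granted.
        $caps[ $cap ] = false;
    }
    return $caps;
}

function example_add_developer_role() {
    // add_role() returns null and changes nothing if the slug exists; roles persist
    // in wp_options, so guard instead of re-adding on every request.
    if ( get_role( 'developer' ) ) {
        return;
    }
    add_role( 'developer', 'Developer', example_developer_role_caps() );
}
add_action( 'init', 'example_add_developer_role' );

// Lists Administrator capabilities the developer role does not grant, for review.
function example_developer_role_gaps() {
    $admin = get_role( 'administrator' );
    $dev   = get_role( 'developer' );
    if ( ! $admin || ! $dev ) {
        return array();
    }
    $gaps = array();
    foreach ( $admin->capabilities as $cap => $granted ) {
        if ( $granted && empty( $dev->capabilities[ $cap ] ) ) {
            $gaps[] = $cap;
        }
    }
    return $gaps; // e.g. array( 'list_users', 'create_users', ... )
}

// Remove the role on deactivation. Users still assigned it keep the slug in
// wp_usermeta but resolve to no role capabilities until reassigned.
register_deactivation_hook( __FILE__, function () {
    remove_role( 'developer' );
} );
```

Anyone who can install plugins or edit theme files can run arbitrary PHP on the server, so this role narrows the admin UI rather than creating a real trust boundary; if the developer must not be able to deploy code, also set `DISALLOW_FILE_EDIT` or `DISALLOW_FILE_MODS` in wp-config.php.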
### When to Use Custom Roles
Custom roles are useful when:
- Default roles are too broad (e.g., you need an Editor who can’t delete content).
- You have unique workflows (e.g., a “Social Media Manager” who can schedule posts but not edit others’ work).
- You need to restrict access to plugin-specific features (e.g., WooCommerce’s `manage_woocommerce` capability).
## Managing User Roles: Step-by-Step
Now that you understand roles and capabilities, let’s walk through how to manage users and assign roles in the WordPress admin.
### Adding a New User and Assigning a Role
- Go to Users → Add New.
- Enter the user’s Username, Email, and (optional) First Name / Last Name.
- Under Role, select a role from the dropdown (e.g., “Author”).
- Choose a password method:
- Send the new user an email about their account: WordPress will auto-generate a password and send login instructions.
- Set a password yourself: Click “Show password” and enter a strong password.
- Click Add New User.
The user will now have access to the site with the assigned role’s capabilities.
### Editing or Changing a User’s Role
- Go to Users → All Users.
- Hover over the user’s name and click Edit.
- Scroll to the Role section.
- Select a new role from the dropdown.
- Click Update User to save changes.
Pro Tip: To quickly change roles for multiple users, use bulk actions:
- Check the boxes next to users.
- Select Change role to… from the bulk actions dropdown.
- Choose a role and click Apply.
### Deleting Users and Reassigning Content
When you delete a user, WordPress asks you to reassign their content to another user (to avoid orphaned posts/pages).
- Go to Users → All Users.
- Hover over the user and click Delete.
- Select a user from the Reassign posts to dropdown (e.g., “Editor”).
- Click Confirm Deletion.
Warning: Deleting a user is permanent! Always back up your site first.
### Bulk Managing User Roles
For sites with many users (e.g., 50+), bulk role management saves time. Plugins like Bulk User Management let you:
- Import users from a CSV and assign roles.
- Update roles for users in bulk.
- Filter users by role, registration date, or activity.
## Troubleshooting Common User Role Issues
Even with careful setup, role-related issues can arise. Here’s how to fix the most common problems.
### User Can’t Access a Feature (e.g., Plugins Menu)
Issue: A user with Administrator role can’t see the Plugins menu.
Causes:
- The user’s role lacks the `install_plugins` capability (check via User Role Editor).
- A security plugin (e.g., iThemes Security) is hiding the menu for non-super admins.
- The user is on a multisite network and isn’t a Super Admin.
Fix:
- Use User Role Editor to verify the `install_plugins` capability is enabled for their role.
- Temporarily deactivate security plugins to check for conflicts.
- On multisite, ensure the user is added as a Super Admin (Network Admin → Users).
### Role Changes Not Saving
Issue: When you try to change a user’s role, the page refreshes but the role stays the same.
Causes:
- Plugin conflict (e.g., a user management plugin overriding changes).
- Corrupted user meta data.
- Server-side caching (e.g., Redis or Varnish).
Fix:
- Deactivate all plugins and test role changes again. Reactivate plugins one by one to find the culprit.
- Use phpMyAdmin to check the `wp_usermeta` table for the `wp_capabilities` entry (ensure it matches the desired role).
- Clear your site’s cache (plugin, server, or CDN).
### Content Disappearing After Role Changes
Issue: A user’s posts vanish after their role is downgraded (e.g., from Author to Contributor).
Cause: Contributors can’t edit published posts, so the user’s published content is hidden from their dashboard (though it still exists on the site).
Fix:
- Reassign the user’s posts to another user (e.g., an Editor) before downgrading their role.
- Use a plugin like User Role Editor to grant the `edit_published_posts` capability to the Contributor role (not recommended for security).
### Plugin Conflicts with Permissions
Issue: A plugin (e.g., WooCommerce) isn’t working as expected for a user with a custom role.
Cause: Plugins often add their own capabilities (e.g., manage_woocommerce for WooCommerce). If the user’s role lacks these, the plugin may restrict access.
Fix:
- Check the plugin’s documentation for required capabilities (e.g., WooCommerce Roles and Capabilities).
- Use User Role Editor to add the missing capabilities to the user’s role.
## Advanced Topics: Multisite, Plugins, and RBAC
### 7.1 Multisite User Roles (Super Admin)
WordPress Multisite lets you manage multiple sites from one dashboard. It adds a sixth role: Super Admin.
Super Admin Capabilities:
- Manage the entire network (sites, users, plugins, themes).
- Assign roles across all sites in the network.
- Access network-wide settings (e.g., domain mapping, user registration).
Default Roles in Multisite:
- Super Admin: Network-level control.
- Administrator: Controls a single site (but not the network).
- Editor/Author/Contributor/Subscriber: Same as single-site, but scoped to individual sites.
How to Add a Super Admin:
- Go to Network Admin → Users.
- Click Add User or edit an existing user.
- Check the Grant Super Admin privileges box.
- Click Add User or Update User.
### 7.2 Role-Based Access Control (RBAC) Plugins
For enterprise-level sites, basic role editors may not be enough. RBAC plugins offer advanced features like:
- Conditional capabilities (e.g., “Editors can only edit posts in Category X”).
- Time-based access (e.g., “Temporary Editor access for 30 days”).
- Audit logs for role changes and user actions.
Popular RBAC plugins:
- PublishPress Capabilities (paid): Advanced role management with content restrictions.
- Advanced Access Manager (free/premium): Granular control over menus, widgets, and custom post types.
### 7.3 Membership Plugins and Role Integration
Membership plugins like MemberPress or Paid Memberships Pro let you tie roles to subscription plans. For example:
- Free subscribers get the “Subscriber” role.
- Paid members get the “Premium Member” role with access to exclusive content.
How It Works:
- Create a custom role (e.g., “Premium Member”) with restricted content capabilities.
- In the membership plugin, map the subscription plan to the role.
- When a user signs up for the plan, their role is automatically updated.
### 7.4 REST API and Permissions
The WordPress REST API allows external apps (e.g., mobile apps, headless sites) to interact with your site. Permissions here are controlled by capabilities, just like the admin dashboard.
Example: To fetch a post via the API, the requesting user needs the `read` capability. To create a post, they need `create_posts`.
Securing the API:
- Use plugins like WP REST API Controller to restrict endpoints by role.
- Always use authentication (e.g., OAuth2) for API requests.
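How a capability gates a REST endpoint in practice, as an added example that is not part of the article: a custom route whose `permission_callback` requires `moderate_comments` before the handler runs. The namespace `example/v1`, the route `/pending-comments`, and the function names are assumptions.

```php
<?php
// Added example: capability-gated REST route. Names below are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/pending-comments', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'example_pending_comments',
        // Evaluated before the callback. Returning false or a WP_Error stops the
        // request. Omitting it, or using '__return_true', makes the route public.
        'permission_callback' => 'example_can_moderate',
    ) );
} );

function example_can_moderate( WP_REST_Request $request ) {
    if ( current_user_can( 'moderate_comments' ) ) {
        return true;
    }
    // Separate "not authenticated" (401) from "authenticated but not allowed" (403).
    // Cookie-authenticated calls also need a valid X-WP-Nonce header; without it
    // WordPress treats the request as anonymous and this branch is taken.
    return new WP_Error(
        'rest_forbidden',
        'The moderate_comments capability is required.',
        array( 'status' => is_user_logged_in() ? 403 : 401 )
    );
}

function example_pending_comments( WP_REST_Request $request ) {
    $comments = get_comments( array( 'status' => 'hold', 'number' => 20 ) );
    $out      = array();
    foreach ( $comments as $c ) {
        // Return only what a moderator needs; do not leak author email or IP.
        $out[] = array(
            'id'      => (int) $c->comment_ID,
            'post_id' => (int) $c->comment_post_ID,
            'author'  => $c->comment_author,
            'excerpt' => wp_trim_words( $c->comment_content, 20 ),
        );
    }
    return rest_ensure_response( $out );
}
```

Since WordPress 5.5, registering a route without a `permission_callback` triggers a `_doing_it_wrong` notice, which is a useful signal when reviewing third-party plugins for unprotected endpoints.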
## Best Practices for User Role Management
Proper role management is an ongoing process. Follow these best practices to keep your site secure and efficient.
### 8.1 Conduct Regular Role Audits
Every 3–6 months, review all users and their roles:
- Remove inactive users (e.g., contributors who haven’t posted in a year).
- Downgrade roles for users who no longer need elevated access (e.g., a developer who finished their project).
- Use plugins like WP Activity Log to track role changes and suspicious activity.
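An audit helper for the periodic review just described, as an added example rather than code from the article. It reads the same `wp_capabilities` data that the troubleshooting section points at in `wp_usermeta`, lists who effectively has administrator-level access, and flags accounts that hold more than one role or carry capabilities granted directly to the user instead of through a role. Function names are assumptions; load it as an mu-plugin and call it from WP-CLI’s `wp eval`.

```php
<?php
// Added example: role and capability audit. Function names are assumptions.

function example_role_audit() {
    $report = array(
        'admins'      => array(), // logins that pass user_can( ..., 'manage_options' )
        'multi_role'  => array(), // login => list of roles
        'direct_caps' => array(), // login => wp_capabilities keys that are not roles
        'no_role'     => array(), // logins with no valid role on this site
    );
    $roles = wp_roles();
    // On very large sites pass 'number'/'offset' to get_users() and loop in pages.
    foreach ( get_users() as $user ) {
        // $user->caps is the raw wp_capabilities meta, e.g. array( 'editor' => true,
        // 'manage_options' => true ). $user->roles holds only the keys that are roles.
        $direct = array();
        foreach ( $user->caps as $key => $granted ) {
            if ( $granted && ! $roles->is_role( $key ) ) {
                $direct[] = $key; // a direct grant, or a role that no longer exists
            }
        }
        if ( $direct ) {
            $report['direct_caps'][ $user->user_login ] = $direct;
        }
        if ( count( $user->roles ) > 1 ) {
            $report['multi_role'][ $user->user_login ] = $user->roles;
        }
        if ( empty( $user->roles ) ) {
            $report['no_role'][] = $user->user_login;
        }
        // Checks the merged capability set, so a direct manage_options grant on a
        // "Subscriber" is caught as well as the administrator role itself.
        if ( user_can( $user, 'manage_options' ) ) {
            $report['admins'][] = $user->user_login;
        }
    }
    return $report;
}
```

Every entry under `admins` or `direct_caps` should be something the reviewer can explain; a direct `manage_options` or `edit_users` grant on an otherwise low-privilege account is a common leftover from a compromise or a forgotten plugin and is removed with `WP_User::remove_cap()`.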
### 8.2 Limit Administrator Access
The fewer Administrators you have, the lower the risk of a compromised account causing damage. Aim for 1–2 Administrators per site, and use custom roles for others.
### 8.3 Use Strong Passwords and 2FA
Even with proper roles, weak passwords are a major risk. Enforce:
- Passwords with at least 12 characters (mix of letters, numbers, symbols).
- Two-factor authentication (2FA) via plugins like Wordfence or Google Authenticator.
### 8.4 Test Roles in Staging First
Before assigning new roles on your live site, test them in a staging environment. This ensures:
- Users have the right access (no missing capabilities).
- No content is accidentally hidden or deleted.
### 8.5 Document Role Responsibilities
Create a simple guide for users explaining their role’s capabilities (e.g., “As an Author, you can publish your own posts but not edit others’”). Tools like Notion or Google Docs work well for this.
## Conclusion
User roles and permissions are the backbone of secure, efficient WordPress site management. By understanding default roles, creating custom ones when needed, and following best practices, you can ensure that users have exactly the access they need—no more, no less.
Whether you’re running a small blog or a large enterprise site, taking the time to master role management will save you from headaches (and security breaches) down the line.