WordPress roles & capabilities: understanding and auditing users

One of the simplest—but often overlooked—ways to keep your WordPress site secure is to limit both the number of users who have access to your dashboard and the permissions each of those users has.

WordPress refers to these as roles and capabilities.

A role defines a set of capabilities for a user. For example, what the user may see and do in his dashboard.[1]

By default, WordPress offers five user roles, each with a specific set of capabilities. However, there are many plugins available that extend this functionality, allowing you to create custom roles, edit the capabilities of existing roles, and more.

Keep reading to learn more about the default roles, plugin options for managing roles and capabilities, and best practices for managing users without compromising your site’s security.

WordPress roles & capabilities

The five user roles that are built into WordPress are intended to address the most common functions a user would perform on your site:

Subscriber

Screenshot of the WordPress dashboard for a user at the subscriber level

A subscriber is typically a reader or user of the site; this can be helpful when you make posts or pages private or designate certain content as members-only.

Capabilities:

  • read posts and comments on the site

Contributor

Screenshot of the WordPress dashboard for a user at the contributor level

The contributor role is often used for guest posters. It allows those users to compose, edit, and delete their own post drafts but not publish posts. Unfortunately, this default role doesn’t include media uploads, which can be a handicap for contributors who want to include images in their posts.

Capabilities:

  • same as above, plus
  • manage their own unpublished posts

Author

Screenshot of the WordPress dashboard for a user at the author level

Authors are trusted, regular contributors to the blog. They can draft posts, add images, and manage their own published posts. In addition, they can manage reusable blocks in the Gutenberg editor to make future post creation easier.

Capabilities:

  • same as above, plus
  • publish posts
  • manage their own published posts
  • upload files
  • manage reusable blocks

Editor

Screenshot of the WordPress dashboard for a user at the editor level

Editors assist the site owner in managing and publishing posts. They can therefore manage both their own content and other users’ content, moderate comments, and add raw HTML and JavaScript to posts and pages.

Capabilities:

  • same as above, plus
  • manage other users’ posts & pages
  • manage categories
  • manage links
  • moderate comments
  • use unfiltered HTML & JavaScript in posts & pages

Administrator

Screenshot of the WordPress dashboard for a user at the administrator level

The site owner is usually the first administrator on a site and can pretty much do anything that needs to be done. This means, of course, that you want to be choosy about who else has this access since there are no restrictions on their permissions.

Capabilities:

  • same as above, plus
  • update WordPress core
  • manage plugins
  • manage dashboard
  • manage theme
  • manage users
  • imports / exports

No role for this site

Screenshot of the WordPress dashboard for a user with "no role for this site"

There may come a time when you need to delete an existing user. WordPress offers you the choice of deleting them entirely—and either deleting their posts and pages or reassigning them to another user—or assigning them “no role for this site.” The second option is especially helpful for contributors or guest posters because it allows them to keep their byline while removing their access to the dashboard.

Bonus: super administrator

While in general there are no restrictions on the permissions of an administrator, there is an exception. WordPress Multisite setups offer a sixth role: the super administrator. While each administrator is able to manage an individual site on the network, super administrators can manage all of the sites as well as the network as a whole.

  • same as above, plus
  • manage network, including network users, plugins, and themes
  • manage sites

Creating custom user roles & permissions

The default user roles are fairly straightforward, but there may be situations where you want to adjust the permissions of an individual role (for example, allowing contributors to upload photos) or add an entirely new role (such as a designer who can adjust the theme but not posts or users). There are quite a few plugins that allow you to do that.

Here are a few that meet our standards for reputable plugins:

If you’re technically inclined, WordPress also offers a guide for adjusting roles and capabilities manually.
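The two adjustments described above (letting contributors upload images, and a "designer" role that can change the theme but not posts or users), written as a small plugin. This is an added example, not code from the article or from WordPress itself; the plugin file name and the function names are assumptions, while the capability names are real WordPress core capabilities.

```php
<?php
/**
 * Plugin Name: Example Role Adjustments
 * Added example: role changes are saved to the database, so apply them once
 * on activation (not on every page load) and undo them on deactivation.
 */

register_activation_hook( __FILE__, 'example_adjust_roles' );

function example_adjust_roles() {
    // 1. Let contributors upload images; the default role lacks upload_files.
    $contributor = get_role( 'contributor' );
    if ( $contributor ) {
        $contributor->add_cap( 'upload_files' );
    }

    // 2. A "designer" role for theme work only. Nothing here grants
    //    edit_posts, edit_users, install_plugins or edit_themes (the theme
    //    file editor), so the role cannot touch content, accounts or code.
    add_role(
        'designer',
        'Designer',
        array(
            'read'               => true,
            'edit_theme_options' => true, // Customizer, menus, widgets
            'switch_themes'      => true,
            'upload_files'       => true, // logos and header images
        )
    );
}

register_deactivation_hook( __FILE__, 'example_restore_roles' );

function example_restore_roles() {
    // Leave the site as it was found: remove the extra capability and role.
    $contributor = get_role( 'contributor' );
    if ( $contributor ) {
        $contributor->remove_cap( 'upload_files' );
    }
    remove_role( 'designer' );
}
```

`add_role()` returns `null` and changes nothing if a role with that key already exists, so re-activating the plugin is safe.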

Auditing WordPress users to keep your site secure

While the administrator role poses the largest security risk, it’s a good idea to audit all of the users on your site on a regular basis. Make this part of your regular WordPress maintenance to keep your site running well.

Make sure all users use secure passwords

WordPress has built-in security measures to ensure that users register with strong passwords. But to further protect their accounts, you also want to encourage users to use unique passwords that aren’t likely to be compromised. This isn’t as important for someone who only has read access, of course; it becomes more important the more capabilities a user has.

Be choosy about who you assign to each role

Designers, developers, virtual assistants, hosting companies—there are a variety of cases where someone may ask for administrator access. Be sure you’re only giving that access to trusted users and when it makes sense; each time you give someone access to your dashboard, you’re creating a potential vulnerability.

Downgrade user roles when not needed

Of course, you also have the option to give someone temporary access. Sometimes a trusted user simply doesn’t need access to your dashboard on an ongoing basis. You may not have concerns about what they may do with that access, but keeping extra user accounts presents additional opportunities for hackers to gain access to the dashboard. For this reason, you should downgrade or delete users who no longer need the level of access they once did.

Delete any suspicious users

By default, the primary administrator on a site receives email notifications when a new user account is created. In addition to reviewing these emails, it doesn’t hurt to periodically scan the list of users to spot any accounts that can be downgraded or deleted as well as any that may look suspicious.
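A script that turns the audit steps above (spotting accounts to downgrade or delete, and recently created ones to cross-check against the signup emails) into a repeatable report. It is an added example, not part of the article; it assumes WP-CLI is installed and is run as `wp eval-file user-audit.php`, and the file and function names are assumptions.

```php
<?php
// Added example: group every account by role and flag the ones that deserve
// a second look. Run from the site root with: wp eval-file user-audit.php

function example_user_audit( int $recent_days = 30 ): array {
    $report = array( 'by_role' => array(), 'flags' => array() );
    // Powerful capabilities worth reviewing whatever the role is called;
    // custom roles created by plugins can grant these too.
    $sensitive = array( 'unfiltered_html', 'edit_users', 'install_plugins', 'update_core' );
    $cutoff    = time() - $recent_days * DAY_IN_SECONDS;

    foreach ( get_users() as $user ) {
        // An empty roles array is the "no role for this site" case.
        $roles = $user->roles ?: array( '(no role for this site)' );
        foreach ( $roles as $role ) {
            $report['by_role'][ $role ][] = $user->user_login;
        }
        // New accounts: compare against the new-user notification emails.
        if ( strtotime( $user->user_registered ) > $cutoff ) {
            $report['flags'][] = sprintf( '%s registered on %s', $user->user_login, $user->user_registered );
        }
        foreach ( $sensitive as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $report['flags'][] = sprintf( '%s has the %s capability', $user->user_login, $cap );
            }
        }
    }
    return $report;
}

$report = example_user_audit();
foreach ( $report['by_role'] as $role => $logins ) {
    WP_CLI::log( sprintf( '%-24s %2d: %s', $role, count( $logins ), implode( ', ', $logins ) ) );
}
foreach ( $report['flags'] as $flag ) {
    WP_CLI::warning( $flag );
}
```

Accounts the report turns up can then be downgraded with `wp user update <id> --role=subscriber` or removed with `wp user delete <id> --reassign=<other-id>`, which keeps their posts under another author.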


Managing the user accounts on your site is an important part of your WordPress maintenance and security. But it doesn’t stop there! Looking for more security tips? Download our printable security checklist here.

Mandi Ehman

Footnotes

  1. https://developer.wordpress.org/plugins/users/roles-and-capabilities/#roles
