From creating pages to publishing a blog to perfecting your website’s appearance and functionality with themes and plugins, there are few limits to what you can accomplish with the WordPress CMS. Things get even more complex on a team where each person has different site-related jobs.
If you have multiple people in charge of running your WordPress website and/or contributing content, you’ll need a way to control what each of these users can (and can’t) do. This is why WordPress user roles are a must. User roles help you, the webmaster, manage everyone involved in building and maintaining your WordPress website.
In this article, I’ll explain what makes up a user role, the default user roles that come with your WordPress installation, and how to create custom user roles with a WordPress plugin.
WordPress User Roles
In WordPress, a user role is a collection of allowed actions, or “capabilities,” assigned to specific WordPress users. Capabilities include lower-level permissions, like creating an account on a site or leaving a comment on a post, to higher-level ones, like modifying plugins, themes, and users.
Any WordPress site can implement user roles, but they’re most effective on sites with many contributors. User roles help you keep track of these contributors and ensure everyone stays in their own lane. This is an essential component of proper website security — users should only be able to access what they need to.
User Roles vs. User Permissions
User roles define the overall scope of user capabilities within WordPress, while user permissions refer to the individual capabilities that make up each role. For example, the only permission included in the subscriber role is the ability to create and edit the user’s own account. The administrator role, meanwhile, has permissions to modify and edit any content on the site, change user roles, or remove user access.
WordPress comes with a number of default roles, and also allows users to edit user roles and create custom new ones with plugins. We’ll get into custom user roles soon, but let’s first cover the pre-made ones.
WordPress Default User Roles
A single-site installation of WordPress includes five default user roles: Subscriber, Contributor, Author, Editor, and Administrator. Multisite WordPress installations require a sixth pre-made role, the Super Admin.
Each default user role has the capabilities of all roles below it, plus its own added capabilities. Let’s take a look at each default role in the order of fewest to most capabilities:
WordPress Subscriber Role
The subscriber role has the least power of the default roles. Subscribers can create and edit their own password-protected accounts on your WordPress site, and that’s about it. They can’t create posts, edit existing content, or modify any of your site’s settings.
This role works well for WordPress websites that require accounts to view restricted content, like membership sites. You might also assign the subscriber role to visitors who sign up for a content offer or email list. Otherwise, your site likely won’t need this role.
Access Level: Minimal
Subscribers have the lowest level of access. They can create their own accounts but cannot modify any content on the site.
WordPress Author vs. Contributor
Authors and contributors perform similar functions in WordPress, but with one notable difference: While both can create posts, only authors can edit, delete and publish their posts on WordPress sites.
WordPress Contributor Role
Contributors can create posts, but they can’t publish. An administrator or editor must publish their posts for them, and contributors cannot edit or delete their posts once live. They also aren’t allowed to upload images or other files to their pieces, and they can’t change any site settings.
This role works best for content creators who need closer monitoring than authors, such as one-time or infrequent writers, or creators from outside of your main content team.
Access level: Low
Contributors have more access than subscribers but their total access remains low with only the ability to create posts.
WordPress Author Role
Authors are similar to contributors, but with more autonomy. They have full control over their own content, including the ability to create, publish, edit, and delete their own posts. Unlike contributors, authors can also add files to their content, and edit comments left on their posts. However, they cannot modify or delete posts by other users, or change site settings.
This role is ideal for team members whose primary job is content creation. Authors are trusted to publish their own content and change or delete it if necessary, so it’s best not to assign the role to creators outside your team or organization.
Access level: Moderate
Authors gain increased permissions including the ability to create, publish, edit and delete posts.
WordPress Editor Role
The editor role manages content produced by contributors and authors. Editors may create, publish, modify, or delete any post or page on your site. They can also fully moderate comment sections and manage tags and categories for posts. While editors have significantly more control than lower roles, they still cannot make any larger changes to your site.
Access level: Substantive
Editors can create, publish, modify or delete any page on your site and also have the permission to manage comments.
WordPress Administrator Role
Administrators are in charge of the entire WordPress website. They have complete control over the site’s content, theme, plugins, updates, and backend code. The administrator is also able to add, modify, and delete users, even other administrators.
WordPress automatically assigns the administrator role to the user who creates the website. It’s most common to have just one Administrator per website, possibly more if your business is larger.
Assigning the role to others should be done with a high level of caution — all administrators need a solid understanding of your site’s functionality, as well as WordPress security best practices. If an administrator account gets hacked, that’s bad news.
Access level: Extensive
Administrators have extensive control over site content and the roles of other users. They can also add, modify or delete code, plugins, and themes.
WordPress Super Admin Role
The super admin role only exists on WordPress multisite networks and oversees all sites within the network. Along with administrator-level permissions for each site, the super admin makes network-wide changes including adding or removing sites from the network and changing themes and plugins across sites.
Access level: Complete
Super admins take permissions one step further with complete control over WordPress multisite networks and their content.
For a full list of capabilities for each role, see the WordPress Roles and Capabilities page.
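To check what each role on a live site can actually do, the following added example (not from the original article) reads the role table through WordPress's own API and flags every non-administrator role that holds administrator-grade capabilities. The `HIGH_RISK_CAPS` selection and the `example_` function names are assumptions of this example; run it inside WordPress, for instance with WP-CLI's `wp eval-file`.

```php
<?php
// Added example: least-privilege audit of WordPress roles.
// Run inside WordPress, e.g. `wp eval-file audit-roles.php`.

// Capabilities that allow code changes, user takeover or site-wide settings
// changes. The selection is this example's assumption, not an official list.
const HIGH_RISK_CAPS = array(
    'install_plugins', 'activate_plugins', 'edit_plugins',
    'edit_themes', 'switch_themes', 'unfiltered_html',
    'create_users', 'edit_users', 'promote_users', 'delete_users',
    'manage_options',
);

// Returns role slug => list of high-risk capabilities, for every role
// except administrator (which is expected to hold them).
function example_audit_roles() {
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        // Only capabilities set to true are granted; false is an explicit deny.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( HIGH_RISK_CAPS, $granted ) );
        if ( 'administrator' !== $slug && $risky ) {
            $findings[ $slug ] = $risky;
        }
    }
    return $findings;
}

// Returns every account holding the administrator role, for manual review.
function example_list_administrators() {
    return get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_registered' ),
    ) );
}

foreach ( example_audit_roles() as $slug => $caps ) {
    printf( "Role %s holds: %s\n", $slug, implode( ', ', $caps ) );
}
foreach ( example_list_administrators() as $admin ) {
    printf( "Administrator: %s (registered %s)\n", $admin->user_login, $admin->user_registered );
}
```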
WordPress Custom User Roles
If the default WordPress options don’t quite fit the needs of your site, the administrator can modify the capabilities of existing user roles, create new roles, and delete unnecessary roles. This allows for tighter control over user permissions and a better system to match your team's structure.
How to Assign and Change User Roles
Only administrators can change user roles. This role is automatically assigned to the user who creates the WordPress site, and they in turn can assign new users the role of their choice.
To assign a role to a new user, follow these steps.
Step 1: Click on Users in your dashboard, then click +Invite.
Step 2: Enter the email or WordPress.com username of the user you want to invite, select their role, and click Send Invitation.
Step 3: If you want to change user roles, simply navigate back to the Users tab, click on the user whose role you want to modify, and make the change.
Pro Tip: Once you assign the role of administrator to any user, they can modify other accounts — including yours — so choose wisely.
How to Edit an Existing User Role in WordPress
If you’re looking to edit an existing user role in WordPress, the simplest way is using a plugin, such as the User Role Editor. Here’s what that looks like in practice:
Step 1: In the left panel, select Users > User Role Editor. You’ll be taken to the plugin’s main interface.
Step 2: Select the user role you want to modify from the top dropdown menu. You’ll see a list of all capabilities currently allowed for this role. Check the box next to Show capabilities in human readable form to list these functions more clearly.
Step 3: Select/deselect the capabilities you want to add to/remove from the role.
Step 4: Click Update, then Yes in the Confirm window. The list will refresh with updated permissions.
How to Create a Custom User Role in WordPress
If you want to create a custom user role in WordPress using the User Role Editor, follow these steps:
Step 1: Select Users > User Role Editor in the left panel.
Step 2: In the right-side button pane, choose Add Role.
Step 3: Create an ID and Display Role Name.
The Display Role Name is what appears for users in the WordPress dashboard. Administrators can change the Display Role Name by selecting Rename Role from the main interface.
The ID only shows in the User Role Editor plugin. It can be the same as the Display Role Name, or different for systematic labeling purposes. You cannot rename the ID once the new role is created.
Step 4: If you want to clone an existing role, select it from the Make copy of dropdown.
Step 5: Click Add Role.
Step 6: Select the capabilities you want to add to the new role.
Step 7: Click Update, then Yes in the Confirm window. The list will refresh with updated permissions.
How to Delete a User Role in WordPress
To remove a user role with the User Role Editor plugin, first, reassign new roles to all users currently under the role you want to remove. Then, navigate to Users > User Role Editor. Select the role from the top dropdown. In the right pane, choose Delete Role, then click Delete Role in the window that appears.
WordPress User Roles Plugins
Any capability can be added or removed from an existing user role. For example, you might want to prevent authors from deleting their posts once published, or allow Editors to change or modify the current theme.
To enable customization of user roles, you’ll need to use a plugin. There are a handful of plugin options built specifically for customizing roles, and many security plugins also include a feature for this purpose.
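Role-editing plugins make these changes through WordPress's built-in role functions. The minimal plugin below is an added example (not from the original article or from any plugin it lists): it clones the contributor role into a custom role, removes the delete capability from authors as described above, and on deactivation reassigns users before deleting the role. The role ID `guest_writer`, its display name and the `example_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Role Setup (added example)
 */

// Role changes are stored in the database, so apply them once on
// activation instead of on every page load.
register_activation_hook( __FILE__, 'example_roles_activate' );
register_deactivation_hook( __FILE__, 'example_roles_deactivate' );

function example_roles_activate() {
    // Custom role: a copy of contributor that may also upload files.
    // It still cannot publish, so an editor reviews everything first.
    $contributor = get_role( 'contributor' );
    if ( $contributor && ! get_role( 'guest_writer' ) ) {
        $caps                 = $contributor->capabilities;
        $caps['upload_files'] = true;
        add_role( 'guest_writer', 'Guest Writer', $caps );
    }

    // Authors can no longer delete their posts once published.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->remove_cap( 'delete_published_posts' );
    }
}

function example_roles_deactivate() {
    // Reassign users first so nobody is left on a role that no longer exists.
    foreach ( get_users( array( 'role' => 'guest_writer' ) ) as $user ) {
        $user->set_role( 'subscriber' );
    }
    remove_role( 'guest_writer' );

    // Restore the default author capability.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->add_cap( 'delete_published_posts' );
    }
}
```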
Here’s a look at five plugins to help you manage, customize and edit user roles in WordPress.
User Role Editor lets you quickly change user roles or capabilities. This plugin also makes it possible to create customized user roles. You can add new role names and assign them any permissions you prefer. You can also delete roles if they’re no longer needed — if this occurs, the user’s role will automatically default to the subscriber role. User Role Editor also offers multi-site support.
With more than 200,000 downloads and regular updates, the Members plugin provides a simple UI that allows you to create, customize and assign user roles. This plugin also makes it possible to assign more than one role to a single user, clone existing roles to save time, or explicitly deny capabilities to specific user roles for increased security.
In addition to creating and modifying user roles, PublishPress lets you specify what each user role sees in both Classic and Gutenberg editing screens. You can also prevent users from accessing any admin menu link or frontend menu link based on their role.
The WPFront plugin is all about easy role management on your site. Features of this plugin include the ability to create new roles, assign multiple roles, restore previous roles, migrate users and assign a new default role state for new users.
The Advanced Access Manager plugin provides granular control over all aspects of WordPress roles and permissions. Site administrators can manage access at the content level by defining default access for all pages, posts, custom posts, categories, and even custom taxonomies.
It’s your job as an Administrator to keep your site permissions secure, organized, and updated — not even a plugin can change that responsibility. By fitting the capabilities of each user role to match your team, you can rest assured that your users are contributing where they need to be.
Editor's note: This post was originally published in June 2020 and has been updated for comprehensiveness.
Originally published Nov 17, 2021 7:00:00 AM, updated November 17 2021