WordPress enables you to assign a user role for every account. As the site owner, your role is that of the administrator. Other users will have roles with fewer permissions, such as contributor, subscriber, or even author. Understanding the differences between these roles and what they can do is essential for your site’s security.
Every user role has a different set of permissions, so assigning roles lets you decide who has permission to do what on your site. With the right tools, you can even modify the default user roles in WordPress.
In this article, we’ll talk more about how the WordPress user role system works. We’ll go over each existing role and show you how to assign and edit roles. Let’s get to it!
WordPress User Roles Explained
User roles are typically present in software that features a user management system. WordPress lets users register on your site and enables you (the administrator) to assign a role to each of them.
WordPress user roles determine what you can do within the Content Management System (CMS). Different roles have unique sets of user permissions depending on their responsibilities.
Here are the five default user roles that ship with WordPress:
- Administrator. In WordPress, the administrator role has access to the full suite of features the CMS offers. They can make any changes they want to the site.
- Editor. A user with the editor role can publish posts from their account and manage content posted by others.
- Author. An author can only publish their own posts. They can’t access posts by other authors to edit them.
- Contributor. This user role can write posts and save them as drafts, but they can’t publish them. They need an editor or an administrator to do this for them.
- Subscriber. A user with the subscriber role can only access their own account settings. They can’t publish or edit content.
The default WordPress user roles are centered around blogging. However, there are plenty of plugins that add custom user roles to WordPress. These roles have unique sets of permissions and make it easier to manage sites alongside a team.
Although WordPress enables you to change assigned roles, it doesn’t include options to customize their permissions. To do this, you’ll need to use either a plugin or custom code.
How to Manage WordPress User Roles
In this section, we’ll go over the basics of managing user roles in WordPress using default options. We’ll also show you how to customize existing user roles using a plugin. Let’s get to it!
1. Add New Users and Assign them Roles
WordPress enables you to create new user accounts and assign roles to each. To do this, go to Users > Add New User in the dashboard and fill out the required information.
To create a new user account, you’ll need to set a username, email address, and password. This screen also enables you to set a user role for the new account.
The available roles may vary if you use plugins that add custom options to WordPress. After you select a user role, click on Add New User and the account will become active.
2. Change the Default WordPress User Roles
If your website supports registration, it can be smart to change the default user role that WordPress automatically assigns to new accounts. The default role, in most cases, is set to subscriber.
The subscriber user role can be useful for blogs with comment sections and similar types of sites. However, for other types of projects, you may want to set up a different role.
To change the default user role, go to Settings > General in the dashboard. Look for the option that says New User Default Role and select the dropdown menu next to it.
When you decide what role to assign, click on Save Changes. This setting will apply to all new users except those you add manually (see the previous section).
3. Customize Permissions for WordPress User Roles
WordPress doesn’t include built-in options for editing user role permissions. If you want to customize the existing user roles in WordPress, you’ll need to use a plugin.
There are several plugins you can use to customize WordPress user roles. For example, User Role Editor enables you to customize user roles and create custom ones.
To get started, install and activate the plugin. Then, navigate to the Users > User Role Editor page in the WordPress dashboard.
Here, you’ll see a dropdown menu at the top of the screen where you can select which existing user role to modify. Below that menu, there’s a list of permissions for actions on the site.
That list contains dozens of actions, including options such as uploading and deleting plugins and themes, deleting posts and pages, viewing site health information, and more.
You can use that list to pick and choose which user role gets access to which permissions in WordPress. User Role Editor enables you to customize all roles except for the administrator role, which is granted all permissions by default.
Additionally, the plugin lets you create custom WordPress user roles. To do this, click on the Add Role button on the Users > User Role Editor page.
This will open a window where you can set the ID for the new user role and a display name. You can also choose to select an existing role and copy its user capabilities or permissions.
Once you add a new role to the WordPress site, you’ll be able to edit its permissions just as with any other role. You can also reassign any existing users to it.
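The custom-code route mentioned earlier can make the same kind of change with the role functions in WordPress core. The following is an added example, not code from this article or from the User Role Editor plugin; the role ID "reviewer", its display name, and the example_roles_* function names are hypothetical, and the capability choices are only an illustration.

```php
<?php
/**
 * Plugin Name: Example Custom Roles (illustrative, added example)
 */

// Roles are stored in the database, so create them once on activation
// instead of on every page load.
register_activation_hook( __FILE__, 'example_roles_install' );
register_deactivation_hook( __FILE__, 'example_roles_uninstall' );

function example_roles_install() {
	// Copy the contributor role's capabilities as the starting point.
	$contributor = get_role( 'contributor' );
	$caps        = $contributor ? $contributor->capabilities : array( 'read' => true );

	// Grant only what the new role needs on top of that.
	$caps['upload_files'] = true;

	// add_role() does nothing if a role with this ID already exists.
	add_role( 'reviewer', 'Reviewer', $caps );

	// Tighten an existing role: authors lose the ability to upload files.
	$author = get_role( 'author' );
	if ( $author ) {
		$author->remove_cap( 'upload_files' );
	}
}

function example_roles_uninstall() {
	// Move users off the custom role before deleting it, so no account
	// is left pointing at a role that no longer exists.
	foreach ( get_users( array( 'role' => 'reviewer' ) ) as $user ) {
		$user->set_role( 'contributor' );
	}
	remove_role( 'reviewer' );

	// Restore the default capability removed on install.
	$author = get_role( 'author' );
	if ( $author ) {
		$author->add_cap( 'upload_files' );
	}
}
```

Because role changes persist in the database, removing the code alone does not undo them, which is why the deactivation hook reverses each change explicitly.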
Best Practices for Managing WordPress User Roles
When dealing with other users and their assigned roles, it’s important to keep some basic best practices in mind. Here’s how to avoid issues when assigning or editing user roles:
- Use the principle of least privilege. This principle states that no user should have more permissions than they need to fulfill their assigned tasks. Authors, for example, shouldn’t be able to delete posts created by others or moderate comments.
- Review user roles periodically. We recommend reviewing user roles periodically to check if any users have more permissions than they need. You’ll also want to check the capabilities for each role (with the User Role Editor plugin) to see if there are permissions that should be revoked.
- Delete users if they’re inactive. Over time, some of your users might become inactive. It’s smart to prune inactive user accounts from time to time since it prevents attackers from exploiting them.
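A periodic review like the one described above can be scripted. This is an added example, not part of the original article or of any plugin it mentions; the file name, the function name, and the list of capabilities treated as administrator-only are assumptions chosen for the illustration.

```php
<?php
// Added example: role audit for a periodic review.
// Run inside WordPress, e.g. `wp eval-file audit-roles.php` (file name is hypothetical).

// Assumed baseline: capabilities this example expects only administrators to hold.
$admin_only = array(
	'install_plugins', 'activate_plugins', 'edit_plugins', 'delete_plugins',
	'install_themes', 'edit_themes', 'manage_options',
	'create_users', 'edit_users', 'promote_users', 'delete_users',
);
// From the least-privilege item above: authors should not hold these.
$not_for_authors = array( 'delete_others_posts', 'moderate_comments' );

function example_audit_roles( array $admin_only, array $not_for_authors ) {
	$findings = array();

	foreach ( wp_roles()->roles as $id => $role ) {
		if ( 'administrator' === $id ) {
			continue; // Administrators hold every capability by design.
		}
		// Capabilities are stored as name => bool; keep only the granted ones.
		$granted = array_keys( array_filter( $role['capabilities'] ) );
		$excess  = array_intersect( $granted, $admin_only );
		if ( 'author' === $id ) {
			$excess = array_merge( $excess, array_intersect( $granted, $not_for_authors ) );
		}
		if ( $excess ) {
			$findings[] = sprintf( 'Role "%s" holds: %s', $id, implode( ', ', $excess ) );
		}
	}

	// The role handed to every self-registered account (Settings > General).
	$default = get_option( 'default_role' );
	if ( 'subscriber' !== $default ) {
		$findings[] = sprintf( 'New User Default Role is "%s"; confirm this is intended', $default );
	}

	// List administrator accounts so each one can be confirmed by hand.
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		$findings[] = sprintf( 'Administrator account: %s', $user->user_login );
	}
	return $findings;
}

foreach ( example_audit_roles( $admin_only, $not_for_authors ) as $line ) {
	echo $line . PHP_EOL;
}
```

The script only reads role data and options, so it is safe to run on a schedule and compare the output between reviews.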
Overall, managing user roles in WordPress can be relatively straightforward. You can limit the number of user roles to keep site management simple. Aside from that, you’ll want to make sure that no user roles have more permissions than they need to perform their assigned tasks.
Conclusion
User roles are essential if you want to give other people access to your site. Assigning a role based on the permissions that users need reduces the chances of them being able to affect the site negatively. For example, authors and editors can’t install, uninstall, or modify plugins in any way. That’s something only the administrator can do.
Understanding the user role system is key to securing your WordPress website. But you’ll also want to choose a secure and reliable hosting provider. NameHero offers you real-time virus scanning and a Web Application Firewall (WAF) with all its WordPress plans.
If you want to keep your website safe, managed hosting can be your best option. All of our WordPress plans offer managed services (including WooCommerce options) and free migrations from other hosting providers. Take a look at our WordPress hosting plans!
Sophia is a staff writer at WordCandy.co, where she produces quality blog content for WordPress plugin and theme developers, hosting providers, website development and design agencies, and other online businesses.