How do you control WordPress user permissions

Beginner's Guide to WordPress User Roles and Permissions

If you're the only person running your website, you've probably never had to think about WordPress user roles. However, if you ever need to give other people access to your WordPress site, WordPress user roles are essential to control what actions the various users are allowed to take on your website.

Applying WordPress user roles sensibly ensures that nobody has more power than they need. This helps to make your website more secure and to streamline your work processes.

In this guide, we explain what WordPress user roles are and why they are important. We will then guide you through the individual standard roles before giving you some tips on how to use them effectively.

What WordPress user roles are and why they are important

WordPress user roles define which actions each user is allowed to perform on your website. These actions are known as capabilities. For example, the ability to publish a WordPress post is one capability, while the ability to install a new plugin is another.

At a simple level, a user role is just a collection of actions (capabilities) that a user with that role is allowed to carry out.

WordPress user roles are important because they:

  • Help keep your WordPress site secure by making sure users don't have access to things they shouldn't. For example, you don't want an untrustworthy user to be able to install new plugins on your website.
  • Can help you define your work processes. For example, WordPress has pre-built user roles that you can apply to the authors on your website to give them access only to the capabilities they need to write WordPress posts.

The six standard WordPress user roles

WordPress comes with six different user roles by default. Understanding each one is critical if you want to protect your website and ensure that your team can work effectively. Let's look at each of these roles in turn.

We'll also show you what the WordPress dashboard looks like from each role's perspective.

When you install WordPress, five standard user roles are immediately available:

  1. Administrator (Admin)
  2. Editor
  3. Author
  4. Contributor
  5. Subscriber

The sixth role, super admin, is only visible if you operate a multisite WordPress site.

First, let's look at each standard user role and its permissions.

On a regular WordPress installation, the administrator is the most powerful user role. Users with the administrator role can add new posts, edit posts by any user on the website, and even delete these posts.

Administrators can install, edit and delete plugins and themes. Most importantly, an administrator can add new users to the site, change information about existing users including their passwords, and delete any user (yes, other administrators as well).

This role is basically reserved for website owners and gives you full control over your WordPress site. When running a WordPress site for multiple users, you need to be very careful about who you assign an administrator user role to.

Users with the editor role in WordPress have full control over the content areas of your website. They can add, edit, publish and delete all posts on a WordPress site, including posts written by other users. An editor can also moderate, edit, and delete comments.

Editors cannot change your website settings, install plugins and themes, or add new users.

As the name suggests, the author role allows users to write, edit, and publish their own posts. Authors can also delete their own posts, even if they are published.

When writing articles, authors cannot create categories, but they can choose from existing categories. On the other hand, they can add tags to their posts.

Authors can view comments even if they are pending review. However, they cannot moderate, approve, or delete comments.

Authors have no access to settings, plugins or themes. Hence, it is a relatively low-risk user role on a website, apart from the ability to delete their own posts after they are published.

Users with the contributor role can add new posts and edit their own posts, but they cannot publish any posts, including their own. When writing posts, they cannot create new categories and have to choose from existing categories. However, they can add tags to their posts.

The biggest downside of the contributor role is that contributors can't upload files (i.e., they can't add images to their own articles).

Contributors can view comments even while they are awaiting moderation. However, they cannot approve or delete comments.

They don't have access to any settings, plugins or themes, so they can't change any settings on your site.

Users with the subscriber role can log in to your WordPress site and update their user profiles. They can change their passwords if they want. They cannot write posts, view comments or perform other actions in your WordPress administration area.

This user role is especially useful when users need to log in before they can read a post or leave a comment.

The super administrator role only applies to multisite installations, that is, networks of connected WordPress sites. The super administrator is responsible for the entire network and can make general changes such as adding and deleting sites. Super administrators can also manage the network's users, themes, plugins, and more. Their dashboard is therefore similar to that of a normal administrator.

If there is a super administrator, the regular administrator role is changed slightly. For example, regular administrators in WordPress multisite networks can no longer install, upload and delete themes and plugins or change user information. These functions are reserved for the super administrator.

As an example of how these roles interact, the super administrator can decide which plugins to install on the network, and individual site administrators can only choose whether or not to enable them.

If you want a deeper, but less beginner-friendly, summary of the capabilities of the individual WordPress user roles, we recommend the table “Capability vs. role” in the WordPress Codex. It lists the specific actions that each standard user role can take on your website.

It is important to understand the different user roles, but also to know how to use them properly.

Each site is a little different, but here are some tips on how to get the most out of this feature:

  • Give each user only the level of access they need. This is the key to security so that no one can make unauthorized changes or accidentally delete content.
  • Keep the number of users in the top-level roles limited. A solid rule of thumb is to use one administrator and a few trusted editors. The author role can be assigned to regular content creators who have proven themselves, and new or one-time authors can simply be assigned the contributor role.
  • Try customizing your user roles using plugins. The standard system is effective, but a plugin can extend its functionality. User role plugins allow you to create your own special roles, modify the existing ones, and much more. We recommend starting with the aptly named User Role Editor.

And always remember - when in doubt, it is better to assign too few permissions than too many.
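To check how well a site follows these tips, you can list every role that grants a high-risk capability and actually has users assigned. This is an added example, not part of the original guide: the file name, the function name `example_audit_roles` and the choice of "high-risk" capabilities are assumptions, while `wp_roles()` and `count_users()` are WordPress core functions.

```php
<?php
// Run with WP-CLI:  wp eval-file audit-roles.php   (hypothetical file name)

// Capabilities that allow code execution, settings changes or account takeover.
// This selection is the example's assumption; adjust it for your site.
$high_risk = array(
    'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes',
    'manage_options', 'create_users', 'edit_users', 'promote_users',
    'delete_users', 'unfiltered_html',
);

/**
 * Return the roles that grant at least one high-risk capability
 * and have at least one user assigned.
 */
function example_audit_roles( array $roles, array $user_counts, array $high_risk ) {
    $findings = array();
    foreach ( $roles as $slug => $role ) {
        // Only capabilities stored as true are actually granted.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( $high_risk, $granted ) );
        $users   = isset( $user_counts[ $slug ] ) ? (int) $user_counts[ $slug ] : 0;
        if ( $risky && $users > 0 ) {
            $findings[ $slug ] = array( 'users' => $users, 'caps' => $risky );
        }
    }
    return $findings;
}

$counts   = count_users(); // includes 'avail_roles' => array( role slug => user count )
$findings = example_audit_roles( wp_roles()->roles, $counts['avail_roles'], $high_risk );

foreach ( $findings as $slug => $finding ) {
    printf(
        "%s: %d user(s) hold %s\n",
        $slug,
        $finding['users'],
        implode( ', ', $finding['caps'] )
    );
}
```

Because the script reads the stored role definitions rather than the role names, it also catches roles that a role-editing plugin has widened. Capabilities granted directly to a single user account are not covered.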

The standard WordPress user roles provide capabilities that meet the needs of most websites. For example, if you run a magazine site, you can assign the editor role to your senior staff and the author role to junior staff. You can assign the contributor role to your guest authors and the subscriber role to your website visitors.

But what if you want to change the permissions of an existing WordPress user role?

For example, suppose you want to change the author role so that authors cannot delete their posts once they are published. Or perhaps you offer multi-level member access to premium articles on your website. As is almost always the case, WordPress plugins can help here by letting you set permissions individually for each type of user:

With the PublishPress Capabilities plugin, you have control over all permissions on your WordPress site. You can customize all user roles on your site, from administrators and editors to authors, contributors, subscribers and custom roles.

You can also easily change user roles and capabilities with the WordPress plugin User Role Editor. Simply check the boxes of the capabilities you want to add to the selected role and click the Update button to save your changes.
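The same kind of change can be made in code instead of through a plugin's interface. The following is an added example, not part of the original guide and not code from either plugin: it removes the ability to delete published posts from the author role and, going one step beyond the text, creates a custom role that is a contributor with upload rights. The plugin name, function names and the role slug `example_guest_writer` are hypothetical; `get_role()`, `add_role()`, `remove_role()`, `add_cap()` and `remove_cap()` are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Role Tweaks (added example)
 */

// Role definitions are stored in the database (the wp_user_roles option with
// the default table prefix), so apply changes once on activation rather than
// on every request.
function example_apply_role_tweaks() {
    // 1. Authors may no longer delete their own posts once published.
    $author = get_role( 'author' );
    if ( $author instanceof WP_Role ) {
        $author->remove_cap( 'delete_published_posts' );
    }

    // 2. Hypothetical custom role: a contributor who may also upload files.
    $contributor = get_role( 'contributor' );
    if ( $contributor instanceof WP_Role && null === get_role( 'example_guest_writer' ) ) {
        add_role(
            'example_guest_writer',
            'Guest Writer',
            array_merge( $contributor->capabilities, array( 'upload_files' => true ) )
        );
    }
}
register_activation_hook( __FILE__, 'example_apply_role_tweaks' );

// Make the change reversible: restore the defaults on deactivation.
function example_revert_role_tweaks() {
    $author = get_role( 'author' );
    if ( $author instanceof WP_Role ) {
        $author->add_cap( 'delete_published_posts' );
    }

    // Only remove the custom role when nobody holds it; otherwise those
    // users would be left without any role.
    $holders = get_users(
        array( 'role' => 'example_guest_writer', 'number' => 1, 'fields' => 'ID' )
    );
    if ( empty( $holders ) ) {
        remove_role( 'example_guest_writer' );
    }
}
register_deactivation_hook( __FILE__, 'example_revert_role_tweaks' );
```

Authors keep the separate `delete_posts` capability, so they can still delete their own unpublished drafts.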

The key to managing an effective team is clearly defining the roles and responsibilities of each person. Fortunately, WordPress offers a built-in way to do this. By carefully using WordPress user roles, you can improve the security and efficiency of your website.

Once you understand the five (sometimes six) basic user roles in WordPress and what each is capable of, you can then use a few simple techniques to make use of this feature.

For example, consider keeping your pool of top-level users small, assigning only the necessary permissions, and using plugins to customize their roles.