WordPress user roles are created to provide a site owner with security through the ability to dictate what other users can and cannot do throughout their site. Through the determined roles, a site owner can manage user access to tasks such as:
- Writing and editing posts
- Creating Pages
- Creating categories
- Moderating and responding to comments
- Managing plugins and themes
- Changing or editing other user roles
WordPress main roles
WordPress has six predefined roles as follows:
- Super Admin: A Super Admin is a user with access to all multisite network administration features.
- Administrator: An Administrator is a user who has access to all of the administration features within a single website.
- Editor: An Editor is a user who is able to publish and manage posts, including those created by other users.
- Author: An Author is a user who is able to write and manage only their own posts.
- Contributor: A Contributor is a user who can write and manage their own posts, but cannot publish them themselves.
- Subscriber: A Subscriber is a user who only has access to managing their own profile (updating their user profile, changing their password).
These are the six main roles in WordPress, and the tasks each one is able to perform are called Capabilities. The Capabilities in these cases would include tasks such as “publish_posts” and “moderate_comments”. While the Capabilities assigned to each role are predetermined, they can be edited.
Custom roles and capabilities
- Add new roles
- Customize capabilities for any given role
- Change the automatic role assigned for new users
- Assign multiple roles to one user
- Remove unnecessary capabilities
It’s possible to add custom capabilities to any role. Under the default WordPress admin, they would have no effect, but they can be used for custom admin screens and areas (such as metaboxes) and for front-end output created by plugins and themes, which check for the capability before rendering or acting.
General principles for user roles
There are general principles a site owner should follow in terms of how to grant the right or appropriate role to any person. A good way to look at it is that the roles should match what the site owner believes are the website responsibilities of a given user.
- Always provide the least privileges: WordPress recommends a principle of “least privileges”, wherein a user is given only the privileges (access) that are essential to performing their desired tasks. Limiting access for users is an important way to protect your website’s security.
- Customize first, upgrade later: Some users may require just an additional privilege to perform tasks effectively. In this case, rather than upgrading them to a higher privilege role, add capabilities to their specific role, or create a custom role so that the added capabilities are only applicable to the user in question, rather than all users who fall under that specific role.
- Limit capabilities that are not essential: If you opt to upgrade a user’s role, make sure to be aware of all the new capabilities allowed within the new role, and remove/edit any that are not absolutely necessary for that user to have access to.
- Limit higher-privilege roles: It is better to limit the roles that have more privileges, such as Administrator or Editor. If you have a user who is only responsible for writing posts, do not upgrade them to Author or Editor (roles that include the ability to publish posts or edit other users’ posts); simply grant them Contributor permissions, with an assigned Editor responsible for publishing their posts.
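The following plugin puts the custom-roles section and the four principles above into practice. It is an added example, not code from this page or from WordPress core; the role name `example_contributor_plus`, the capability name `example_review_submissions` and the `example_` function names are assumptions chosen for the illustration. It clones Contributor into a custom role with one extra capability (customize first, upgrade later), strips non-essential capabilities from Editor, sets the default role for new accounts to Subscriber, and gates a metabox and its form handler on a custom capability so that the capability actually has an effect.

```php
<?php
/**
 * Plugin Name: Example least-privilege roles
 * Added example (not WordPress core code). Role and capability changes are
 * stored in the database, so they run once on activation, not on every request.
 */

register_activation_hook( __FILE__, 'example_register_roles' );
register_deactivation_hook( __FILE__, 'example_unregister_roles' );

function example_register_roles() {
    // Customize first, upgrade later: a Contributor who also needs to upload
    // images gets a dedicated role cloned from Contributor plus that single
    // capability, instead of being promoted to Author (which can also publish).
    $contributor = get_role( 'contributor' );
    if ( $contributor ) {
        $caps = $contributor->capabilities;            // edit_posts, read, delete_posts, ...
        $caps['upload_files'] = true;                  // the one extra privilege needed
        add_role( 'example_contributor_plus', 'Contributor Plus', $caps ); // assumed role name
    }

    // Limit capabilities that are not essential: on this site Editors neither
    // manage categories nor moderate comments, so remove those capabilities
    // from the role and grant only the custom reviewing capability instead.
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'manage_categories' );
        $editor->remove_cap( 'moderate_comments' );
        $editor->add_cap( 'example_review_submissions' ); // assumed capability name
    }

    // Least privileges for self-registered users: new accounts start as Subscriber.
    update_option( 'default_role', 'subscriber' );
}

function example_unregister_roles() {
    // Undo the changes so the site is not left with an orphaned custom role.
    remove_role( 'example_contributor_plus' );
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'example_review_submissions' );
        $editor->add_cap( 'manage_categories' );
        $editor->add_cap( 'moderate_comments' );
    }
}

// A custom capability does nothing in the default admin; the plugin gives it
// meaning by checking it before rendering its own metabox.
add_action( 'add_meta_boxes', 'example_add_review_metabox' );

function example_add_review_metabox() {
    if ( ! current_user_can( 'example_review_submissions' ) ) {
        return; // users without the capability never see the box
    }
    add_meta_box( 'example_review', 'Submission review', 'example_render_review_metabox', 'post', 'side' );
}

function example_render_review_metabox( $post ) {
    $url = wp_nonce_url( admin_url( 'admin-post.php?action=example_approve&post=' . (int) $post->ID ), 'example_approve' );
    echo '<p><a href="' . esc_url( $url ) . '">' . esc_html__( 'Approve submission', 'example' ) . '</a></p>';
}

// The same check belongs on the action handler, not only on the UI: a request
// that bypasses the metabox must fail the identical capability test.
add_action( 'admin_post_example_approve', 'example_handle_approve' );

function example_handle_approve() {
    if ( ! current_user_can( 'example_review_submissions' ) ) {
        wp_die( esc_html__( 'You are not allowed to review submissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_approve' );
    $post_id = isset( $_GET['post'] ) ? (int) $_GET['post'] : 0;
    if ( $post_id ) {
        update_post_meta( $post_id, '_example_reviewed', '1' ); // assumed meta key
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
```

Two points of design worth noting. First, `get_role()` can return `null` on a site where the role was deleted, so every role edit is guarded. Second, `current_user_can()` is called both where the metabox is drawn and where the approval is processed: a capability that is only checked when rendering the UI is not an access control, because the `admin-post.php` request can be sent without ever loading the editor screen.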