WordPress User Roles and Permissions | A Guide for 2017

If you find it hard to read the information on the WordPress Codex (official WordPress support), then this information might just be what you’re looking for. We’ve kept everything simple and created this guide to help normal people understand everything there is to know about WordPress User Roles.

WordPress user roles are key to managing what users can actively do on your website. These roles are set in place so that other users won’t have the same access you, the admin, do. You want to be able to control what different people can do and understanding the different kinds of roles available on your WordPress site will help you set up a role structure that will work for your individual needs.

As your website grows, you may have more and more users that need access to your content that is locked behind user registration. In this guide, we’ll be identifying each and every user role available on WordPress and the permissions that each role has so you can make sure you get it right.

WordPress User Roles

WordPress has information on user hierarchy when it comes to content management. Here’s a list of all 5 user roles in order of authority (lowest to highest). In general, each successive role has all of the functionality of the previous role with some extras.

  1. Subscriber
  2. Contributor
  3. Author
  4. Editor
  5. Administrator

Note that we did not include Super Admin on this list, since it’s a feature that not many people use: it is restricted to Multisite installations and is used mainly by very advanced users and WordPress developers.

These 5 pre-set user roles are the only roles available on a default WordPress installation. They’re kept as basic as possible to ensure that new users would be able to easily manage them. Let's dive into the specifics of each role.

Subscriber

The Subscriber has the lowest user access level among the 5 default user roles. The only things they can do are log in, update their individual profile, and change their password. They don’t have access to post management and anything above it. One of the reasons why some admins allow subscriber accounts is to create a system where users would need to log in first before reading posts.

The comment system is another way that subscribers can be used. You can require people to sign up for an account and create a profile before they can comment on your posts. This can reduce the spam quite a bit, but you may get fewer visitor interactions.

Contributor

Contributors are next in the lineup and have a little more access than subscribers.

Contributors can create posts and edit them as they wish, but they are not able to publish them. They are able to tag their posts, but creating new categories is a ‘no-go’ for them. They also can't upload media files, which can be kind of a pain. This is mostly to limit the security vulnerabilities of uploading raw images to a server.

They can also view (but not approve) comments. This allows them to get feedback on their posts and plan replies.

As you might expect from someone who is only "contributing", this role doesn't have access to any of the meta elements of your site such as plugins, themes, colors, or any other general setting that could mess with your site layout.

Author

Alright, this is where some access starts to appear. The Author user role is like an ‘upgraded’ contributor role. They are able to create and edit posts, but this time they’re also able to publish them on their own. Like the contributor role, authors are not able to create categories but are able to add new tags to the posts that they control. They also have the same access with regards to comments. Authors can only view comments, but are not able to approve or delete them.

Authors also have the ability to delete their posts once they are published. Now, this may be pretty useful, but there are some risks involved. Imagine firing an author on bad terms and they end up deleting the posts that you’ve paid them to create. You CAN avoid that with the use of some plugins (see Custom Roles below).

Like contributors, authors don't have access to any of your site settings. They also cannot add themes or install plugins, so your site is still considered safe.

Editor

Just like their title suggests, Editors have the most edit access available for your content. They can add, edit, and delete posts written by themselves or by others. Unlike the other user roles, they’re the ones who have access to comment approval, removal, and even editing.

Even with the amount of editing access that an editor role has, they’re still not able to modify your site settings, can’t install plugins, can't modify or add themes, and don't have the ability to add, edit, or remove users.

Administrator

Last, but definitely not the least, we have the Administrator role. This is the most powerful role in a single site installation of WordPress. They have all the editing access like the Editor role (post creation, alteration, and deletion) including comment moderation. This is the only user role that is able to alter any site settings and add users into the system.

Adding and editing user profiles might put personal information at risk. That’s why it’s recommended that only site owners hold the admin role on their own WordPress site. If you’re working with a developer, you CAN give them an Admin role, but you can also give them a ‘custom role

Custom Roles

While this isn’t really part of the default WordPress installation, there are some ways for you to customize and create your own user roles. As we mentioned earlier (check the Author section), you can remove parts of a user role’s access on the site.

WordPress User Role Plugins

There are a whole bunch of plugins available that could do the trick. Plugins like User Role Editor, Advanced Access Manager, or Members have the ability to change user roles as desired. They also allow you to create a specific role that only has a specific set of permissions.

With these plugins, you can create user roles for various purposes. If you want to create a comment moderator user role, you can add the comment moderation access and remove post creation access from them. This means they’re only able to manage comments and not the editing, publishing, and creation of posts.

If you’re the type of person that’s not always active on your site, you can also create roles to help you. A good example would be to create a role that can change the settings of your site, edit content, and manage comments. Since they’re not the site admin, they’re not allowed to add users or to delete posts on the site.
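The two changes discussed in this guide (stopping Authors from deleting published posts, and the helper role described above) can also be made with WordPress's own role functions. This is an added example, not code from the guide or from any of the plugins named; the plugin name, the `site_manager` slug and the function names are made up for illustration, and it assumes the file is installed as a normal plugin.

```php
<?php
/**
 * Plugin Name: Example Role Hardening (illustrative, not from the guide)
 */

// Hypothetical role slug chosen for this example.
const EXAMPLE_MANAGER_ROLE = 'site_manager';

function example_roles_activate() {
    // Role changes are saved in the database, so apply them once on
    // activation instead of on every page load.

    // 1. Authors can still delete their own drafts (delete_posts), but
    //    lose the ability to delete posts that are already published.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->remove_cap( 'delete_published_posts' );
    }

    // 2. Settings + content + comments. Capabilities that are not listed
    //    are denied, so this role cannot add users or delete posts.
    //    Pages would need the matching *_pages capabilities as well.
    add_role( EXAMPLE_MANAGER_ROLE, 'Site Manager', array(
        'read'                 => true,
        'manage_options'       => true, // site settings screens
        'edit_posts'           => true,
        'edit_others_posts'    => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'moderate_comments'    => true,
    ) );
}
register_activation_hook( __FILE__, 'example_roles_activate' );

function example_roles_deactivate() {
    // Undo both changes so deactivating the plugin restores the defaults.
    // Reassign any users who hold the custom role before removing it.
    remove_role( EXAMPLE_MANAGER_ROLE );
    $author = get_role( 'author' );
    if ( $author ) {
        $author->add_cap( 'delete_published_posts' );
    }
}
register_deactivation_hook( __FILE__, 'example_roles_deactivate' );
```

Because `manage_options` opens the site settings screens, hand this role out as carefully as you would an administrator account.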

Once you’ve mastered what type of roles your site needs, everything else will fall into place. If you’re not tech-savvy, or simply don’t want to deal with complications like this, just stick to the default ones. They are sufficient for most uses anyway.

Admin vs Super Admin

Admin roles are the most powerful roles for single site installations. On multisite installations, however, the Super Admin is the one with the most access. Although the two roles are similar, there are some notable differences between them. You can read more on this on the WordPress Codex.

Summary

WordPress User Roles are the best ways to delegate tasks to users on your WordPress installation. It’s a good way to maintain order on your site when you are working with other people.

If you set up a strong permissions structure from the beginning you won't run into any surprises when your team changes or you have a malicious user. Spend a few minutes and make sure your roles and permissions are set up for your needs.

I hope this guide taught you something about user roles. Make sure to check out our entire collection of WordPress Guides for all of your WordPress needs.