All You Need to Know On WordPress User Roles And Capabilities To Manage Them Wisely
Table of Contents
As WordPress has grown in popularity, application, and complexity, we have all discovered something very important, making everyone an administrator isn’t a winning strategy. Thankfully WordPress provides us with a very powerful tool called User Roles and Capabilities that helps us give people just the capabilities they need without giving them too much or too little. This helps us keep our sites secure.
In this article we will talk about:
- What WordPress user roles are
- What different roles come with WordPress
- How to assign roles to your WordPress users
- How to create custom roles in WordPress to meet your specific needs
- Security consideration with user roles
What Are WordPress User Roles
As sites become bigger and more complex it takes more people to manage and maintain them.
Yes, sites still need:
- Authors to write new content that makes people’s lives better.
- Editors to fix all the mistakes in the authors contents
- Administrators to keep everything upgraded and working smoothly
- Contributors to assist editors in editing posts
- Subscribers who may or may not have paid us money but they have at least registered with us and given us an email address. (that’s worth something right there)
But these days sites also need:
- Warehouse staff to log in, print labels, and ship products.
- Accounting staff to make sure we collect all the money that is owed to us.
- Social Media managers who can see behind the scenes, but not necessarily change things.
- Community Members who have paid a premium subscription to access the really good stuff the authors are writing and editors are editing
- And of course…premium community members who can log in and access the really REALLY good stuff we save for those special few who see our vision and subscribe at the premium level.
The list of needed WordPress user roles is endless. It changes with every site because each site’s needs are different.
The Main Types of WordPress User Roles And Their Capabilities
A WordPress User Role is a collection of capabilities. A capability is a permission to do something. The standard WordPress install comes with around 40 capabilities, as well as with 6 user roles by default, ordered by level of power over those capabilities:
The default administrator role (not to be confused with the administrator account…that you should not have on your site. If you do have one, stop and watch this video) has all of the standard capabilities.
What can a WordPress administrator do?
In a regular WordPress site, there is nothing that the administrator role cannot do, such as:
- Create or delete users & manage their permissions
- Customize WP dashboard
- Update the WP core, themes and plugins
- Edit and manage posts and categories
- Upload files
- Moderate comments
- …and a lot more.
Who should get the Administrator role?
The administrator role should be reserved for the person that is responsible for the technical aspects of the site. If you don’t manage the security of the site, update plugins, and handle problems, you probably don’t need to be an administrator.
For safety sake, I always create a separate account that I use on my sites as the administrator. My normal account – the one I use to post content and manage users – is an editor. Therefore, I have to make a conscious decision to log in to do administrator things.
My administrator level accounts all have Two Factor Authentication enabled (see below) and have very strong passwords.
Things get a little more complicated if you are running a WordPress Multisite, because the admins user capabilities are limited for these types of sites. For this, there is a bonus WordPress user role in WordPress, the Super-Admin role.
The editor manages things. The account I normally log into my sites with is an editor. I can do everything except manage plugins, themes, and other technical things that require some serious thought before doing. Having my day-to-day account be an editor keeps me from accidentally disabling or deleting a plugin or theme.
Who should get the Editor role?
Anyone who is managing things on your site (content, users, etc.) is a candidate for being an editor.
Don’t be fooled by the role name, editor is still a very powerful role and in the wrong hands can cause serious damage to your site. Seriously consider enabling Two Factor Authentication on editors and enforcing strong passwords to keep these accounts safe.
Next is the author role. The author role is a much more limited role. Out of the box, basically an author can: upload files and create, edit, publish or delete his own posts.
Who should get the Author role?
The author role is great for guest posters on a blog or regular authors whose only function is to write and edit content.
A subscriber is a guest that has registered with your site. They have no capabilities other than to be able to read content and edit their information.
Some sites have content that is not visible to users unless they register. The subscriber is a good role to use for that. You will need a plugin to be able to hide content from users who are not of a given role or higher, but those are easy to find in the WordPress Plugin Repository.
Many plugins you install like WooCommerce will add new roles and new capabilities to WordPress automatically. For instance, When you install WooCommerce, it adds the role “Customer”. A Customer has certain capabilities that mainly deal with them being able to view and change their own data, view their roles, etc. People are moved into the “Customer” role when they purchase something and set up an account on your site.
How to Assign WordPress User Roles to Your Site Users
WordPress does not come with a built in-role and capability editor (more on that below). You can however assign your users to different roles. There are two ways to do that with a standard WordPress install.
For each user on your site, you can bring them up in the User Editor and select the role you want them to have.
In the above screenshot, I have selected Subscriber for my site member Bob the Builder. You can assign – and re-assign – roles as often as you like.
Using an account with the role of Administrator, you can go into the WordPress Admin Dashboard and select Settings > General. There you will find a drop down that allows you to decide what role users will be assigned automatically when they register with your site. This defaults to “Subscriber” but you can set it to any role you like.
How to Manage and Edit WordPress User Roles and Their Capabilities
As I said, almost all of the capabilities are reserved for the administrator, that doesn’t mean you can’t change things around. There are times when you may want your contributors to be able to moderate comments, a capability usually reserved for Editors. WordPress is flexible enough to allow you to move capabilities around and even create new roles.
Out of the box, there is no good way to look at what roles and capabilities are set up in WordPress nor create new ones. If you are a programmer, you can of course write code to show them to you and even write code that will create new ones. Where’s the fun in that though?
Like everything in WordPress, the easy way to manage roles and capabilities is to install a plugin. Also, like everything in WordPress, there are a lot of good plugins to choose from that will help you see, manage, and create user roles and capabilities.
Because there are so many plugins out there, I can’t tell you which one is best. I can, however, tell you which one I use. I use User Role Editor by Vladimir Garagulya and have for a while now.
The biggest reason I chose this particular plugin is that it does the job. The second biggest reason I chose it was because it’s free and I am cheap. When I say free, I mean that I use the free version. Vladimir has several options out there for those who want the advanced features and this code is well worth the money.
How to Manage WordPress User Roles With User Role Editor
After installing User Role Editor, you will probably notice that it didn’t add yet another menu item to your left sidebar. Instead, it adds a sub-menu item to the “Users” menu, “User Role Editor”.
Click on that and you get a complete list of all the capabilities currently in use on your system.
On the right side of the list are a series of buttons that allow you to add new roles and capabilities.
The screen layout can be a little confusing at first. However, once you begin to poke around and see how things are laid out, you begin to get the feel for it.
As you can see, if you select the “Administrator” role in the dropdown at the top of the screen, it shows you all the capabilities that the Administrator role has access to. (Hint: All of them)
The tree on the left is how the capabilities are broken down and organized. This way you don’t have to scroll through the entire list to find that one you want to turn on or off.
To use the example I used above, if I want my contributors to be able to moderate comments, the first thing I do is select “Contributor” from the list of roles.
Once selected, I see that almost all of the checkboxes disappear. On the tree on the left, each category gives me 2 numbers, the number of capabilities in that category and the number of capabilities this role has in that category. In the case of “Contributor” most of the second number are 0.
Using the tree on the left, we can select “Posts” to find the moderate comments capabilities.
To grant our contributors the ability to moderate comments we just check the box and click “Update” on the right.
That’s all there is to it. Now any person who logs in and is a “Contributor” will have the ability to moderate comments on posts.
That gives you a feel for how easy it is to manage existing user roles and capabilities.
How to Create New WordPress User Roles and Capabilities With User Role Editor
What about new Roles and Capabilities? Are those as easy? Yes, they are.
On the right, click “Add Role” and follow the prompts.
If your new role is similar to an existing role, it even gives you the ability to clone an existing role to save time. Then you can simply change the capabilities of your new role to suit your needs.
New Capabilities on the other hand are a little more difficult. Yes, you can define them in the interface but unless there is code written to use the new capabilities they won’t have any effect. Before you start adding capabilities, talk to your programmer.
WordPress User Roles Security
So as you’ve seen it’s really easy to add new roles and customize them to fit your needs. Just because it’s easy though doesn’t mean you should add a bunch of them willy-nilly. Before you start, sit down and decide why a new role is necessary. What will this new role be able to do or not do that is different from existing roles. The more roles you add, the more you have to manage.
Apply The Principle of Least Privilege
Once you have decided to add a new role into your system make sure you adhere to the Principle of Least Privilege. When creating roles, less is more. Only give your new roles the minimum capabilities they need to fulfil their role. If you are setting up an accounting role, don’t give them the capability to Delete Posts. Stick with the minimum, you can always add later if you need to.
Implement Two Factor Authentication (2FA)
For every new role you setup that has significant permissions, make sure you setup and enforce Two Factor Authentication for those roles.
If the Administrator role is the only significantly powerful role you have, then the SiteGround Security Plugin is a great option. It makes setting up 2FA for the Admin Role very simple. Here is a demo on how it works.
If you have other roles that have significant power or can see Personally Identifiable Information (PII) for other users, make sure they have 2FA enforced as well. There are several good (free) 2FA plugins out there that can help you do that.
WordPress has a power user role and capability system that is flexible enough to meet almost any site’s needs. Like any powerful tool though, you can do damage to your site. You can lock users out of capabilities they need to access the site or give users the power to do bad things.
Before you start, stop, think, and then act. That is the winning strategy for managing user roles and capabilities in WordPress.