Why it’s Important to Understand WordPress User Roles and Permissions

A WordPress Administrator usually is the website owner himself. Although a site can have multiple administrators. This role can add users to the site, make changes to other profiles or even delete them. They should follow the best security practices out there to reduce the risk of the site being compromised.

An administrator is in charge of installing, editing and deleting plugins and themes. In addition, an administrator is solely responsible for WordPress security.

Tip: It’s important to know that when running a WordPress site with multiple users, you must exercise caution by assigning this role to someone who can be trusted.

One could ask – why have a super administrator on a WordPress website? Well, this is because this role is assigned to someone who can have full access to a WordPress multisite network. If you would like to learn more about this subject, we recommend checking out WordPress blogs like HostingWiki.

Besides performing a network-wide role similar to any site administrator, a super administrator can add, delete, activate, edit or archive multiple sites on a network, manage all users across it, upgrade the WordPress core for the entire network, control plugins and themes for all sites, and even ban domains.

In a nutshell, a super administrator acts similarly to a regular administrator but is only available when using a multisite network.

It’s important to note, that when a WordPress super administrator role is enabled, regular administrators can no longer delete plugins, but they can activate or deactivate them on the site they manage.

The WordPress editor role allows full authority over the content section of the website.  The editor has the right to edit, publish and delete posts. These actions can be performed on any author’s content. The editor also has the ability to moderate comments.

While this user role has free reign over content, it cannot change the site structure itself – that means an editor cannot manage themes, plugins and the WordPress core. A WordPress editor is normally responsible for managing and overseeing multiple authors and their work.

A WordPress author has more limited permissions compared to an editor. A user in this role can create his own posts with permission to write, edit and publish their own content. They can also delete their posts after publishing them. Lastly, they have the ability to select in which site category their content is placed. Unlike an editor, they cannot manage content posted by other roles. An author can also manage comments left on their posts.

The author role is perfect for frequent contributors and collaborators.

A WordPress contributor can add and edit posts but cannot publish them. Much like an author, a contributor may choose from an existing category but can’t create his own. Not unlike an author, a contributor can view comments but can’t approve or delete them.

This role is a perfect option for any one time contributors that are collaborating with your blog or are writing a guest post. Alternatively, it’s a perfect role for anyone who is on a trial period as an author for your site.

A WordPress Subscriber can log into the site, update and change his password but cannot perform other activities such as writing or publishing posts through the dashboard. They will be able to view the dashboard, but will not be able to edit any of the site’s features.

This role is typically used in combination with subscription or membership plugins, like MemberPress, offering visitors a convenient way to view subscriber-only content.

Let’s cover some essential practices that will help you get the most out of WordPress user roles. Remember – poor role management can lead to security flaws. Additionally, we’ll highlight some tips that will help oversee a large number of users.

There are some great plugins that can improve how you manage user roles. Take the Capability Manager Enhanced plugin for example. With it, you can create additional roles, capabilities, copy roles across a multisite network and much more!

Log Out Inactive Users

Accidents happen – one of your administrators or editors might use a public computer to access your site’s dashboard. If they forget to log out, it and someone else were to come across the computer, you might be in trouble. Additionally, any other idle user account can serve as an extra access point for bad actors. Remember to check the WordPress Users section regularly.

Assign User Roles Sparingly

Take the time to consider if you really need the extra administrator or editor for your site. Be sure to always ask yourself “Will this person need access to the plugin area?”, “Can I trust him to effectively manage my site’s content?” Answering these questions before assigning user roles can save you a lot of trouble later down the line.