WordPress Users Roles

In a typical WordPress installation one can find a good number of users. Bloggers typically create new users on their blog to allow third party contributors to add blog posts, edit them, delete posts and to even activate or deactivate a plugin. These tasks are called Capabilities. However, many website owners do not wish to provide the same capabilities to all of their WordPress website users. In this article we will explain what capabilities each user role has.

For instance, an owner might want to assign capabilities to a user that can read, edit and delete posts but at the same time the user should not be able to install or uninstall any WordPress plugins. Most of the times bloggers are not using the built in WordPress user roles, thus most of the time their users have insufficient capabilities, or even worse, too many capabilities.

This can be potentially dangerous since having an account with full privileges on a WordPress installation exposes it to the trust of a particular user. But trust is not enough and providing a set of capabilities to users that you do not completely trust might put your website in danger. WordPress provides different types of User Roles which allows the owner of a WordPress website to assign any user to a particular Role. These Roles have different account capabilities with specific functions. By assigning a restricted number of capabilities to users, instead of Administrator privileges makes your website less prone to attacks. It is also of good practice that irrelevant of the role a user is assigned to, each and every user should have a very strong password.

By default there are five WordPress Roles; Administrator, Editor, Author, Contributor and Subscriber. Each one of these roles has different capabilities providing very helpful user management functionality. In the following lines a brief description of each role will be given along with the full capabilities of each one.

The Administrator role has all the possible capabilities in a WordPress website. An Administrator can read, modify or delete, any posts, links and pages. The administrator can also install and uninstall Plugins, register new users. Basically the administrator has full control or a WordPress website or blog. For that reason, it is recommended to have only one Administrator account in a WordPress website. (If you are using WordPress Multisite this role is called super Admin who has more capabilities from a single WordPress Administrator, since it has network administration capabilities to control the entire WordPress Multisite network.).

An Editor can manage and publish posts and pages either personal or of other users. Thus an Editor has the capabilities of managing the posts and pages of all the users in a WordPress website in contrast with the Author, who can publish and manage his own posts and pages only.

The Contributor can write and manage posts but cannot publish them.

The Subscriber has the capability to manage his profile and read blog posts only.

Below is a complete list of the Capabilities of all the roles of a WordPress website (source http://codex.wordpress.org/Roles_and_Capabilities).

[table id=9 /]

As we have seen, Roles and Capabilities provide a user management functionality with which an owner can easily control and manage all users in a WordPress website and their particular Roles. It is very important that such roles are and used to beef up the security of your website.

Share this post
  • I’m still unsure of what type of user to assign someone that I would like to be able to write an article…?

    If a contributor can only `read’, `edit’, `delete’ but not publish – do they merely save as draft when they’re finished?

  • Hi Deon Fialkov

    A Contributor can write a post but he cannot submit it. He can submit it for review and a user with appropriate (higher) privileges can review and eventually publish it. You can set the user as Author who can publish and manage his own posts and pages only.

    Thank You

    ———

    Stay tuned with the latest news and updates by subscribing to our WebsiteDefender Facebook account http://www.facebook.com/WebsiteDefender or follow us on Twitter http://twitter.com/websitedefender .

    Remember, stay secure!

  • Leave a Reply

    Your email address will not be published.