WordPress makes it easy for site owners and webmasters to run a highly functional website. To get the most of your WordPress site, you’ll probably want to have other people help you out.
You might want to give a third-party contractor the ability to publish blog posts or maybe hire a developer to help you create new pages. But giving others full access to your WordPress site can be frightening and pose a potential security risk.
That’s where WordPress roles come into play. Roles give website owners full control over what users can or cannot do on the site.
With WordPress roles, you won’t have to worry as much about users doing something on your site that they’re not supposed to.
What are WordPress Roles?
WordPress roles and capabilities allow site owners to control who has access to what parts of a site on the backend. Out-of-the-box, there are five default WordPress user roles—administrator, editor, author, contributor, subscriber.
Each user has uniquely defined capabilities, such as writing and editing a post, publishing a post, creating users, moderate comments, installing plugins, deleting a theme, and more. In total, there are 70+ hardcoded capabilities built into WordPress for different users.
The main purpose of WordPress roles is to restrict access. For example, you probably wouldn’t want to give a part-time blogger the ability to delete your site’s theme or install a new plugin.
5 Tools to Improve WordPress Roles
While WordPress comes with the ability to manage user roles out-of-the-box, there are some third-party plugins out there that take this functionality to the next level. These are my five favorite tools for managing WordPress roles.
#1 — PublishPress Capabilities
With over 100,000 active installations, PublishPress Capabilities is another popular way to manage WordPress roles. This plugin is perfect for anyone who wants to have more control over the way user roles and capabilities on their WordPress site are handled.
You can fully customize the roles of editors, authors, administrators, contributors, and subscribers, so each role has exactly what you need. Easily modify an existing role or create completely new roles. All of the roles within PublishPress Capabilities work for single sites and multisite WordPress networks as well.
I like PublishPress Capabilities because it automatically backs up your website’s permissions whenever a change gets made to a role or capability. So, if anything happens to your website, you can restore those permissions with ease instead of doing everything again manually. These backups are also extremely useful if you decide to migrate your user roles and capabilities from one site to another.
PublishPress Capabilities makes it easy to customize permissions, copy roles, add extra permissions to the taxonomy of your site, create permissions for custom statues, and so much more.
The basic version of this plugin is free to use. Paid plans start at $69 per year and come with access to six other PublishPress plugins.
#2 — Members
Members by MemberPress is a WordPress plugin that’s built specifically for managing user roles. With 200,000+ active installations, it’s one of the most popular solutions in this category.
This is arguably the easiest way to manage user role permissions within WordPress, too. The default role options within WordPress aren’t so user-friendly, especially for non-technical admins.
But the Members plugin simplifies role management with a straightforward UI that’s easy to navigate. You’ll be able to add roles and change capabilities for users with just a few clicks.
The plugin comes with an extensive list of functionalities for basic and advanced users alike.
For example, you’ll have the option to perform basic tasks, like creating a new user, editing a user, deleting roles, and adding capabilities for roles. But it also comes with more advanced functions, allowing you to assign multiple roles to any user.
You can also clone roles, create content permissions, restrict certain content, decide who has access to shortcodes, and more.
The basic Members plugin is free to download and use. You’ll also have access to free add-ons like block permissions, admin access, role levels, role hierarchy, and more. The plugin even integrates with third-party tools like Easy Digital Downloads and WooCommerce.
#3 — User Submitted Posts
The User Submitted Posts plugin for WordPress is a bit unique compared to some of the other tools in this guide. Technically, it’s not used to manage WordPress roles. But the plugin essentially provides you with a similar benefit when you want to give users the least amount of access to your site.
That’s because User Submitted Posts is a frontend solution—meaning site contributors won’t have access to your WordPress dashboard. But verified users can still publish content on your website.
This is perfect for WordPress sites that publish content from a wide range of different freelancers or users outside of the company. Instead of giving those people WordPress login credentials for the backend of your WordPress site, you can just install the User Submitted Posts plugin as a safer alternative.
This workaround for publishing is still fast and easy for the end-users. The plugin features a simple registration, login, and password form. You can display the login forms anywhere on your site using a simple shortcode or template tag. You’ll also benefit from shortcodes for access control and restricted content.
Other noteworthy highlights of User Submitted Posts include email notifications for new submissions, image preview thumbnails, Google reCAPTCHA for forms, built-in client side verification, action and filter hooks for advanced customization, and so much more.
User Submitted Posts is the perfect way to add user-generated content to your site without having to create new WordPress roles.
#4 — Advanced Access Manager
Advanced Access Manager is a powerful and versatile WordPress plugin with 100,000+ active installations. I like Advanced Access Manager because it is built to help WordPress admins customize and control every component of their WordPress sites. User roles are just one of the many aspects that can be managed using this plugin.
Regardless of the use case, Advanced Access Manager is primarily built around access and security policies. You’ll define who, when, and how users can access specific resources on your WordPress site. Access control can be maintained on the backend and frontend of your site as well.
The backend menu access control feature is arguably the plugin’s most popular tool. This allows you to customize access for any user or role. You’ll also have the ability to customize all roles or capabilities from a user-friendly dashboard.
Use Advanced Access Manager to create temporary accounts, limit content access, manage temporary users, restrict backend functionality, manage access based on IP address or referred domain, and so much more. Advanced Access Manager is free for basic use.
Paid plans for role hierarchy and multi-level groups start at $39. Most sites go with the enterprise package. For $399 per year, you’ll have access to the full suite of all premium add-ons.
#5 — User Role Editor
The User Role Editor plugin for WordPress has a pretty self-explanatory name. As implied, it’s a simple solution that gives you the ability to manage user roles and capabilities.
Using the tool is as easy as clicking checkboxes to customize roles and capabilities according to your personal preferences. If you’re not happy with the built-in role management tools within WordPress, User Role Editor is an upgrade that can accommodate your needs.
There’s a free version of the plugin for basic role management and capabilities customization.
But the Pro version is designed for anyone who really wants to get the most out of managing user roles. You’ll benefit from additional features like frontend menus, per plugin access for user roles, the ability to block meta boxes and navigation menus, manage widgets, and more.
The Pro version also supports WordPress multi-sites with a super admin. The Pro Personal plan starts at $29 per year for a single installation. Lifetime access starts at $87 for a one-time purchase.
The Basics of WordPress Roles
Let’s take a closer look at the core components of WordPress roles. This will give you a better understanding of the capabilities associated with default user roles.
Administrator
Admins have the most powerful role. They can add new posts, edit posts, and even delete posts created by other users. Users with administrative access can edit, install, and delete plugins and themes. An admin can add new users, delete users, and change information about other users (including other admins).
The administrative role is essentially created for the site owner. Anyone with admin access will have full control over the WordPress site. So be cautious if and when you assign this role.
Editor
Editors can access and control the content portions of your WordPress site. They have the capability to add posts, edit posts, publish posts, and delete posts on the site, regardless of who wrote the post. Editors also have the ability to edit, delete, and moderate comments on your website.
By default, an editor cannot install plugins, change your theme, add a new user, or change your WordPress site settings.
Author
As the name implies, authors can create, edit, and publish posts on WordPress. They also have the ability to delete published posts, assuming the post was written by that author.
It’s worth noting that authors only can select an existing category when they’re publishing a new post—they cannot create a new category. However, an author does have the ability to add tags to their posts.
While an author can view comments and see comments pending review, they cannot manage those comments. Authors won’t have access to plugins, themes, or site settings either. Overall, this role grants fairly low-access to the WordPress site.
Contributor
Contributors are similar to authors but have even less access. While a contributor can add new posts and edit posts that they wrote, this role does not grant access to publishing content.
A contributor won’t have the ability to upload files to WordPress either. So anyone with that role cannot add images to posts that they wrote.
Subscriber
Subscribers are the least powerful WordPress users. They can log in to your WordPress website and update their own profiles on the frontend. But they can’t write posts or do anything within your WordPress admin dashboard.
The subscriber role is perfect for sites that require users to login before reading posts or commenting on posts. But beyond that, they won’t have access to other permissions.
3 Tricks For WordPress Roles
Here are a few quick tips and best practices that you can apply to your WordPress site. These tricks will make it easier for you to understand and manage WordPress roles.
Trick #1: Super Admin For WordPress Multisite
If you’re running multiple sites from the same WordPress installation, make sure you take advantage of the super admin role. This is only available on WordPress multisite networks.
Super admins can add sites, delete sites, install plugins, manage themes, and basically manage all network-wide actions in WordPress. It’s the most powerful role in WordPress and usually best if you keep this role to yourself.
If you’re using WordPress multisite, make sure you’re using a web hosting service that can accommodate your needs. This type of installation requires a bit more power from your host. Check out our guide on the best web hosting for WordPress to see our top recommendations.
Trick #2: Limit Admins and Editors
It might be tempting to start giving people full access to your WordPress dashboard. But this isn’t a great idea. You really only need to have one administrator and one or two editors at most.
Always follow the “principle of least privilege.” This IT security concept says users should only have privileges essential to perform functions for their desired work. For example, this is why an editor can’t delete your theme or add a new plugin. These capabilities aren’t part of an editor’s job.
Trick #3: Customize Roles Accordingly
The default roles are fine for basic use, but they likely aren’t suitable for every need and potential use case. So you can change capabilities based on your workflow and customize how different users have access to your WordPress site.
For example, you might decide to give contributors the ability to upload files to WordPress. Or maybe you want to give authors the ability to moderate comments.
By installing a plugin or third-party tool, it’s much easier to customize different roles at scale.