ZeroToWP

Capability

Quick Definition

A capability is a specific permission in WordPress that controls what a user can and cannot do — like editing posts, publishing content, or managing site settings.

WordPress Roles and Capabilities documentation on wordpress.org

What Is a Capability?

A capability in WordPress is a single, specific permission that determines whether a user can perform a particular action. Think of it as a key on a keychain — each key opens a different door. Capabilities like edit_posts, publish_posts, upload_files, and manage_options each unlock a different piece of functionality in the WordPress admin.

Capabilities are grouped into roles. WordPress comes with six built-in roles, each with a different set of capabilities:

  • Super Admin — Full control over an entire Multisite network
  • Administrator — Complete control over a single site (all capabilities)
  • Editor — Can publish, edit, and delete any post, including other users' posts
  • Author — Can publish and manage their own posts only
  • Contributor — Can write and edit their own posts but cannot publish them
  • Subscriber — Can only read content and manage their profile

Each role is essentially a bundle of capabilities. An Administrator has capabilities like manage_options, install_plugins, and edit_users. A Contributor only has edit_posts and read. When WordPress needs to decide whether to show a menu item, allow an action, or display a settings page, it checks the current user's capabilities.

In code, you check capabilities using the current_user_can() function:

if ( current_user_can( 'edit_posts' ) ) {
    // Show the edit button
}

This is the foundation of WordPress security. Instead of checking "is this user an Administrator?", you check "does this user have the manage_options capability?" This is more flexible because you can add or remove individual capabilities from any role without changing the role itself.

Capabilities in Practice

Plugin and theme developers create custom capabilities to control access to their features. For example, a WooCommerce store might have a capability like manage_woocommerce that controls who can access the store settings. You can assign this to a custom "Shop Manager" role without giving them full Administrator access.

WordPress provides functions to manage capabilities programmatically:

  • add_role() — Create a new role with a set of capabilities
  • add_cap() — Add a capability to an existing role
  • remove_cap() — Remove a capability from a role
  • remove_role() — Delete a role entirely
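
The four calls above and a current_user_can() check, put together in one small plugin. This is an added example, not code from the original page or from WordPress itself; the plugin, the role example_report_viewer, the capability example_view_reports and the action example_export_report are hypothetical names.

```php
<?php
/**
 * Plugin Name: Example Reports (added illustration, hypothetical names)
 */

// Activation: roles live in the database, so create them once here
// rather than on every request.
register_activation_hook( __FILE__, function () {
    add_role( 'example_report_viewer', 'Report Viewer', array(
        'read'                 => true, // log in and view the dashboard
        'example_view_reports' => true, // custom capability (hypothetical)
    ) );
    // add_cap() is called on the role object returned by get_role().
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( 'example_view_reports' );
    }
} );

// Deactivation: revoke the grant and delete the role so nothing stale remains.
register_deactivation_hook( __FILE__, function () {
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->remove_cap( 'example_view_reports' );
    }
    remove_role( 'example_report_viewer' );
} );

// The menu entry and its page are limited to holders of the capability.
add_action( 'admin_menu', function () {
    add_menu_page( 'Reports', 'Reports', 'example_view_reports', 'example-reports', function () {
        echo '<div class="wrap"><h1>Reports</h1></div>';
    } );
} );

// Request handlers need their own check: admin-post.php runs this hook for
// any logged-in user, whatever menus that user can see.
add_action( 'admin_post_example_export_report', function () {
    if ( ! current_user_can( 'example_view_reports' ) ) {
        wp_die( 'You are not allowed to export reports.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_report' ); // CSRF nonce sent by the form
    header( 'Content-Type: text/csv' );
    echo "date,visits\n"; // constructed placeholder output
    exit;
} );
```

The handler checks the capability rather than the role name, so any role later granted example_view_reports works without a code change.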

Plugins like User Role Editor and Members provide a visual interface for managing capabilities without writing code — useful if you need to create custom roles for a client site with specific access levels.

Why It Matters

Understanding capabilities is essential for any WordPress site with multiple users. Whether you are running a blog with guest authors, a membership site, or a WooCommerce store with staff, capabilities let you control exactly who can do what. Getting this right protects your site from accidental (or intentional) damage by limiting each user to only the permissions they actually need — a security principle known as "least privilege."
