ZeroToWP

User Roles

Quick Definition

WordPress user roles define what each person can and cannot do on your site. The five default roles — Administrator, Editor, Author, Contributor, and Subscriber — control access to content, settings, and features through a capability-based permission system.

WordPress Developer documentation on Roles and Capabilities — the official guide to the user permission system

What Are User Roles?

WordPress uses a role-based access control system to manage what each user can do on your site. Every registered user is assigned a role, and each role comes with a set of capabilities — specific permissions like "edit posts," "manage options," or "delete others' posts." This system ensures that a blog contributor cannot accidentally (or intentionally) delete your entire site.

The 5 Default Roles

| Role | Can Do | Best For |
| --- | --- | --- |
| Administrator | Everything — install plugins, change themes, manage users, edit settings, delete anything | Site owner (you) |
| Editor | Create, edit, publish, and delete any post or page. Moderate comments. Manage categories and tags. | Content managers, team leads |
| Author | Create, edit, publish, and delete their own posts only. Upload media files. | Regular writers, bloggers |
| Contributor | Write and edit their own posts but cannot publish. Cannot upload files. | Guest writers, interns |
| Subscriber | Read content and manage their own profile. No editing capabilities. | Registered readers, members |

Each role inherits all capabilities of the roles below it. On Multisite, there is a sixth role: Super Admin.

Security Best Practices

  • Principle of least privilege — Give each user the minimum role they need
  • Limit Administrator accounts — Only site owners should have Admin access
  • Use Editor for content managers — Full content control without plugin/theme access
  • Review accounts regularly — Remove inactive users, check for unknown accounts

Custom Roles and Capabilities

  • User Role Editor — The most popular role management plugin
  • Members — Custom roles + content restrictions
  • Code — add_role() and add_cap() in functions.php
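
The code route, as an added example (not from the WordPress documentation or this site's own code): a least-privilege custom role registered with add_role(), plus a single capability granted to Editor with add_cap(). The "proofreader" role, its capability set, and the mysite_* names are assumptions chosen for illustration.

```php
// Added example for a theme's functions.php (which already opens with <?php).
// The "proofreader" role, its capability set, and the mysite_* names are
// assumptions for illustration.

// Roles are saved in the database, so apply changes once per version
// instead of on every page load.
const MYSITE_ROLES_VERSION = '1';

function mysite_register_roles() {
	if ( get_option( 'mysite_roles_version' ) === MYSITE_ROLES_VERSION ) {
		return; // This version of the role setup is already stored.
	}

	// Rebuild from a clean definition so a capability dropped from the
	// array below does not linger from an earlier version.
	remove_role( 'proofreader' );

	// Least privilege: may correct other authors' drafts and published
	// posts, but cannot publish, delete, upload files, or reach settings.
	add_role(
		'proofreader',
		'Proofreader',
		array(
			'read'                 => true,
			'edit_posts'           => true,
			'edit_others_posts'    => true,
			'edit_published_posts' => true,
		)
	);

	// add_cap() grants one extra capability to an existing role. Here the
	// Editor gets menus and widgets without being promoted to Administrator.
	$editor = get_role( 'editor' );
	if ( $editor ) {
		$editor->add_cap( 'edit_theme_options' );
	}

	update_option( 'mysite_roles_version', MYSITE_ROLES_VERSION );
}
add_action( 'init', 'mysite_register_roles' );

// In your own code, check the capability, not the role name, so custom
// roles are handled correctly.
function mysite_can_fix_post( $post_id ) {
	return current_user_can( 'edit_post', $post_id );
}
```

Bump MYSITE_ROLES_VERSION whenever you change the capability array so the stored role is rebuilt.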

Why It Matters

User roles are a fundamental WordPress security feature. Properly assigning roles minimizes damage from compromised accounts. For multi-author blogs, agency sites, and membership sites, understanding roles is essential for both security and workflow.

Sources: Developer.WordPress.org, WordPress.org
