Most WordPress bloggers are individuals who administer almost every single aspect of website management and content writing without needing to give other people access to their WordPress installation. They tend to use their administration account that WordPress creates by default on installation and don’t give much thought about managing other users.
When a site grows beyond a certain size, begins to accept contributions from external content creators, or is a business site that needs to give access to multiple members of staff, user permissions become an issue.
WordPress has a built-in mechanism for allowing accounts to have different levels of access. WordPress user roles and capabilities are powerful tools for creating fine grained permissions for every user account.
Today we will take a look at WordPress roles and capabilities. We will deliberate when to use them, why WordPress owners should use them, and how to manage user roles. We’ll specifically concentrate on single site WordPress installations; there are some complications concerning multisite installations that we won’t be discussing in this article.
WordPress Roles And Capabilities
WordPress user roles are used to determine which functionality a WordPress user has access to. That access is determined by the capabilities that each user role has. Capabilities can be thought of as tasks within a WordPress site. Each user role has a set of associated capabilities that specify precisely what a user account with that user role can do.
As I said, most people are familiar with the default admin account (which, for security reasons, they should remove). The account with the username “admin” is not particularly special in itself, it is a user account like any other, but it is given the user role “Administrator”, which has a broad range of capabilities associated with it. The Administrator user role is one of six that are predefined within WordPress.
The six user roles are:
- Super Admin — This roles is used in multisite installations and denotes a user that has access to the administration features of all sites in a network.
- Administrator — Is able to perform all administrative capabilities for a single site.
- Editor — Can publish and manage the posts of all users, but doesn’t have access to other administrator capabilities.
- Author — Can write and publish their own posts.
- Contributor — can write their own posts, but can’t publish.
- Subscriber — The lowest access level. Subscribers can only manage their own profile.
Adding New Users In WordPress
There are too many capabilities to detail in depth in this article, but they encompass almost every aspect of WordPress administration and publishing. To see the full range, take a look at the capabilities article in the WordPress Codex.
As you can see from the list of user roles, the default setup is appropriate for blogging and other publishing sites, but not so suitable for many other business situations.
Fortunately, it’s possible to create additional user roles and associate them with a set of capabilities. This creates a very powerful way of giving precisely selected sets of abilities to different groups of users.
Managing User Roles
WordPress itself doesn’t offer a very intuitive interface for managing user roles beyond the default set, but there are plugins that provide a straightforward interface into the user roles API. Capability Manager Enhanced implements an easy-to-use interface for creating WordPress roles and changing their capabilities.
Managing User Roles With Capability Manager Enhanced
When Should You Use WordPress Roles?
One of the worst mistakes a website owner can make is to simply give everyone an Administrator account. That is extremely insecure. Each user should only be given the access they need to accomplish the tasks they are entrusted with.
For the most part, using the default set of user roles is sufficient. But, if you find that those roles don’t fit the way your site or business works or lead to you giving more permissions than are absolutely necessary — giving editors administrator roles just so they can run updates, for example — then creating new roles that better fit your needs will ensure that your site remains secure without limiting necessary access.