One of the essential features of WordPress is user roles. They determine user permissions and control user access to the website content. If you have writers or site developers other than yourself, understanding user roles helps maintain website security.
Perhaps you have contributors who write guest posts on your site. Maybe you have regular authors that you trust to publish articles. All of their access is controlled through the use of roles.
In this article, I’ll show you how to configure WordPress roles. I’ll also introduce a plugin that allows you to edit existing roles and create new ones. As a result, you’ll be able to govern who does what on your website precisely.
Understanding WordPress Roles and Permissions
User roles and permissions control who can do what on your website. Every user registration is potentially different. You want to be familiar with user roles so you can allow users sufficient access without making everyone an administrator.
User roles should include only the permissions necessary for the role, nothing more. You don’t want an author, whose only task is writing, to have administrator permissions. It’s unnecessary, confusing for the author, and potentially disruptive or destructive. Someone with too much access can be accidentally harmful; there doesn’t have to be any malicious intent.
Roles provide a way to restrict access to critical site tools. In most cases, only administrators need access to site configuration, plugins, and themes. Authors and other contributors don’t need access to site configuration tools or features. So make sure they don’t have it.
User roles can be changed or modified to grant or remove permissions. I’ll show you how it’s done in a minute.
The Default WordPress User Roles
When you install WordPress, several user roles are created by default.
- Subscriber: Has read access and minimal control of their own profile.
- Contributor: Has read, delete, and edit permissions for their own posts, but not the ability to publish.
- Author: Has full control of their own posts without the ability to create new categories.
- Editor: Has full control of the content areas of the site, such as adding and deleting posts.
- Administrator: Has complete control of the WordPress system.
There is also a “Super Admin” role that you’ll see if you use the WordPress Multisite feature. In a single-site WordPress installation, Administrators have the same permissions as the Multisite “Super Admin.”
Installing plugins may create additional user roles. For example, eCommerce plugins might include roles such as “Shop Vendor” or “Shop Manager.”
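The check below is an added example, not part of the original article: it lists every role other than Administrator that holds a capability for site configuration, plugins, themes or user accounts, which is how you spot an over-privileged role that a plugin has added. The function name, the capability shortlist and the sample data (including the "store_helper" role) are assumptions made for illustration.

```php
<?php
// Core capabilities that control settings, plugins, themes and user accounts.
// The shortlist is an assumption for this example; extend it for your site.
const SENSITIVE_CAPS = array(
    'manage_options', 'install_plugins', 'activate_plugins', 'edit_plugins',
    'switch_themes', 'edit_themes', 'edit_users', 'promote_users',
);

/**
 * Return a map of role slug => sensitive capabilities that role grants.
 * $roles has the shape of wp_roles()->roles:
 *   slug => array( 'name' => ..., 'capabilities' => array( cap => bool ) )
 * Roles listed in $allowed are expected to hold these capabilities.
 */
function find_overprivileged_roles( array $roles, array $allowed = array( 'administrator' ) ): array {
    $findings = array();
    foreach ( $roles as $slug => $role ) {
        if ( in_array( $slug, $allowed, true ) ) {
            continue;
        }
        // A capability stored with the value false is an explicit deny, so drop it.
        $granted = array_keys( array_filter( $role['capabilities'] ?? array() ) );
        $risky   = array_values( array_intersect( SENSITIVE_CAPS, $granted ) );
        if ( $risky ) {
            $findings[ $slug ] = $risky;
        }
    }
    return $findings;
}

// Inside WordPress, read the live roles; otherwise fall back to constructed sample data.
$roles = function_exists( 'wp_roles' ) ? wp_roles()->roles : array(
    'administrator' => array( 'name' => 'Administrator', 'capabilities' => array( 'manage_options' => true, 'install_plugins' => true ) ),
    'editor'        => array( 'name' => 'Editor', 'capabilities' => array( 'read' => true, 'edit_others_posts' => true ) ),
    'author'        => array( 'name' => 'Author', 'capabilities' => array( 'read' => true, 'edit_themes' => false ) ),
    // Hypothetical plugin-created role, not taken from any real plugin.
    'store_helper'  => array( 'name' => 'Store Helper', 'capabilities' => array( 'read' => true, 'manage_options' => true, 'edit_users' => true ) ),
);

foreach ( find_overprivileged_roles( $roles ) as $slug => $caps ) {
    printf( "%s: %s\n", $slug, implode( ', ', $caps ) );
}
```

Run it against a live site with WP-CLI's `wp eval-file`, or directly with `php` to see the result for the sample data.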
How to Set WordPress Roles and Permissions
Changing the role of a user is a simple process.
In the left column navigation, mouse over the “Users” link and click the “All Users” link.
The Users page shows a list of everyone registered on your website. To the right of each name, you’ll see their role in the “Role” column.
Mouse over the user you wish to change and click the “Edit” link.
On the “Edit User” page, you’ll see several available options. You can remove the Visual Editor for the user, change the color scheme, etc. But we want to change the role, so go to the “Role” drop-down and choose the new role.
You cannot change your own role.
Scroll to the bottom of the page and click the “Update User” button.
Certain plugins add their own permission settings that you may want to consider when setting permissions on your site. For instance, Yoast SEO includes the ability to block a user from accessing the analysis part of the plugin in a post or page.
How to Create Custom User Roles in WordPress
The strength of WordPress lies in its ability to be customized to suit any site owner’s needs. Whether you want to add custom styles to the editor or fine-tune the website appearance, the possibilities seem endless.
So with that in mind, understand that you don’t have to settle for the default WordPress roles. Using the PublishPress Capabilities plugin gives you the ability to customize user controls.
Installing the PublishPress Capabilities Plugin
Log in to your WordPress admin panel.
In the left column navigation, mouse over the “Plugins” link and click the “Add New” link.
In the “Search plugins…” box, enter “PublishPress Capabilities.”
When you find the plugin, click the “Install Now” button.
Now the plugin is installed, but it has to be activated before you can use it.
Click the “Activate” button.
That’s all there is to it. Now let’s put the plugin to work.
Configuring PublishPress Capabilities
In the left column navigation, mouse over the “Capabilities” link and click the “Capabilities” link.
The two ways you’ll most likely use the plugin are to change existing roles and to create new roles.
Changing an Existing WordPress User Role
First, choose the role you want to edit from the “Select role to view/edit” drop-down.
Check the box for each permission you want to add, and uncheck the box for each permission you want to remove.
When you have the role configured as you’d like, click the “Save Changes” button.
Creating a New WordPress User Role
The coolest feature of the PublishPress Capabilities plugin is the ability to create new WordPress user roles.
You can’t edit permissions on a per-user basis, but by creating a new role just for a specific user, you can essentially do the same thing: set custom permissions for a single user (or group of users).
To create a new user role, go to the “Create New Role” section, and enter a name into the field. Whichever users you add to this role will see the name, so keep that in mind.
Click the “Create” button.
The new role is created, and you’re brought to the familiar “Role Capabilities” page. Check the box for each permission you want to grant to the new role.
Click the “Save Changes” button to save the new user role configuration.
Now you can edit any users that you want to have the new role (as we did in the “How to Set WordPress Roles and Permissions” section).
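The same result can be reached in code with WordPress's own role functions. The small plugin below is an added example, not part of the original article or of PublishPress Capabilities: it creates a role that starts from the built-in Contributor capabilities and grants one extra permission. The role slug "guest_writer", its display name and the choice of `upload_files` are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Guest Writer Role (added example)
 */

// Hypothetical role slug used only in this example.
const GW_ROLE = 'guest_writer';

// Build the capability set: Contributor's capabilities plus media uploads.
function gw_capabilities(): array {
    $base = get_role( 'contributor' );
    $caps = $base ? $base->capabilities : array( 'read' => true );
    $caps['upload_files'] = true; // the single extra permission this role gets
    return $caps;
}

// Roles are stored in the database, so create or repair the role once,
// on plugin activation, rather than on every page load.
function gw_install_role(): void {
    $wanted = gw_capabilities();
    $role   = get_role( GW_ROLE );

    if ( null === $role ) {
        add_role( GW_ROLE, 'Guest Writer', $wanted );
        return;
    }

    // The role already exists: remove anything granted beyond the intended
    // set, then make sure every intended capability is present.
    foreach ( array_keys( $role->capabilities ) as $cap ) {
        if ( empty( $wanted[ $cap ] ) ) {
            $role->remove_cap( $cap );
        }
    }
    foreach ( $wanted as $cap => $grant ) {
        $role->add_cap( $cap, $grant );
    }
}
register_activation_hook( __FILE__, 'gw_install_role' );
```

Because the role lives in the database, it remains after the plugin is deactivated; `remove_role()` deletes it when it is no longer needed.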
Now You Know More About WordPress User Roles
Taking a close look at user roles in WordPress will give you a sense of control, knowing who can do what. And knowing how to tailor those roles to individuals makes your life as a WordPress administrator much more manageable.
As I mentioned, incorrect permissions in the wrong hands can cause damage. The “wrong hands” are those of any user who doesn’t need to have the permission. Make sure only trusted users have administrative permissions.
If you inherited a site with multiple users, you might want to set everyone back to a role with low-level permissions and start over, granting more advanced roles to the users who need them.
How many users do you have using your website? What tools would you give to those who register an account?