WordPress User Roles and Permissions: The Essential Guide

Dan Knauss

WordPress user roles and permissions offer access controls and privileges for your WordPress website. From Super Admin to Subscriber, every WordPress user who logs in to your website has a specific set of permissions or capabilities assigned.

But how familiar are you with WordPress user roles, what each means, and why it’s important that you use each correctly? You’re not alone if you don’t yet fully grasp user roles within the WordPress platform. Many WordPress site owners don’t take full advantage of the power of WordPress user roles and permissions while managing their sites.

This guide will cover everything you need to know to understand WordPress user roles and permissions. Let’s take a deeper look.

What Are WordPress User Roles?

WordPress user roles define the level of access and specific capabilities granted to a logged-in user.

A capability is a specific function or a set of actions a user can take. Each WordPress user role is clearly defined, so there are no misunderstandings about what each user role can access and the tasks they can perform.

Within a new WordPress site, you’ll see six user roles you can select from for each new user you add to your website. The user role you choose for each individual user depends on the level of permission and access you want them to have on your site.

For example, a WordPress user role defines capabilities such as:

  • Who can manage comments
  • Who can write blog posts
  • Who can add pages
  • Who can install or update plugins or themes
  • Who’s allowed to add new users
  • Which team members can delete spam

While you may have ignored WordPress user roles and permissions up until now, the truth is that understanding each role is essential, no matter if you’re in charge of a corporate website, news magazine, or running a personal blog.

The Six Basic WordPress User Roles

The six main WordPress user roles available in WordPress are:

  1. Super Administrator (for WordPress multisite networks)
  2. Administrator
  3. Editor
  4. Author
  5. Contributor
  6. Subscriber

When adding a new user in WordPress, you’ll see the role options in a drop-down menu.

Before we go any further, let’s look at each in detail.

1. Super Administrator

The Super Administrator role in WordPress is reserved for WordPress multisite networks. Individuals assigned to a Super Administrator role have full responsibilities for all sites within the network and can manage all site features within each site.

Super Administrators have the power to delete other users (even Administrators), so it’s important to only assign this role to team members that you really trust. A Super Administrator can impact (negatively or positively) many parts of your business, including your network and the other users that run your site.

A WordPress Super Admin can also create new websites, manage themes and plugins across the multisite network, and add, manage, or delete content on every site. The Super Administrator controls the network with all settings and security issues. The first user setting up the multisite network is the default Super Admin.

Just note that WordPress multisite networks are one of the most advanced ways of using WordPress as a content management system. If you don’t have a multi-site network, you won’t need to use the Super Administrator role for any of your users.

If you manage multiple WordPress sites, save more time managing users and WordPress updates with Solid Central.

WordPress Super Admin User Role Tips

  • Within a WordPress multisite network, keep the organization of your user roles simple. A single user with just a couple of sites only needs the default Super Admin. As the organization grows, create meaningful user roles for employees.
  • There are many ways to configure a WordPress multisite network and its users. If you are an agency or freelancer with multiple sites, assign each client the Administrator or Editor role for a specific site.
  • Concentrate on WordPress user security checks from the first login. WordPress is a favorite target for experienced hackers, and sophistication is growing in cybercrime. Browser fingerprinting is also a rising threat to privacy.
  • Control network-wide settings with caution. Plan the new user registrations and welcome emails with care.

2. Administrator

In a single WordPress installation, the Administrator user role has full access to every feature within the site. For most site owners, the WordPress Administrator role is the most significant user role in WordPress.

The site Administrator role is almost always assigned to the website owner and/or the main developer and has access to all of the WordPress features, settings, and options. The Administrator is King and Chief of your WordPress site for all intents and purposes. That’s why having a good handle on the responsibilities of being a WordPress admin is a good idea.

The WordPress administrator role has full access to add and edit posts and pages, change or update site settings, add and install themes and plugins, and more.

The WordPress Administrator role can also update WordPress core, along with any plugins and themes installed on the site. The WordPress update process is an area that needs to be approached with caution; a single mistake can take down the site.

The Administrator is also in charge of assigning user roles and permissions to other users. The Administrator user role can modify users and their permissions, another function to handle with care.

Administrator Capabilities Explained

  1. Site-Wide: Update WordPress core files, manage all settings, manage HTML and JavaScript code for all users
  2. Plugins: install, edit, and delete
  3. Themes: install and switch, edit widgets and menus, access the customizer
  4. Users: create, edit, and remove
  5. Posts and Pages: add new, publish, and manage taxonomies

Administrator User Tips

  • Limit the number of users given the Administrator user role. Ideally, there should only be one user who controls the WordPress installation.
  • Your WordPress security begins and ends with the WordPress Administrator user role. Since WordPress administrators have full access to all things on the site, a WordPress admin needs a very secure WordPress login. This means using a strong password, two-factor authentication, or even a passwordless login feature provided by a WordPress security plugin like Solid Security Pro.
  • WordPress admins must keep WordPress core files updated and secure. Administrators are also responsible for updating plugins and themes, an important part of effective WordPress security and maintenance.

3. Editor

The Editor user role in WordPress manages and creates content for your WordPress site. An Editor can create, delete, and edit any site content, including content produced by other users with permissions equal to or lower than an Editor.

Editor users manage all site edits and approve/schedule content submitted by Contributors and Authors. However, an Editor cannot access plugins, widgets, or WordPress settings, and cannot add or remove users.

An Editor’s job involves one major thing: content. And that’s all they can access in the WordPress dashboard. Editors can also manage site categories and add or delete custom tags. Changing taxonomies and uploading files to the site are other responsibilities of the Editor role. Editors also have full control of comments. They can moderate, approve, or delete any comment.

Who Should Have the Editor User Role?

The Editor role should go to someone Administrators trust. Roles can be tweaked throughout WordPress; if needed, permissions of the Editor role can be reduced or changed as trust is gained.

  • The manager of a content team or online publication
  • Marketing managers responsible for content
  • Small business owners can wear both hats (Administrator and Editor user roles)

Editor vs. Author

New users may see WordPress Editors and Authors in the same light. In many ways, they are. However, there are differences.

  • Pages: Editors can access all pages with permission to add, edit, or delete. Authors have no such access
  • Content: Editors have access to all content on the site. In a multisite network, only single-site permissions are given to Editors. Editors can delete or edit all content. Authors have access to edit or delete only the content they have produced.

4. Author

As you probably suspected, the Author user role in WordPress has the ability to write, draft and publish new content on your site. They also have access to content in your WordPress media library. They’ll need this level of access to produce great blog posts.

The Author user role is normally assigned to new associates that you hire to focus on pushing out great content. Authors have a limited set of permissions within a WordPress installation. They can add, edit, or delete their own content, but have no access to other users’ content or to site settings. Author roles can be as extensive or limited as the Editor or Administrator allows. Authors have permission to upload content and images.

The Author role also has the power to edit reader comments. However, they can only edit comments that are left on their posts.

Authors won’t be able to access posts or pages created by other users. They also can’t add plugins, create any new categories, change site settings or do anything else that will impact site performance.

Who Should Have the Author User Role?

  • Organizations that have dedicated content creation or marketing teams such as reporters, public relations, company spokespeople
  • Any company that distributes information — such as a news channel, or sports companies — should give reporters the Author role. Additional permissions can be given on an as-needed basis

A Note of Caution For the Author Role

  • Be cautious about giving the user role of Author to someone who is not in your employ or who is untrustworthy. If they create a lot of content and then leave the company, the Author can delete every bit of content if you do not quickly disable or demote their privileges.
  • It is always a best practice to delete ANY Author user role leaving the site and reassign the content to another Author. If a user is leaving with plans to return, change the password immediately and take away any granted permissions. Reinstate the role when the user returns.

5. Contributor

The Contributor user role can write blog posts or articles but can’t publish them. When they complete a draft, it goes into the draft section for an Administrator or Editor to review before publishing.

The Contributor user role has very few permissions in a WordPress installation. The default permission is the ability to submit content for review. Contributors cannot publish the content or upload any associated images. Only an Editor or an Administrator can publish the content. Once the content is published, a Contributor no longer has access to that content.

Contributors submit their content to either an Administrator or Editor for review. Here is an overview of the post-submit and approval process:

  1. Contributors write their content in the WordPress Editor and, when they’re finished, click the “Submit for Review” button.
  2. Editors or an Administrator log into WordPress and locate the post among those pending approvals.
  3. The post is edited for grammatical errors, and images should be inserted at this stage. The Admin or Editor then clicks the “Publish” button.
  4. The Administrator or Editor must make any future edits or changes because the original Contributor can no longer access the post.

A Contributor also won’t have any access to the WordPress media library. Adding photos, images, or videos to an article submitted by a Contributor will be up to an Admin or Editor.

Those assigned permissions as a Contributor also can’t delete, alter, or approve user comments.

Who Should Have the Contributor User Role?

Do you have community members who contribute articles and content to your site? Do you allow guest posts? If so, Contributor is the role you’d assign them.

  • Writers outside the organization who can contribute to the blog
  • Entry-level content writers that need heavy editing should be contributors

Contributor vs. Author

  • Publishing content: Authors have permission to publish and edit their content and no other. Contributors can only submit their posts for review. Once a Contributor’s content is published, only the Administrator or Editor can edit the piece
  • Media and images: Contributors have no access to images or media. Authors can upload and edit their media

6. Subscriber

The Subscriber role is the most bare-bones user role you can assign to someone on your WordPress site. In fact, WordPress uses this role as the default one for all new site users.

You can think of the Subscriber role as being like one of your social media followers. Basically, a Subscriber follows your blog and wants to be a part of it.

Subscriber Capabilities

There are two main permissions for the WordPress Subscriber role. They can view their profile and view the dashboard. Subscribers have no permission to edit content or any WordPress site settings.

Depending on the overall functionality of your site, a Subscriber may be able to interact with other users and Subscribers, but they don’t have any access to your WordPress dashboard or editing tools.

Subscribers can be used as an inclusionary or entry-level access tool for marketing purposes. By default, Subscribers have no access to site settings or content, making the role inherently safe.

Who Should Have the Subscriber User Role?

As a marketing tool, the Subscriber role is a perfect entry point to your site. Subscribers have the most restrictive role; however, it gives the person a profile, which is all a person needs to feel included.

WordPress User Role Comparison Chart

Below is a comparison chart of WordPress user roles and their capabilities.

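| Capability | Super Admin* | Administrator | Editor | Author | Contributor | Subscriber |
|---|---|---|---|---|---|---|
| Create sites | Y | N | N | N | N | N |
| Delete sites | Y | N | N | N | N | N |
| Manage network | Y | N | N | N | N | N |
| Manage sites | Y | N | N | N | N | N |
| Manage network users | Y | N | N | N | N | N |
| Manage network plugins | Y | N | N | N | N | N |
| Manage network themes | Y | N | N | N | N | N |
| Manage network options | Y | N | N | N | N | N |
| Upload plugins | Y | Y (single site) | N | N | N | N |
| Upload themes | Y | Y (single site) | N | N | N | N |
| Upgrade network | Y | N | N | N | N | N |
| Setup network | Y | N | N | N | N | N |
| Activate plugins | Y | Y (single site or enabled by network setting) | N | N | N | N |
| Create users | Y | Y (single site) | N | N | N | N |
| Delete plugins | Y | Y (single site) | N | N | N | N |
| Delete themes | Y | Y (single site) | N | N | N | N |
| Delete users | Y | Y (single site) | N | N | N | N |
| Edit files | Y | Y (single site) | N | N | N | N |
| Edit plugins | Y | Y (single site) | N | N | N | N |
| Edit theme options | Y | Y | N | N | N | N |
| Edit themes | Y | Y (single site) | N | N | N | N |
| Edit users | Y | Y (single site) | N | N | N | N |
| Export | Y | Y | N | N | N | N |
| Import | Y | Y | N | N | N | N |
| Install plugins | Y | Y (single site) | N | N | N | N |
| Install themes | Y | Y (single site) | N | N | N | N |
| List users | Y | Y | N | N | N | N |
| Manage options | Y | Y | N | N | N | N |
| Promote users | Y | Y | N | N | N | N |
| Remove users | Y | Y | N | N | N | N |
| Switch themes | Y | Y | N | N | N | N |
| Update core | Y | Y (single site) | N | N | N | N |
| Update plugins | Y | Y (single site) | N | N | N | N |
| Update themes | Y | Y (single site) | N | N | N | N |
| Edit dashboard | Y | Y | N | N | N | N |
| Customize | Y | Y | N | N | N | N |
| Delete site | Y | Y | N | N | N | N |
| Moderate comments | Y | Y | Y | N | N | N |
| Manage categories | Y | Y | Y | N | N | N |
| Manage links | Y | Y | Y | N | N | N |
| Edit others post | Y | Y | Y | N | N | N |
| Edit pages | Y | Y | Y | N | N | N |
| Edit others pages | Y | Y | Y | N | N | N |
| Edit published pages | Y | Y | Y | N | N | N |
| Publish pages | Y | Y | Y | N | N | N |
| Delete pages | Y | Y | Y | N | N | N |
| Delete others pages | Y | Y | Y | N | N | N |
| Delete published pages | Y | Y | Y | N | N | N |
| Delete others posts | Y | Y | Y | N | N | N |
| Delete private posts | Y | Y | Y | N | N | N |
| Edit private posts | Y | Y | Y | N | N | N |
| Read private posts | Y | Y | Y | N | N | N |
| Delete private pages | Y | Y | Y | N | N | N |
| Edit private pages | Y | Y | Y | N | N | N |
| Read private pages | Y | Y | Y | N | N | N |
| Edit published posts | Y | Y | Y | Y | N | N |
| Upload files to media library | Y | Y | Y | Y | N | N |
| Publish posts | Y | Y | Y | Y | N | N |
| Upload files to the media library | Y | Y | Y | Y (if author) | N (if author) | N |
| Edit posts | Y | Y | Y | Y (if author) | Y (if author) | N |
| Delete posts | Y | Y | Y | Y (if author) | Y (if author) | N |
| Read pages and posts | Y | Y | Y | Y | Y | Y |

*Super Admin is a user role only in WordPress Multisite Networks.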

How Do I Add a New User in WordPress?

Adding a new user in WordPress requires that you be an Admin user. From there, adding a new user in WordPress is straightforward. This is where you will initially assign the user a role and permissions.

Of course, as an Administrator, you can always change the user’s role later if it suits your needs better. More on that in a minute.

The steps to add a new user to your WordPress site are as follows:

1. Log in to the WordPress Admin dashboard: https://examplesite.com/wp-admin.

2. Click on the Users menu item in your WordPress Admin dashboard menu, then click Add New.

3. Enter the new user’s name, email address, first and last name, and website. (Only the email is required.)

4. Select the user role as defined above.

5. Click the checkbox in front of “send the new user an email about their account.”

6. Click the Add New User button to add the new user.

Repeat these steps for each new user, paying close attention to the user roles and permissions you assign to each.

Tips For Adding New WordPress Users

Author, Contributor, and Subscriber roles are straightforward in their creation and permissions. The Super Admin, Administrator, and Editor positions can be a major area of strength for the organization if carefully considered and plotted out.

  • Multi-site installations should have only one Super Admin, regardless of the number of sites in the network. Super Admins are responsible if there is a security, user, or core file issue. Security should be on the mind of every person involved with a website, but having multiple Super Admins can wreak havoc.
  • Designate a single Administrator or Editor for each additional site in a multisite network. If there are hundreds of virtual sites, give Administrators or Editors more than one site to manage.
  • Freelance web developers or agencies selling sites should give Administrator duties to each site owner but strictly forbid access to any network setting.

How Do I Find User Roles in WordPress?

For existing users, you may want to look into the user roles that are currently assigned. After all, some of these roles may have been assigned before you thoroughly understood WordPress user roles and permissions.

Now is the time to verify your currently assigned user roles.

To do this, simply follow these steps:

1. Log in to the WordPress admin dashboard.

2. In your WordPress admin dashboard, click on the Users section, then click All Users.

3. View the list of all of your current users.

4. Next to the Email column, you’ll see Role. This is the user role assigned to each site user.

Now that you know the role assigned to each user, perhaps you want to make a few assignment adjustments.

How Do I Change User Roles in WordPress?

A WordPress user role change is immediate, and the user will be notified by email of their new role on your site.

To change a WordPress user role, follow steps 1-4 above. Once you’re viewing the list of all of your site users, you’ll want to:

1. Hover over the name of the user you want to update. Upon hovering over the selected user, you’ll get edit options presented to you.

2. After clicking to edit, you can change fields such as name, email, and website. You cannot, however, change a username here.

3. At the bottom of the user profile, you’ll see a dropdown menu that allows you to change/select the user role.

4. Choose the new user role.

5. Save the user profile.

The role and permission changes are implemented by WordPress the instant you save them.

How Do I Delete An Existing User?

There will probably be times when a user needs to be removed completely from your site.

Perhaps you hired a temporary freelance Editor to provide editing services for your site over two months. When the two-month time period expires, and the contract is up, you no longer want the freelancer to have access to your site.

To delete this user and remove all their permissions to your website, follow steps 1-4 above to find a user.

After you locate the user that will be deleted, hover over their name and click on the delete option.

After you confirm the deletion, the user will be notified via email that they have been removed from your site. They’ll no longer have any credentials to log in.

It’s important to note that you cannot delete yourself or other Administrators (unless you’re a Super Administrator on a multi-site account).

How Do I Manage User Roles in WordPress?

How you manage user roles and permissions on your WordPress site is completely up to you. After all, who knows your team members’ abilities and limitations as well as you do?

Before you choose the appropriate roles for each user on your site, step back and ask yourself a series of questions about them.

  • Can the user be trusted to manage your WordPress dashboard?
  • Do you trust the user to organize the content on your site correctly?
  • Do you need to review the user’s posts before they get published? Or do you trust their judgment?
  • Should the user be able to edit and publish posts from other users?

Before assigning a new user to the Administrator role, they must thoroughly understand the WordPress platform.

WordPress User Security

The security of the users on your website matters. A lot! Why? A single Admin user with a weak password could undermine all other website security measures you have implemented. That is why it is critical to audit the security strength used by the Administrator and Editor users on your website.

The Solid Security Pro plugin’s User Security Check allows you to quickly audit and modify 5 critical elements of user security:

  1. Two-Factor Authentication Status
  2. Password Age & Strength
  3. Last Time Active
  4. Active WordPress Sessions
  5. User Role

In addition, the Solid Security Pro plugin has a ton of tools that you can use to increase the WordPress user security on your website. Solid Security Pro’s Passkeys, Two-Factor Authentication, and Password Requirements features protect your WordPress users from almost all automated bot attacks.

However, these user security tools are only effective if the users on your website are actually using them.

7 Tips to Secure Your WordPress Users

Let’s look at what you can do to secure your WordPress users. The truth is that these security methods will help secure every type of WordPress user. But, as we go through each method, we will let you know which users should be required to use it.

1. Only Give People the Capabilities They Need

The easiest way to protect your website is by only giving your users the capabilities they need and not anything more. If the only thing someone will do on your website is to create and edit their blog posts, they don’t need the capability to edit other people’s posts. They should be Authors or Contributors.
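
To check this tip against a live site, the script below lists every user who effectively holds capabilities that the comparison chart reserves for Administrators and Super Admins. It is an added example, not code from the original article or from Solid Security; the function name, the file name `audit-caps.php` and the selection of capabilities are assumptions, and it is meant to be run with WP-CLI (`wp eval-file audit-caps.php`).

```php
<?php
// Added example: least-privilege audit. Run with: wp eval-file audit-caps.php
// Function name, file name and the capability selection are this example's own.

/**
 * Return one row per user who effectively holds any of $risky_caps.
 */
function example_find_privileged_users( array $risky_caps ) {
	$rows = array();

	// On multisite, get_users() lists members of the current site only;
	// repeat the run per site with WP-CLI's global --url parameter.
	foreach ( get_users() as $user ) {
		// user_can() evaluates the effective capability: every role the user
		// has, capabilities granted to the account directly, Super Admin
		// status, and the restrictions WordPress applies on multisite.
		$held = array();
		foreach ( $risky_caps as $cap ) {
			if ( user_can( $user, $cap ) ) {
				$held[] = $cap;
			}
		}
		if ( ! $held ) {
			continue; // Nothing sensitive on this account.
		}

		$roles    = (array) $user->roles;
		$is_super = is_multisite() && is_super_admin( $user->ID );
		$is_admin = in_array( 'administrator', $roles, true );

		$rows[] = array(
			'login'       => $user->user_login,
			'roles'       => $roles ? implode( ',', $roles ) : '(none)',
			'super_admin' => $is_super ? 'yes' : 'no',
			'risky_caps'  => implode( ',', $held ),
			// A non-admin holding these capabilities got them from a custom
			// role, a plugin, or a per-user grant, which deserves a closer look.
			'finding'     => ( $is_admin || $is_super )
				? 'expected for role; confirm the account is still needed'
				: 'granted outside the Administrator role; review',
		);
	}

	return $rows;
}

// Capabilities that allow running code, changing accounts or changing settings.
$rows = example_find_privileged_users(
	array(
		'install_plugins',
		'activate_plugins',
		'edit_plugins',
		'edit_themes',
		'edit_files',
		'create_users',
		'edit_users',
		'promote_users',
		'delete_users',
		'manage_options',
		'update_core',
	)
);

if ( defined( 'WP_CLI' ) && WP_CLI ) {
	if ( $rows ) {
		\WP_CLI\Utils\format_items(
			'table',
			$rows,
			array( 'login', 'roles', 'super_admin', 'risky_caps', 'finding' )
		);
	} else {
		\WP_CLI::log( 'No users hold the listed capabilities.' );
	}
}
```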

2. Limit Login Attempts

Brute force attacks refer to a trial and error method to discover valid username and password combinations and hack into a website. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make.

Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.

The Solid Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by IP addresses and usernames. Once an IP or username has made too many consecutive invalid login attempts, they will get locked out and will be prevented from making any more login attempts.
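
The lockout behaviour described above (counting consecutive failures per IP address and per username, then refusing further attempts) can be sketched with WordPress's own login hooks. This is an added example, not Solid Security's implementation or part of the original article; the `example_` names, the threshold of 5 failures and the 15-minute lockout are assumptions.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter (added example)
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );   // Assumed threshold.
define( 'EXAMPLE_LOCKOUT_SECS', 900 ); // Assumed lockout window: 15 minutes.

// Transient names for the two things being tracked: client IP and username.
function example_tracked_keys( $username ) {
	$keys = array();
	// REMOTE_ADDR is the reverse proxy's address if the site sits behind one;
	// in that case take the client address from a header your proxy sets.
	if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
		$keys['ip'] = 'example_fail_ip_' . md5( $_SERVER['REMOTE_ADDR'] );
	}
	if ( '' !== (string) $username ) {
		$keys['user'] = 'example_fail_user_' . md5( strtolower( $username ) );
	}
	return $keys;
}

// Count each real failure against both the IP and the username that was tried.
function example_record_failure( $username, $error = null ) {
	// Attempts rejected by the lockout itself are not counted again, so the
	// lockout ends a fixed time after the last genuine failure.
	if ( is_wp_error( $error ) && 'example_locked_out' === $error->get_error_code() ) {
		return;
	}
	foreach ( example_tracked_keys( $username ) as $key ) {
		// Transients are not atomic; parallel requests can undercount slightly.
		set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECS );
	}
}
add_action( 'wp_login_failed', 'example_record_failure', 10, 2 );

// Runs after WordPress's own password check (priority 20) and overrides its
// result, so a locked-out client is refused even with the correct password
// and learns nothing about whether a guess was right.
function example_enforce_lockout( $user, $username ) {
	foreach ( example_tracked_keys( $username ) as $key ) {
		if ( (int) get_transient( $key ) >= EXAMPLE_MAX_FAILURES ) {
			return new WP_Error(
				'example_locked_out',
				'Too many failed login attempts. Try again later.'
			);
		}
	}
	return $user;
}
add_filter( 'authenticate', 'example_enforce_lockout', 100, 2 );

// "Consecutive" failures: a successful login resets the username counter.
// The IP counter is left to expire on its own; otherwise someone with one
// valid low-privilege account could log in between guesses to reset it.
function example_clear_user_failures( $user_login ) {
	$keys = example_tracked_keys( $user_login );
	if ( isset( $keys['user'] ) ) {
		delete_transient( $keys['user'] );
	}
}
add_action( 'wp_login', 'example_clear_user_failures' );
```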

3. Secure WordPress Users with Strong Passwords

The stronger your WordPress user account password is, the harder it is to guess. It takes 0.29 milliseconds to crack a seven-character password. But, a hacker needs two centuries to crack a twelve-character password!

Ideally, a strong password is a twelve-character alphanumeric string. The password should contain upper and lower case letters and other ASCII characters.

While everyone can benefit from a strong password, you may only want to force people with Author level capabilities and above to have strong passwords.

The Solid Security Pro Passwords Requirement feature allows you to force specific users to use a strong password.

4. Refuse Compromised Passwords

Hackers often use a form of brute force attack called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords found in database dumps. The infamous “Collection #1” Data Breach hosted on MEGA is an early example. It included 1,160,253,228 unique combinations of email addresses and passwords. That is a billion with a ‘B.’

It is a must to prevent users with Author level capabilities and above from using compromised passwords. You may also consider not letting your lower-level users use compromised passwords.

It is completely understandable and encouraged to make creating a new customer account easy. However, your customer may not know that their password has been found in a data dump. You would save your customer a lot of grief by alerting them that their password has been compromised. If they use that password everywhere, you could save them from major problems.

The Solid Security Pro Refuse Compromised Passwords feature forces users to use passwords that have not appeared in any password breaches tracked by Have I Been Pwned.
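
A check against Have I Been Pwned does not require sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns the matching hash suffixes with their breach counts. The plugin below is an added example, not Solid Security's code or part of the original article; the `example_` names, the Author-level cutoff via `publish_posts`, and the choice to allow the password when the lookup fails are assumptions.

```php
<?php
/**
 * Plugin Name: Example refuse breached passwords (added example)
 */

// Parse a range response (one "SUFFIX:COUNT" per line) and return the count
// for the given 35-character SHA-1 suffix, or 0 if it is not listed.
function example_breach_count_from_range( $range_body, $suffix ) {
	foreach ( preg_split( '/\r\n|\n/', trim( $range_body ) ) as $line ) {
		$parts = explode( ':', trim( $line ), 2 );
		if ( 2 === count( $parts ) && 0 === strcasecmp( $parts[0], $suffix ) ) {
			return (int) $parts[1]; // Padding entries carry a count of 0.
		}
	}
	return 0;
}

// Return the breach count for a password, or null if the lookup failed.
function example_password_breach_count( $password ) {
	$sha1     = strtoupper( sha1( $password ) );
	$prefix   = substr( $sha1, 0, 5 ); // Only these 5 characters leave the server.
	$suffix   = substr( $sha1, 5 );
	$response = wp_remote_get(
		'https://api.pwnedpasswords.com/range/' . $prefix,
		array(
			'timeout' => 5,
			// Asks the API to pad responses so their size reveals less.
			'headers' => array( 'Add-Padding' => 'true' ),
		)
	);
	if ( is_wp_error( $response )
		|| 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	return example_breach_count_from_range( wp_remote_retrieve_body( $response ), $suffix );
}

// Add an error if the password is known to be breached.
function example_maybe_reject_password( WP_Error $errors, $password, $user_id ) {
	// Existing accounts below Author level are exempt in this example;
	// new accounts ($user_id = 0) are always checked.
	if ( $user_id && ! user_can( $user_id, 'publish_posts' ) ) {
		return;
	}
	// WordPress adds slashes to request data; check what the user typed.
	$count = example_password_breach_count( wp_unslash( $password ) );
	// null (lookup failed) and 0 both let the password through: this example
	// fails open so an API outage does not block password changes.
	if ( $count ) {
		$errors->add(
			'example_breached_password',
			sprintf(
				'This password has appeared in known data breaches %s times. Please choose a different one.',
				number_format_i18n( $count )
			)
		);
	}
}

// Profile edits and new users created in the admin screens.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		example_maybe_reject_password( $errors, $user->user_pass, $update ? (int) $user->ID : 0 );
	}
}, 10, 3 );

// The "lost password" reset form.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) && $user instanceof WP_User ) {
		example_maybe_reject_password( $errors, $_POST['pass1'], $user->ID );
	}
}, 10, 2 );
```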

5. Secure WordPress Users with Two-Factor Authentication

Two-factor authentication verifies a person’s identity by requiring two separate verification methods before they can log in. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks. I really like those odds.

At the very least, you should require your Admins and Editors to use two-factor authentication.

The Solid Security Pro Two-Factor Authentication feature provides flexibility when implementing 2FA on your website. You can enable two-factor for all or some of your users and force your high-level users to use 2FA on each login.

6. Limit Device Access to the WP Dashboard

Limiting access to the WordPress dashboard to a set of devices can add a strong layer of security to your website. If a hacker isn’t on the correct device for a user, they won’t be able to use the compromised user to inflict damage on your website.

You should only limit device access to your Admins and Editors.

The Solid Security Pro Trusted Devices feature identifies the devices you and other users use to log in to your WordPress site. When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that even if an attacker can break into the backend of your WordPress site, they won’t be able to make any major changes to your website.

7. Secure WordPress Users from Session Hijacking

WordPress generates a session cookie every time you log into your website. Let’s say that you have a browser extension that has been abandoned by the developer and is no longer releasing security updates. Unfortunately for you, the neglected browser extension has a vulnerability. The vulnerability allows bad actors to hijack your browser cookies, including the earlier-mentioned WordPress session cookie. This type of hack is known as Session Hijacking. So, an attacker can exploit the extension vulnerability to piggyback off your login and start making malicious changes to your WordPress user accounts.

You should have session hijacking protection in place for your Admins and Editors.

The Solid Security Pro Trusted Devices feature makes Session Hijacking a thing of the past. If a user’s device changes during a session, Solid Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.

WordPress User Role Plugins

When you dive into WordPress user role plugins, you’ll find that many of the most popular plugins utilize and manage user roles and permissions outside the six main roles we’ve discussed.

Some plugins allow you to make and assign custom user roles and groups. The plugins we’ll cover here are:

  • bbPress
  • BuddyPress
  • WooCommerce
  • Restrict Content
  • Solid Security

Each of these plugins enables custom user role creation but in different ways.

bbPress

The bbPress plugin is a WordPress discussion forum that requires unique user roles outside the main six offered within WordPress.

The first user role built into the bbPress plugin, Keymaster, sits above the others. Keymasters are similar to the Administrator in WordPress core. Keymasters have access to all tools and settings. They can edit, create, or delete other users’ forums, topics, comments, and replies. The Keymaster is also a forum moderator and manages all tags.

bbPress then offers the Moderator role. This role is responsible for creating, editing, deleting, and moderating forums. They also have full control over user topics and replies. However, a Moderator doesn’t have access to site settings.

A Participant is a member of the community. They can create and edit their topics and replies, but nothing else.

Spectators can only read topics and replies. They can’t reply or get involved in other ways.

Blocked users are ones you simply don’t want in the community any longer.

The bbPress plugin also allows you to make your customized user roles (Pupil and Tutor, for example) by adding code into the codex. You can assign your customized permissions to each role you create. You can also change the names of the existing bbPress user roles.

BuddyPress

BuddyPress is a WordPress community plugin that allows you to build a social network within your website.

You can make private, public, and hidden groups with the BuddyPress plugin. You can then assign user roles to manage your groups.

The Member user role is the default role within BuddyPress. This gets applied to any user who signs up and joins a group. A user with a Member role can submit and post content to the group forums. Sometimes, they can see other group members and send them invites or direct messages.

A BuddyPress Moderator is an upgraded user role with additional permissions, including closing, editing, or deleting topics in the forum. But be careful, because they’ll also be able to do the same with content produced by other plugins you’re running on your WordPress site.

As with the WordPress platform and other plugins, the Administrator role in BuddyPress has full control over groups and settings. An Administrator can change the settings in a group, the group avatar, and manage group members. They can also delete entire groups.

WooCommerce

WooCommerce is a highly popular WordPress plugin to help turn your WordPress site into a robust e-commerce site.

When you install WooCommerce on your site, you’ll instantly have the power to start listing products, posting product images, writing product descriptions, and taking online orders.

As such, WooCommerce offers two user roles outside the standard six in WordPress. These roles are:

  • Customer: any user that signs up on your WooCommerce site or registers with you at checkout. Customers are very similar in permissions to Subscribers.
  • Shop Manager: this person manages the WooCommerce shop but does not have Administrator permissions. They will automatically have Customer permissions but can also manage products listed in the store and view sales reports.

Pretty straightforward stuff.

Restrict Content

The free Restrict Content plugin allows you to set up content restrictions based on custom membership levels, which can be applied to the default WordPress user roles. This can be helpful for controlling who can see content on a WordPress site, based on their membership level and/or WordPress user role.

Use Restrict Content as a WordPress content restriction plugin to:

  • Restrict access to your WordPress site based on user role. Limit access to full content via a simple interface on the post, page, and custom post-type editing screens.
  • Control user access to content based on WordPress user role, access level(s), or membership level(s).
  • Protect sensitive content.
  • Clearly separate public content from private content.
  • Restrict access to entire pages or specific sections.
  • Let users register and log in from the front end of your site.

Solid Security

Solid Security is an excellent WordPress security plugin with many features for securing your WordPress website.

Solid Security offers temporary privilege escalation to give users higher access for a limited time, after which they will lose the extra privileges. This is useful when a user should work on your site in an Administrator capacity for only a short time.

You can also use the Solid Security User Groups feature to save time securing your website. To make it easier to manage user security on your site, Solid Security Pro sorts all of your users into different groups. Your users will be grouped by their WordPress user roles and capabilities by default. Then, you can assign unique login security requirements appropriate to each group.

User Groups
Organize users into security groups with their unique login requirements.

For example, if you are running a WooCommerce site, your site Administrators and Shop Managers could be placed in a common Admin User Group because they have similar capabilities. Similarly, your Subscribers and Customers could be placed in a single User Group.

In Solid Security’s User Groups settings, you will see all your user groups and all the security settings enabled and disabled for each group. You can quickly toggle these settings on and off.

How to Customize WordPress User Roles and Permissions

Beyond the user roles we’ve already discussed, you can add more roles by using plugins designed to allow you to create custom user roles for WordPress. Here are a few plugins and tools to check out.

Solid Central Client Dashboards

Solid Central is a tool to help you manage multiple WordPress sites. With Central, you have one dashboard to perform WordPress admin tasks for all your WordPress websites. Central is especially helpful if you build or maintain websites for clients as a web design agency, marketing agency, or freelancer.

The Solid Central Client Dashboard feature was built to customize how WordPress users see the admin dashboard. It is a way of customizing WordPress user roles and permissions.

For example, if you have a client that you want to make an Administrator, but don’t want to see certain areas of the site, such as themes or plugins, you can accomplish this task with Client Dashboard.

Client Dashboard can be activated per user, and then you can select the WordPress dashboard menu items that user is allowed to see and operate. It’s also a way of following the security principle of least privilege: only show a user and give them access to what they need to perform their role. Nothing extra. It makes their work easier, too.

Build a custom client dashboard for specific users.

User Role Editor

If you want to customize your standard user roles in WordPress, the User Role Editor is a good plugin to look into. The User Role Editor will allow you to create your own roles, permissions, and user capabilities.

You can also use it to change or rename roles or delete them altogether. The plugin has a free and a paid version.

Advanced Access Manager

Whether running a huge WooCommerce store on your site or operating a standard WordPress blog, you may be looking for additional control over managing access to your content.

Advanced Access Manager could be the plugin to help you out. It can be used to set up a restricted member area of your site, utilizing user roles and permissions. It also assists you in managing users in the private sections of your site.

Yoast SEO

The Yoast SEO plugin is a great place to start if your team is focused on improving your content’s SEO (Search Engine Optimization).

This plugin allows you to create two non-standard user roles:

  • SEO Editor
  • SEO Manager

Why are these two new user roles beneficial to you as a WordPress site owner?

Assigning roles within Yoast SEO will empower your team members to do SEO-related work without manually tracking results or asking you to make site changes for them.

As Yoast’s blog says:

“Two new roles, the SEO editor and SEO manager, make for a much more flexible solution when working with multiple people on your site. The Administrator can determine who gets to see and do what, while the users get the tools they need to do their work.”

The Yoast SEO plugin is another tool that puts WordPress user roles and permissions at the forefront of administrative efficiency.
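Because plugins such as bbPress, WooCommerce, and Yoast SEO register roles beyond the core ones, it helps to check what each role can actually do. The following is an added example, not code from any of the plugins above: it lists every non-Administrator role that holds a high-risk core capability, and the function name and the choice of which capabilities count as high-risk are assumptions of this example.

```php
<?php
// Added example: run inside a loaded WordPress, e.g. `wp eval-file audit-roles.php`.

/**
 * Report every non-Administrator role that holds a high-risk capability.
 */
function example_audit_role_capabilities() {
    // Roles stored by WordPress core; any other slug was registered by a plugin or theme.
    $core_roles = array( 'administrator', 'editor', 'author', 'contributor', 'subscriber' );

    // Core capabilities that allow code changes, user management or unfiltered markup.
    $high_risk = array(
        'install_plugins', 'activate_plugins', 'update_plugins', 'edit_plugins',
        'install_themes', 'switch_themes', 'edit_themes', 'edit_files',
        'manage_options', 'create_users', 'edit_users', 'promote_users',
        'delete_users', 'unfiltered_html', 'unfiltered_upload',
    );

    $report = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue; // Expected to hold everything.
        }
        // Capabilities are stored as name => bool; keep only those set to true.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( $high_risk, $granted ) );
        if ( empty( $risky ) ) {
            continue;
        }
        $report[ $slug ] = array(
            'name'         => $role['name'],
            'plugin_added' => ! in_array( $slug, $core_roles, true ),
            'risky_caps'   => $risky,
            'user_count'   => count( get_users( array( 'role' => $slug, 'fields' => 'ID' ) ) ),
        );
    }
    return $report;
}

foreach ( example_audit_role_capabilities() as $slug => $row ) {
    printf(
        "%s (%s, %s, %d users): %s\n",
        $slug,
        $row['name'],
        $row['plugin_added'] ? 'plugin-added' : 'core',
        $row['user_count'],
        implode( ', ', $row['risky_caps'] )
    );
}
```

On a default install the Editor role appears in the report because core grants it `unfiltered_html`; plugin-added roles with a non-zero user count are the ones to review first.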

Wrapping Up: Understanding User Roles and Permissions in WordPress

To recap: The top three management user roles in a WordPress installation have areas of the site specifically designed for that position. Super Admins and Administrators control the dashboard and core files, and the site itself, while Editors control the content manager and other content. Authors and Contributors control only their own content and no other. Subscribers can access only the content and permissions given to the role by the management positions.

After studying the information in this article, you now have a much deeper understanding of user roles and permissions in the WordPress platform. As you can see, the roles you assign to each of your users play a big part in how efficiently you run your website.

But no matter how careful you are in ensuring all user roles are assigned to the best people, sometimes mistakes will happen. For example, when the new employee you just assigned as an Administrator causes your site to crash when activating a new and untested plugin, a WordPress backup plugin like Solid Backups will be an absolute lifesaver. Ensure your backup plugin is installed and activated before a disaster like this happens.

As with other areas of WordPress, properly assigning user roles and permissions will take a little trial and error. But you’ll make more informed decisions with the information you’ve just learned.
