WordPress User Roles Explained

As one of the most popular content management systems in the world, WordPress is used to power millions of sites ranging from small hobby blogs to international news publications.

When first starting out, you’d be forgiven for overlooking the importance of functionality such as ‘user roles’ in Wordpress. However, as your website grows and you wish to allow employees, agencies or guest bloggers to access your website and its content, the ability to control user access can quickly become very important.

In this guide we’ll be covering what user roles are, why they’re important and how to set them up for your website.

What are user roles in WordPress?

(and why you need them)

User management and permissions (sometimes referred to as ‘roles’) come as a standard component of the WordPress content management system.

It essentially allows you to give other people access to your website in a secure way, whereby they have their own username and password as well as a set of permissions which define what actions they can and cannot perform when logged into the backend of your website.

You may be thinking to yourself “can I not just share my login details if I need someone else to make changes to my website?” and yes you can, but this is bad practice and not recommended for several reasons.

The first is that you would be giving someone administrator-level access to your website, allowing them to add, edit and delete anything they want on your site.

In addition to this, if you have multiple users logging in, you will have no way of tracking which user has created which blog post/page on your website - different user accounts makes traceability and accountability infinitely easier.

The final key reason is that if you wish to revoke someone's access to your site in the future, you are able to simply remove their account from the system. In contrast, if everyone shared the same username/password, you would have to change this and then communicate the updated password to all other users!

Inviting users to your WordPress website

Now that you understand the importance of controlling user access in a managed way, let’s look at how this can be setup in WordPress. To view a list of everyone who has access to your site, login to the admin panel and click the ‘Users’ link on the left hand sidebar:

As shown in the above screenshot, you will be presented with a list of your website’s users along with their email address, name, role and the number of posts they have created.

You can edit an existing user by hovering over their profile in the list and clicking ‘edit’. Or to add a new user simply click the “Add New” button at the top of the screen, you will be redirected to a page which looks similar to the following:

FIll out all of the required fields, username and email are mandatory, but I’d also recommend filling out the users first and last name in case your template shows this in an ‘about the author’ section on the posts they create - a common feature among many WordPress themes.

A secure password will also automatically be generated but you can set your own password for the new user if you wish.

You can choose whether the person you are giving access to will get an email notification about their account (using the checkbox) and you can also set their ‘role’ (see more on this in ‘WordPress Levels of Access’ below). Once you click ‘Add New User’ their account will be activated!

WordPress Levels of Access

When adding a new user or editing an existing user, you will be able to set the ‘role’ of that user’s account. This defines certain actions that they can and cannot take. WordPress by default has 5 user roles: ‘Administrator’, ‘Editor’, ‘Author’, ‘Contributor’ and ‘Subscriber’.

As we have WooCommerce installed on this demo site there are also 2 additional ‘custom roles’ - Shop Manager and Customer (read more about these here).

A summary of the core five WordPress user roles has been collated below so that you can best understand which will be most suitable for the users you are adding:

• Administrator – the most ‘powerful’ user role on a website. The administrator user role allows someone to create whatever content they want, remove content they didn’t create, change the website’s themes, WordPress plugins and adjust all of the website’s settings - we don’t recommend giving this to anyone unless they absolutely need the permissions that will be offered - a developer working on your website would most likely need admin-level access for example.

• Editor – this allows the user to publish, edit and manage their own posts as well as the posts of others. They are not able to change global website settings e.g. install a new theme, but can edit all existing page content.

• Author – this allows the user to publish and manage their own posts but not edit any other users posts. It is useful for allowing guest bloggers you trust to write and publish their own posts on your site without having to worry about them making any changes to the rest of your site’s content or accidentally changing a theme setting.

• Contributor – a contributor can write and manage their own posts as a ‘draft’ but will be unable to publish these on the website. This might be useful for allowing guest bloggers who you have not worked with before to write their content directly into your website’s CMS without it going live. Any content created by a contributor will need to have its ‘status’ set to ‘published’ by an editor or administrator in order for it to be live.

• Subscriber – normally used for user accounts on membership sites. All a subscriber can do is edit their own profile, they are unable to create any content on your website of any form.

From our experience the above user roles are normally more than extensive enough for most cases where access needs to be shared with a third party user. That said, if you are looking to lock down access with more granularity, you may want to create a custom user role…

How to add custom user roles in WordPress

The easiest way to create a custom user role is by installing and activating the ‘User Role Editor’ plugin. To do this, click plugins > add new > and search for ‘user role editor’:

Install and activate the first plugin that comes up - “User Role Editor “ by Vladimir Garagulya. Once activated, if you hover your mouse over the ‘Users’ item in the left hand sidebar, you should now see a new option “User Role Editor”:

Click the link to be redirected to a page that looks like this:

The page may be overwhelming at first, but it’s actually pretty simple! You have a dropdown menu at the top where you can select which user role you want to update the permissions for (in this case ‘Author’). You then have a set of checkboxes which show which actions that user is able to carry out - if ticked, then the user has the permission to perform that action.

For example, looking at the above screenshot, we can see that the ‘author’ user role is currently able to delete posts (delete_posts) and edit published posts (edit_published_posts) but is unable to delete users (delete_users).

In order to make changes to the user role, simply select the checkboxes for the permissions you would like to grant this user role and, deselect the checkboxes to remove specific permissions.

Once you have finished making your changes, click ‘Update’ to set these permissions for the user role you have selected from the dropdown (‘Author’).

If you want to make your own brand new role, just click ‘add role’ and a popup will appear as follows:

Fill in the ‘Role name’ and ‘Display Role Name’ with whatever you want to call the new user role you are creating. You can then either select an existing role you would like to copy the permissions of as a starting point, or leave this as ‘none’ and set each permission manually for the new user. See example below:

After saving the permissions for your new custom role, you will see this as an option available when you add a new user:

Top tip: If you’re serious about setting up more complex custom user roles, we’d suggest creating a test role as well as a user who is assigned with that role to understand the implications of enabling/disabling certain permissions for that user.

Wrapping Up

If you’ve made it this far, hopefully you now understand why, when sharing access to your website, you should do so with ‘user roles’ as opposed to just handing over the admin login credentials. It’s really not as complicated as you might think at first so it is definitely worth doing to protect and secure your WordPress site from unwanted changes.

We hope you’ve found this article useful. If you’re looking to get started with building your very own website, whether that’s using WordPress as a CMS or not, check out some of our hosting plans for WordPress! We look forward to seeing what websites you build…

Frequently Asked Questions