What Are WordPress User Roles?
WordPress user roles are preset permission levels that control what each person can do on a site. WordPress ships with five main roles: Administrator (full control), Editor (manages all content), Author (writes and publishes their own posts), Contributor (writes but cannot publish), and Subscriber (reads and manages their own profile). Each role is a bundle of individual capabilities. Assigning the lowest role that lets someone do their job limits accidental damage and security risk, which is why role management is a core part of running a safe, multi-user WordPress site.
- Default roles
- Administrator, Editor, Author, Contributor, Subscriber (WordPress Developer Resources)
- Built on
- Capabilities — granular permissions like edit_posts or manage_options bundled per role
- WooCommerce adds
- Customer and Shop Manager roles on stores running WooCommerce
- Multisite adds
- A Super Admin role that controls the entire network of sites
- Best practice
- Grant the least privilege needed; limit Administrators to a trusted few (principle of least privilege)
What roles and capabilities mean #
A WordPress user role is a named set of permissions that decides what a logged-in person can see and do in the dashboard. Under the hood, each role is a collection of capabilities — small, specific permissions such as edit_posts, publish_posts, delete_pages, install_plugins, or manage_options. When you assign someone the Editor role, you are really granting them the bundle of capabilities that role contains. This design lets WordPress control access without you configuring dozens of switches per person. It matters because most sites eventually have more than one user: a business owner, a marketer, a freelance writer, maybe a developer. Giving each the right role keeps the site organized and safe, since a writer cannot accidentally delete plugins and a subscriber cannot edit pages. Proper role setup is a foundational part of the secure builds we deliver through /services/wordpress-development and the ongoing account hygiene we maintain under /services/care-plans for clients with growing teams.
The Administrator role #
Administrator is the most powerful default role and effectively owns the site. Admins can create and delete users, change any user's role, install and remove plugins and themes, edit any content, modify site settings, and — on non-multisite installs — edit core files through the dashboard. Because this role can do everything, it is also the most dangerous in the wrong hands: a compromised admin account gives an attacker total control, and a careless admin can break the site with a bad plugin or setting change. The rule of thumb is to keep the number of administrators as small as possible, ideally one or two trusted people, and never share a single admin login among a team. Each person should have their own account at the lowest role that fits their work. Limiting admin accounts is one of the simplest, highest-impact security measures, and it is a standard part of the hardening our /services/website-security team applies to every site we manage.
Editor, Author, and Contributor roles #
These three content roles form a clear hierarchy. An Editor manages all content across the site — they can write, edit, publish, and delete any post or page regardless of author, moderate comments, and manage categories and tags, but they cannot touch plugins, themes, or core settings. This makes Editor ideal for a content manager or senior marketer. An Author can write, edit, publish, and delete only their own posts, and upload media, but cannot alter anyone else's work. That suits a regular staff writer you trust to publish independently. A Contributor can write and edit their own posts but cannot publish them or upload files — their drafts wait for an Editor or Admin to review and publish, which is perfect for freelancers or guest writers who need oversight. Choosing correctly among these three covers most editorial teams. When we set up multi-author blogs as part of /services/content-marketing, matching each person to the tightest fitting role keeps the workflow smooth and safe.
The Subscriber role and membership uses #
Subscriber is the most limited default role. A subscriber can log in, read content, and manage their own profile — nothing more. On its own that sounds useless, but it underpins many common features. Sites that require registration to view certain content, leave comments, or receive members-only updates assign new registrants the Subscriber role by default. Membership and e-learning plugins build on it, layering custom capabilities so subscribers can access courses or gated pages without gaining any editorial power. E-commerce sites running WooCommerce use a similar Customer role so buyers can view their orders and manage addresses while remaining locked out of the admin. The key point is that Subscriber is a safe default for anyone who is a visitor rather than a staff member. If your site offers accounts, gated content, or a client area, subscribers or a custom equivalent are the right starting role — and we build secure login areas like this through /services/client-portals for businesses that need them.
Roles added by WooCommerce and multisite #
The five defaults are not the whole story. Installing WooCommerce adds two roles: Customer, given to shoppers so they can manage their own orders and account details, and Shop Manager, a powerful role that can manage products, orders, and store settings without gaining full site-administration rights. Shop Manager is ideal for staff who run the store day to day but should not install plugins or edit the whole site. WordPress Multisite — a network of sites under one installation — introduces the Super Admin role, which controls the entire network, manages all sites, and installs network-wide plugins and themes, sitting above individual site administrators. Many plugins also register their own custom roles or add capabilities to existing ones. This is why real-world sites often have more than five roles, and why reviewing exactly who can do what becomes important as a site grows. On e-commerce projects delivered through /services/ecommerce-development, correctly scoping Shop Manager access is a routine but important step.
Changing a user's role in practice #
You assign or change roles from Users in the WordPress dashboard, either when creating an account or by editing an existing user and selecting a new role from a dropdown. Developers can also set or modify roles and capabilities in code, which is useful for automation or custom roles. Here are common programmatic approaches using WP-CLI and PHP.
# Create a user with the editor role
wp user create jane [email protected] --role=editor
# Change an existing user's role
wp user set-role 12 author
# In PHP: give an existing user a role
$user = new WP_User( 12 );
$user->set_role( 'contributor' );Security risks of poor role management #
Sloppy role assignment is a quietly common security weakness. The biggest mistake is handing out Administrator accounts freely — to a freelancer who only writes posts, a marketer who only needs Editor, or worse, sharing one admin login across a team so no action can be traced to a person. Each unnecessary admin account is another target; if any is phished or reused with a breached password, the whole site falls. Dormant accounts from former staff or contractors are another risk, since they linger with live access nobody remembers. Good practice is to audit users regularly, remove accounts that are no longer needed, enforce strong unique passwords and two-factor authentication on high-privilege roles, and always assign the least privilege that lets someone do their job. These habits are part of the layered protection we apply through /services/website-security, and a periodic user audit is something a business can request during a checkup at /free-website-audit to catch over-privileged or forgotten accounts.
Best practices for a multi-user site #
Running a healthy multi-user WordPress site comes down to a few disciplined habits. Apply least privilege: start everyone at the lowest role that fits and elevate only when a real need appears. Keep administrators to a trusted minimum, ideally one or two, and never share logins — individual accounts preserve accountability and make it easy to revoke access when someone leaves. Use custom roles or a role-editor plugin when the defaults do not fit, for example a client who should edit pages but not install plugins. Review your user list on a schedule, removing former staff and stale contractor accounts promptly. Require strong passwords and two-factor authentication on any account above Subscriber. Document who has what access so the setup does not live only in one person's memory. These practices scale from a two-person shop to a large editorial team. For businesses that would rather not manage this themselves, our /services/care-plans include ongoing user and access oversight as part of routine maintenance.
Auditing and tightening access over time #
User roles are not a set-and-forget decision; they need periodic review as your team and site evolve. People join, change responsibilities, and leave, and each of those events should trigger a role adjustment or account removal. A quarterly audit is a practical habit: list every user, confirm each still needs their access, downgrade anyone over-privileged, and delete accounts for departed staff or finished contractors. Pay special attention to administrator accounts, since those carry the most risk, and confirm high-privilege users have strong unique passwords and two-factor authentication enabled. Watch for accounts created by plugins or integrations that may hold broad permissions. Documenting who has what access, and why, keeps the setup from living only in one person's memory. This ongoing discipline prevents the slow accumulation of forgotten, over-powered accounts that attackers love to find. For businesses that would rather not track this manually, our /services/care-plans include routine user reviews, and a checkup at /free-website-audit can surface stale or over-privileged accounts you may have lost track of.
FAQ
What are the five default WordPress user roles?
Administrator, Editor, Author, Contributor, and Subscriber. Administrator has full control; Editor manages all content; Author writes and publishes their own posts; Contributor writes but cannot publish; Subscriber can only read and manage their own profile. Each role is a preset bundle of specific capabilities that determine what the user can do.
Which role should I give a freelance writer?
Usually Contributor or Author. Choose Contributor if you want to review and publish their drafts yourself, since contributors can write but not publish or upload files. Choose Author if you trust them to publish independently, as authors manage only their own posts. Avoid giving writers Administrator or Editor access.
How many administrators should a site have?
As few as possible — ideally one or two trusted people. Every admin account can install plugins, delete content, and change settings, so each one is a security risk if compromised. Give other team members lower roles that fit their work, and never share a single admin login across multiple people.
Can I create custom user roles?
Yes. You can add roles and adjust capabilities with code using add_role() and add_cap(), or with a role-editor plugin for a visual interface. Custom roles are useful when the defaults do not fit, such as a client who should edit pages but not install plugins or change site settings.
What roles does WooCommerce add?
WooCommerce adds Customer and Shop Manager. Customer is assigned to shoppers so they can view their own orders and manage account details. Shop Manager can manage products, orders, and store settings without full site-administration rights, making it ideal for staff who run the store but should not control the whole website.
Why does role management matter for security?
Because over-privileged and forgotten accounts are common attack paths. Too many administrators, shared logins, and stale former-staff accounts all increase risk. Assigning least privilege, limiting admins, removing unused accounts, and enforcing strong passwords with two-factor authentication on higher roles dramatically reduces the chance that one compromised account brings down the whole site.
How Local Web Advisor checks this for you
Is your own website getting web dev right?
Our free AI audit scans your site and tells you — in plain English — exactly what to fix for web dev and seven other areas, with the business impact and the fix for each. No login needed to start.
Run my free website audit →Was this helpful?