What are roles?
Every user on your WordPress site has a role that determines their access to various parts of the administration area and their actions within it. This is managed through WordPress’s capabilities system—each role is assigned a set of capabilities, such as “edit_posts,” “manage_users,” and “install_plugins.” WordPress comes with several dozen built-in capabilities, and many plugins add extra capabilities tailored to their functionality.
More information on the default WordPress roles and their capabilities can be found in the official documentation.
Why do they matter?
While it may be tempting to grant everyone full access, this approach introduces several unnecessary risks. Instead, each user should be assigned only the minimum permissions needed to perform their duties within the site. Assigning more permissions than necessary:
- May confuse them or make it harder for them to find the functionality they do actually need.
- Could lead to accidental changes they shouldn’t have access to, potentially breaking your site.
- Increases the risk of your site being compromised – for instance, if an Author’s user account is hijacked the worst that can happen is inappropriate or spam content being published on the site. However, if an Administrator’s account is compromised, the entire site could be taken over including all other users losing access.
Assigning roles
Most websites should have only two to three users with the Administrator role, although larger organizations might require a few more. Typically, this includes individuals within your organisation who have primary responsibility for the website, often accompanied by one or two trusted partners, such as Spark, to help manage the site.
Subscribers only have the “read” capability, and can’t do anything in the back-end of the site other than edit their own profile. The Subscriber role is therefore really only useful if your site has a members’ area where content that isn’t publicly accessible is made available to registered users.
The remaining default roles (Contributor, Author and Editor) have varying degrees of access to manage content. Contributors can write content but can’t publish it, and can only edit their own items before they’re published. This is the ideal role for an intern or junior content creator who you want to allow to write blog posts (for example) but ensure that they are reviewed by someone more senior before being published. Authors are also restricted to editing their own content, but have permission to publish them and edit them after they have been published. Editors can review, edit and publish other users’ work as well as their own.
Finally, we strongly recommend doing a regular review (at least every 3 months) of your user records to ensure that they are up to date. This means checking that anyone who has left your organisation no longer has access to the site, and that the roles assigned to the remaining users are still the most appropriate.
Multisite
If your website is a multisite then things are slightly different at the top. Super Admins (also known as Network Administrators) have full administrative control over the entire multisite network and each individual site within it. Administrators on each site within the multisite have slightly more limited capabilities than they would in a single site – for example they can’t install plugins as that is managed at the network level.
The same recommendations for Administrators on a single site apply to Super Admins in a multisite. Depending on the site and organisation structures you may not require additional Administrators on individual sites at all, but you should limit it to 1 or 2 per site.
All other roles work the same way in multisite as they do in a single site setup, so the above recommendations still apply.
Custom roles
If the above roles don’t meet your needs, don’t panic! As with all things WordPress, the roles and capabilities system is almost infinitely extendible so you can create as many custom roles as you need, each with their own unique set of capabilities. There are numerous plugins which make this very easy – we recommend checking out PublishPress Capabilities.
Have further questions on WordPress roles and capabilities? Let us know in the comments!