WordPress uses a role-based access control system with predefined roles and granular capabilities. Understanding roles and permissions is essential for secure, efficient user management.
How WordPress Roles Work
Roles vs. Capabilities
- Role - A label (Administrator, Editor, Author, etc.) that groups capabilities
- Capability - A specific permission (edit_posts, publish_pages, delete_users, etc.)
- User - Can have ONE role, which grants multiple capabilities
// Example structure
Administrator Role
├── edit_posts ✓
├── publish_posts ✓
├── delete_users ✓
└── install_plugins ✓
Editor Role
├── edit_posts ✓
├── publish_posts ✓
├── delete_users ✗
└── install_plugins ✗
How Permissions are Checked
// WordPress checks capabilities, not roles
if (current_user_can('edit_posts')) {
    // User can edit posts
}
// Multiple users with different roles can have same capability
// Administrator: edit_posts ✓
// Editor: edit_posts ✓
// Author: edit_posts ✓ (own posts only)
Default WordPress Roles
Super Admin (Multisite Only)
Purpose: Network-wide control for multisite installations
Key Capabilities:
- Create, edit, delete sites in network
- Add/remove Super Admins
- Access Network Admin panel
- Install/update themes and plugins network-wide
- Manage network settings
- All Administrator capabilities on all sites
Use Cases:
- Network owner
- Hosting company managing client sites
- Agency managing multiple client sites
Limitations:
- Only available in WordPress Multisite
- Should be limited to 1-2 trusted individuals
- Cannot be assigned via standard UI (requires code)
Granting Super Admin:
// Grant Super Admin (Multisite)
grant_super_admin(123); // User ID
// Revoke Super Admin
revoke_super_admin(123);
// Check if user is Super Admin
if (is_super_admin(123)) {
    // User is Super Admin
}
Administrator
Purpose: Full control over a single WordPress site
Key Capabilities:
- Users: Create, edit, delete users and change roles
- Content: Edit/delete all posts, pages, comments
- Appearance: Install/activate themes, customize theme, widgets
- Plugins: Install, activate, deactivate, delete plugins
- Settings: Change all WordPress settings
- Media: Upload, edit, delete all media files
- Tools: Import/export content, update WordPress core
Full Capability List:
activate_plugins
delete_others_pages
delete_others_posts
delete_pages
delete_posts
delete_private_pages
delete_private_posts
delete_published_pages
delete_published_posts
delete_users
edit_dashboard
edit_files (deprecated)
edit_others_pages
edit_others_posts
edit_pages
edit_posts
edit_private_pages
edit_private_posts
edit_published_pages
edit_published_posts
edit_theme_options
edit_themes (dangerous)
edit_users
export
import
install_plugins
install_themes
list_users
manage_categories
manage_links
manage_options
moderate_comments
promote_users
publish_pages
publish_posts
read
read_private_pages
read_private_posts
remove_users
switch_themes
unfiltered_html
unfiltered_upload (dangerous)
update_core
update_plugins
update_themes
upload_files
Use Cases:
- Site owner
- Lead developer
- Agency with full access
Security Notes:
- Limit Administrator accounts to 1-2 people
- Require Two-Factor Authentication
- Regular access reviews
- Never share Administrator accounts
Editor
Purpose: Manage and publish all content on the site
Key Capabilities:
- Content: Create, edit, publish, delete all posts and pages (own and others')
- Categories/Tags: Create and manage taxonomies
- Comments: Moderate all comments
- Media: Upload and manage media library
- Cannot: Install plugins, change themes, modify settings, manage users
Full Capability List:
delete_others_pages
delete_others_posts
delete_pages
delete_posts
delete_private_pages
delete_private_posts
delete_published_pages
delete_published_posts
edit_others_pages
edit_others_posts
edit_pages
edit_posts
edit_private_pages
edit_private_posts
edit_published_pages
edit_published_posts
manage_categories
manage_links
moderate_comments
publish_pages
publish_posts
read
read_private_pages
read_private_posts
unfiltered_html
upload_files
Use Cases:
- Content manager
- Marketing lead
- Editorial director
- Trusted content team lead
Best For:
- Users who need to publish content without technical site access
- Content approval workflow managers
- Users who manage multiple authors
Author
Purpose: Write and publish own blog posts
Key Capabilities:
- Own Content: Create, edit, publish, delete own posts
- Media: Upload files (attached to own posts)
- Cannot: Edit others' posts, manage pages, moderate comments, change site settings
Full Capability List:
delete_posts
delete_published_posts
edit_posts
edit_published_posts
publish_posts
read
upload_files
Use Cases:
- Blog contributors
- Guest writers
- Regular content creators
- Staff writers
Limitations:
- Can only edit/delete own posts
- Cannot create/edit pages
- Cannot moderate comments
- Cannot manage categories/tags
Contributor
Purpose: Write posts but cannot publish without approval
Key Capabilities:
- Draft Content: Create and edit own posts (draft only)
- Awaiting Review: Submit posts for review
- Cannot: Publish posts, upload files, edit published posts
Full Capability List:
delete_posts
edit_posts
read
Use Cases:
- Freelance writers needing approval
- Interns or junior content creators
- External contributors
- Users in content approval workflows
Workflow:
- Contributor writes post
- Sets status to "Pending Review"
- Editor/Administrator reviews
- Editor/Administrator publishes or requests revisions
Limitations:
- Cannot upload images/media (Editor must add)
- Cannot publish own content
- Cannot edit after Editor publishes
Subscriber
Purpose: Minimal access for registered users
Key Capabilities:
- Profile: Manage own user profile
- Read: View content (same as non-logged-in users on public sites)
- Comments: Post comments (if comments enabled)
- Cannot: Access dashboard beyond profile, create any content
Full Capability List:
read
Use Cases:
- Newsletter subscribers
- Membership site members (basic tier)
- Forum participants
- Customers (non-WooCommerce)
- Users who need account but no content creation
Notes:
- Subscribers can access wp-admin (only see profile)
- To prevent wp-admin access, use plugin to restrict
- WooCommerce replaces Subscriber with Customer role
WooCommerce Roles
Shop Manager
Purpose: Manage WooCommerce store without full site access
Key Capabilities:
- Products: Create, edit, delete products
- Orders: View and manage orders
- Coupons: Create and manage discount codes
- Reports: View store reports
- Settings: Modify WooCommerce settings
- Cannot: Install plugins, manage users, access site settings
Full Capability List:
// WooCommerce-specific capabilities
edit_product
read_product
delete_product
edit_products
edit_others_products
publish_products
read_private_products
delete_products
delete_private_products
delete_published_products
delete_others_products
edit_private_products
edit_published_products
manage_product_terms
edit_product_terms
delete_product_terms
assign_product_terms
manage_woocommerce
view_woocommerce_reports
// Plus Editor capabilities
Use Cases:
- Store manager
- E-commerce operations team
- Fulfillment staff
- Inventory manager
Customer
Purpose: WooCommerce purchaser with order management
Key Capabilities:
- Orders: View own order history
- Account: Manage billing/shipping addresses
- Downloads: Access digital product downloads
- Cannot: Access wp-admin dashboard, create content
Full Capability List:
read
pay_for_order (WooCommerce)
view_order (own orders only)
Use Cases:
- Anyone who makes a purchase
- Automatically assigned on first checkout
- Replaces Subscriber role for e-commerce sites
Frontend Only:
- Access via My Account page (/my-account/)
- No wp-admin access
- Profile editable from frontend only
Custom Roles & Capabilities
Creating Custom Roles
Example: Content Reviewer - a user who can review content but not publish it:
add_action('init', 'add_content_reviewer_role');
function add_content_reviewer_role() {
    // add_role() writes the role to the wp_user_roles option the first time it
    // runs and returns null on later requests because the role already exists.
    add_role(
        'content_reviewer',
        'Content Reviewer',
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'edit_others_posts'    => true,
            'edit_published_posts' => true,
            'read_private_posts'   => true,
            // Excluded: publish_posts, delete_posts
        )
    );
}
Example: Social Media Manager - a user who can edit posts and access the Appearance menu:
add_action('init', 'add_social_media_manager_role');
function add_social_media_manager_role() {
    add_role(
        'social_media_manager',
        'Social Media Manager',
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'edit_theme_options'   => true, // For menus/widgets
            'upload_files'         => true,
        )
    );
}
Modifying Existing Roles
Both calls below update the wp_user_roles option immediately, so run them once (for example from a plugin activation hook) rather than on every page load.
Add capability to Editor:
$editor = get_role('editor');
if ($editor) { // get_role() returns null if the role does not exist
    $editor->add_cap('edit_theme_options'); // Access Appearance menu
}
Remove capability from Author:
$author = get_role('author');
if ($author) {
    $author->remove_cap('upload_files'); // Prevent media uploads
}
Clone and modify role:
// Clone Author to "Staff Writer" with extra capabilities
function create_staff_writer_role() {
    if (get_role('staff_writer')) {
        return; // Already created; without this guard add_cap() would write to the database on every request
    }
    $author = get_role('author');
    if (!$author) {
        return;
    }
    add_role('staff_writer', 'Staff Writer', $author->capabilities);
    $staff_writer = get_role('staff_writer');
    $staff_writer->add_cap('moderate_comments'); // Extra capability
}
add_action('init', 'create_staff_writer_role');
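The snippets above all persist their changes in the wp_user_roles option, so they do not need to run on every request. The plugin skeleton below is an added example (not code from the original page): it performs the Staff Writer clone and the Editor change once on activation, records whether Editor already had edit_theme_options, and reverts both on deactivation so that users are not left without a role. The option name demo_roles_state and the function names are assumptions made for this example.

```php
<?php
// Added example (not from the original page): register a custom role and a
// capability change once, on plugin activation, and undo both on deactivation.
// The role slug 'staff_writer' comes from the page; the option name
// 'demo_roles_state' and the function names are assumptions.

register_activation_hook( __FILE__, 'demo_roles_activate' );
register_deactivation_hook( __FILE__, 'demo_roles_deactivate' );

function demo_roles_activate() {
    // 1. Clone Author into Staff Writer, adding one capability. Build the
    //    capability array first so add_role() is called exactly once.
    $author = get_role( 'author' );
    if ( $author && null === get_role( 'staff_writer' ) ) {
        $caps                      = $author->capabilities;
        $caps['moderate_comments'] = true;
        add_role( 'staff_writer', 'Staff Writer', $caps );
    }

    // 2. Grant Editor access to the Appearance menu. Remember whether the
    //    capability was already present so deactivation does not remove a
    //    grant that came from somewhere else (a role-editor plugin, say).
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $had_cap = $editor->has_cap( 'edit_theme_options' );
        update_option( 'demo_roles_state', array( 'editor_had_theme_options' => $had_cap ) );
        if ( ! $had_cap ) {
            $editor->add_cap( 'edit_theme_options' );
        }
    }
}

function demo_roles_deactivate() {
    // Users still assigned to a role that is removed end up with no role at
    // all, so move them back to Author before removing the role.
    foreach ( get_users( array( 'role' => 'staff_writer' ) ) as $user ) {
        $user->set_role( 'author' );
    }
    remove_role( 'staff_writer' );

    // Only take edit_theme_options away if this plugin is what granted it.
    $state  = get_option( 'demo_roles_state', array() );
    $editor = get_role( 'editor' );
    if ( $editor && empty( $state['editor_had_theme_options'] ) ) {
        $editor->remove_cap( 'edit_theme_options' );
    }
    delete_option( 'demo_roles_state' );
}
```

On a multisite network roles are stored per site, so a network-activated plugin would need to repeat the activation step for each site (for example inside a switch_to_blog() loop) rather than relying on the single activation call.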
Important Capabilities
Content:
- edit_posts - Edit own posts
- edit_others_posts - Edit all posts
- edit_published_posts - Edit published posts
- publish_posts - Publish posts (vs. draft)
- delete_posts - Delete own posts
- delete_others_posts - Delete all posts
Users:
- edit_users - Edit user profiles
- create_users - Add new users
- delete_users - Remove users
- promote_users - Change user roles
- list_users - View user list
Site:
- manage_options - Access Settings menu
- update_core - Update WordPress version
- install_plugins - Add plugins
- activate_plugins - Enable/disable plugins
- edit_theme_options - Access Appearance menu
- install_themes - Add themes
- switch_themes - Change active theme
Dangerous:
- unfiltered_html - Insert HTML/JavaScript in content
- unfiltered_upload - Upload any file type (PHP, etc.)
- edit_themes - Edit theme files directly
- edit_plugins - Edit plugin files directly
Checking Capabilities Programmatically
// Check current user
if (current_user_can('edit_posts')) {
    // Show edit button
}
// Check specific user
$user = get_user_by('id', 123);
if ($user && $user->has_cap('publish_posts')) {
    // User can publish
}
// Check by role (prefer capability checks; role checks break once roles are customized)
$user = wp_get_current_user();
if (in_array('editor', (array) $user->roles, true)) {
    // User is an Editor
}
// Multiple capabilities (AND)
if (current_user_can('edit_posts') && current_user_can('upload_files')) {
    // User can edit AND upload
}
// Check in template
<?php if (current_user_can('manage_options')) : ?>
    <a href="<?php echo esc_url(admin_url('options-general.php')); ?>">Settings</a>
<?php endif; ?>
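The checks above all ask about primitive capabilities. The handler below is an added example (not code from the original page) that ties together the point made under "How Permissions are Checked" (an Author's edit_posts covers only their own posts) and the checks in this section: it asks for the meta capability edit_post on a specific post ID, which WordPress' map_meta_cap() resolves to the primitive capabilities that particular post requires. The admin-ajax action name, the nonce action and the function names are assumptions made for this example.

```php
<?php
// Added example (not from the original page): checking a meta capability
// against a specific post instead of the primitive capability.
//
// current_user_can('edit_posts') only asks "does this user hold edit_posts?".
// An Author holds it, so that check alone would let an Author's request touch
// any post. Asking for the meta capability 'edit_post' with a post ID lets
// map_meta_cap() translate it into what THIS post requires:
//   - own draft post       -> edit_posts
//   - someone else's post  -> edit_others_posts
//   - published post       -> edit_published_posts (in addition to the above)
//
// The action name 'demo_update_title' and the nonce action are assumptions.

add_action( 'wp_ajax_demo_update_title', 'demo_update_title' );

function demo_update_title() {
    // Reject forged cross-site requests before doing anything else.
    check_ajax_referer( 'demo_update_title' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    if ( ! $post_id || null === get_post( $post_id ) ) {
        wp_send_json_error( 'unknown post', 404 );
    }

    // Object-level check: resolves to the right primitive caps for this post.
    // An Author passes for their own draft and fails for a colleague's post;
    // an Editor passes for both.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The same mapping made visible: returns the primitive capabilities a user
// would need to edit a given post, e.g. ['edit_others_posts',
// 'edit_published_posts'] for an Author looking at someone else's live post.
function demo_required_caps( $user_id, $post_id ) {
    return map_meta_cap( 'edit_post', $user_id, $post_id );
}
```

The same pattern applies to the other object-level meta capabilities (delete_post, read_post, edit_user, edit_comment): pass the object ID and let map_meta_cap() decide, rather than reasoning about roles in the handler.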
Role Management Plugins
User Role Editor
Features:
- Visual interface for role/capability management
- Clone roles
- Add/remove capabilities with checkboxes
- Assign multiple roles to user (premium)
- Export/import roles
Installation:
- Plugins → Add New → Search "User Role Editor"
- Install and activate
- Users → User Role Editor
Members
Features:
- Create custom roles
- Edit capabilities
- Content permissions (restrict by role)
- Role hierarchy
Advanced Access Manager (AAM)
Features:
- Granular permissions
- Hide admin menus per role
- Content access control
- API access management
Security Best Practices
Principle of Least Privilege
Assign the minimal role needed:
- Content creator? Author, not Editor
- Store manager? Shop Manager, not Administrator
- Temporary contractor? Time-bound access with review date
Protect Administrator Role
// Limit Administrator accounts
// Require 2FA for Administrators
// Log Administrator actions
// Example: Prevent role changes by non-super-admins
// 'editable_roles' feeds both the role dropdown in the UI and the server-side
// check in edit_user(), so a role removed here cannot be assigned by these users.
add_filter('editable_roles', 'hide_admin_role_from_editors');
function hide_admin_role_from_editors($roles) {
    if (!current_user_can('update_core')) {
        unset($roles['administrator']);
    }
    return $roles;
}
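The "Log Administrator actions" item above can be made concrete with core hooks. The code below is an added example, not code from the original page: it records every role change and every Super Admin grant or revoke as a structured log line. The hooks are real core actions (set_user_role, granted_super_admin, revoked_super_admin); error_log() stands in for whatever log sink the site actually uses, and the function names and the demo_admin_escalation alert hook are assumptions made for this example.

```php
<?php
// Added example (not from the original page): record privilege changes.
// 'set_user_role' fires from WP_User::set_role(), which the user edit screen,
// wp_update_user() and WP-CLI all go through. The 'demo_admin_escalation'
// hook and error_log() as the sink are assumptions for this example.

add_action( 'set_user_role', 'demo_log_role_change', 10, 3 );
add_action( 'granted_super_admin', 'demo_log_super_admin_granted' );
add_action( 'revoked_super_admin', 'demo_log_super_admin_revoked' );

// Builds one structured log entry. The actor is whoever is logged in when the
// change happens; actor_id 0 means WP-CLI, cron or an unauthenticated code
// path, which is itself worth reviewing.
function demo_privilege_event( $event, array $data ) {
    $actor = wp_get_current_user();
    $entry = array_merge( array(
        'event'    => $event,
        'time'     => gmdate( 'c' ),
        'actor_id' => (int) $actor->ID,
        'actor'    => $actor->user_login,
        'ip'       => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ), $data );
    error_log( 'wp-privilege ' . wp_json_encode( $entry ) );
    return $entry;
}

function demo_log_role_change( $user_id, $new_role, $old_roles ) {
    $entry = demo_privilege_event( 'set_user_role', array(
        'user_id'   => (int) $user_id,
        'old_roles' => (array) $old_roles,
        'new_role'  => $new_role,
    ) );
    // Promotion to Administrator is the event most worth an immediate alert.
    if ( 'administrator' === $new_role
        && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        do_action( 'demo_admin_escalation', $entry );
    }
}

function demo_log_super_admin_granted( $user_id ) {
    demo_privilege_event( 'granted_super_admin', array( 'user_id' => (int) $user_id ) );
}

function demo_log_super_admin_revoked( $user_id ) {
    demo_privilege_event( 'revoked_super_admin', array( 'user_id' => (int) $user_id ) );
}
```

On installs where users carry more than one role, the add_user_role and remove_user_role actions fire instead of set_user_role and should be hooked the same way.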
Dangerous Capabilities to Avoid
Unless absolutely necessary, don't grant:
- unfiltered_html - XSS risk
- unfiltered_upload - Malware upload risk
- edit_themes - Site breakage risk
- edit_plugins - Code injection risk
- update_core - Accidental updates
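WordPress core provides two places to enforce this list without editing every role by hand. The following is an added example, not code from the original page: the wp-config.php constants are real core constants, and the user_has_cap filter (placed in a must-use plugin under wp-content/mu-plugins/) strips unfiltered_html from everyone who is not an Administrator, which is finer-grained than DISALLOW_UNFILTERED_HTML because Administrators keep it. The callback name is an assumption.

```php
<?php
// Added example (not from the original page): keeping the capabilities listed
// above off accounts that do not need them. Constant names are real core
// constants; the filter callback name is an assumption.
//
// 1. wp-config.php constants. These are evaluated inside map_meta_cap(), so
//    they override whatever role definitions are stored in the database:
//
//    define( 'DISALLOW_FILE_EDIT', true );       // removes edit_themes / edit_plugins
//    define( 'DISALLOW_FILE_MODS', true );       // also removes install_/update_
//                                                // plugins, themes and core
//    define( 'DISALLOW_UNFILTERED_HTML', true ); // removes unfiltered_html from
//                                                // every user, Administrators included
//
//    unfiltered_upload is only ever granted when ALLOW_UNFILTERED_UPLOADS is
//    defined as true; leaving that constant undefined is the safe default.
//
// 2. A finer-grained policy for unfiltered_html. Editors hold it by default on
//    single-site installs (see the Editor capability list above). The filter
//    keeps it for users who also hold manage_options (Administrators) and
//    denies it to everyone else at check time; stored roles are not modified.

add_filter( 'user_has_cap', 'demo_restrict_unfiltered_html', 10, 4 );

/**
 * @param array   $allcaps Effective capabilities of the user being checked.
 * @param array   $caps    Primitive capabilities the current check requires.
 * @param array   $args    [0] => requested capability, [1] => user ID, ...
 * @param WP_User $user    The user being checked.
 * @return array  Possibly modified capability map.
 */
function demo_restrict_unfiltered_html( $allcaps, $caps, $args, $user ) {
    if ( ! empty( $allcaps['unfiltered_html'] ) && empty( $allcaps['manage_options'] ) ) {
        // A false entry is treated as "not granted" by WP_User::has_cap().
        $allcaps['unfiltered_html'] = false;
    }
    return $allcaps;
}
```

After deploying either layer, verify with current_user_can('unfiltered_html') while logged in as an Editor rather than by reading the role definition: the constants and the filter act at check time and leave the stored role untouched.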
Regular Audits
// List all users with Administrator role
$admins = get_users(array('role' => 'administrator'));
foreach ($admins as $admin) {
    echo esc_html($admin->user_login . ' - ' . $admin->user_email) . '<br/>';
}
// Find users with dangerous capabilities
$users = get_users();
foreach ($users as $user) {
    if ($user->has_cap('unfiltered_html')) {
        echo esc_html($user->user_login) . ' has unfiltered_html capability<br/>';
    }
}
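The two loops above look only at users. The audit below is an added example (not code from the original page) that extends them in two directions: it inspects the stored role definitions, so a role that was handed a dangerous capability through a role-editor plugin shows up even before anyone is assigned to it, and it separates capabilities sitting directly on a user account from those inherited through a role. Function names are assumptions; the function returns data instead of echoing so the result can be rendered on an admin page, emailed, or dumped from WP-CLI.

```php
<?php
// Added example (not from the original page): audit dangerous capabilities
// across role definitions and users. Function names are assumptions.

function demo_audit_dangerous_caps() {
    $dangerous = array( 'unfiltered_html', 'unfiltered_upload', 'edit_themes',
                        'edit_plugins', 'update_core' );
    $wanted    = array_flip( $dangerous );
    $report    = array( 'roles' => array(), 'users' => array() );

    // (a) Role definitions as stored in the wp_user_roles option.
    foreach ( wp_roles()->roles as $slug => $role ) {
        $granted = array_keys( array_filter(
            array_intersect_key( $role['capabilities'], $wanted ) ) );
        if ( $granted ) {
            $report['roles'][ $slug ] = $granted;
        }
    }

    // (b) Per user. Large sites should page through users with 'number' and
    //     'offset' instead of loading them all at once.
    foreach ( get_users() as $user ) {
        // Capabilities set on the account itself (user meta). WP_User::$caps
        // also holds the role slugs as keys; the intersection drops those.
        $direct = array_keys( array_filter(
            array_intersect_key( $user->caps, $wanted ) ) );

        // Effective result after map_meta_cap(), the DISALLOW_* constants and
        // any user_has_cap filters: this is what current_user_can() returns.
        $effective = array_values( array_filter( $dangerous, array( $user, 'has_cap' ) ) );

        if ( $direct || $effective ) {
            $report['users'][ $user->user_login ] = array(
                'roles'     => $user->roles,
                'direct'    => $direct,
                'effective' => $effective,
            );
        }
    }
    return $report;
}

// Plain-text rendering for an admin notice or CLI output. Logins and role
// slugs are user-controlled strings, so every value is escaped.
function demo_render_audit( array $report ) {
    $lines = array();
    foreach ( $report['roles'] as $slug => $caps ) {
        $lines[] = sprintf( 'role %s grants: %s',
            esc_html( $slug ), esc_html( implode( ', ', $caps ) ) );
    }
    foreach ( $report['users'] as $login => $info ) {
        $lines[] = sprintf( 'user %s (%s) direct: [%s] effective: [%s]',
            esc_html( $login ),
            esc_html( implode( ', ', $info['roles'] ) ),
            esc_html( implode( ', ', $info['direct'] ) ),
            esc_html( implode( ', ', $info['effective'] ) )
        );
    }
    return implode( "\n", $lines );
}
```

A non-empty 'direct' list is the finding to chase first: a capability granted straight to an account does not appear in any role editor and survives every role change made through the UI.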
Multisite Role Considerations
Site-Specific Roles
Users can have different roles on different sites:
// User 123 on Site 1: Editor
// User 123 on Site 2: Author
// User 123 on Site 3: No access
// Add user to specific site with role
add_user_to_blog(2, 123, 'editor'); // Site 2, User 123, Editor role
// Remove user from site
remove_user_from_blog(123, 2);
// Check user role on specific site
$user = new WP_User(123, '', 2); // Site ID 2
if ($user->has_cap('edit_posts')) {
    // User can edit posts on Site 2
}
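The per-site WP_User constructor shown above generalizes to a network-wide review of a single account. The code below is an added example, not code from the original page: it walks every site the user belongs to with get_blogs_of_user() and reports the role held on each, plus the network-wide Super Admin flag. The function names are assumptions.

```php
<?php
// Added example (not from the original page): enumerate a user's role on
// every site of the network. Function names are assumptions.

function demo_user_roles_across_network( $user_id ) {
    $result = array(
        'super_admin' => is_super_admin( $user_id ), // network-wide, not per site
        'sites'       => array(),
    );
    if ( ! is_multisite() ) {
        return $result;
    }

    // get_blogs_of_user() lists the sites on which the user has a capabilities
    // entry; a site the user was never added to does not appear at all.
    foreach ( get_blogs_of_user( $user_id ) as $site_id => $site ) {
        // The third constructor argument makes the object load that site's
        // capability user meta instead of the current site's.
        $site_user = new WP_User( $user_id, '', $site_id );

        $result['sites'][ $site_id ] = array(
            'url'        => $site->siteurl,
            // Empty when the user belongs to the site but holds no role there.
            'roles'      => $site_user->roles,
            // has_cap() on this object evaluates against that site's roles.
            'edit_posts' => $site_user->has_cap( 'edit_posts' ),
        );
    }
    return $result;
}

// Review helper: the site IDs on which this user is an Administrator, for
// comparing against the list they are supposed to administer.
function demo_sites_where_admin( $user_id ) {
    $data  = demo_user_roles_across_network( $user_id );
    $admin = array();
    foreach ( $data['sites'] as $site_id => $info ) {
        if ( in_array( 'administrator', $info['roles'], true ) ) {
            $admin[] = $site_id;
        }
    }
    return $admin;
}
```

Note that a Super Admin passes has_cap() on every site regardless of the per-site role, which is why the flag is reported separately from the per-site roles.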
Network-Wide Capabilities
Super Admin capabilities work across all sites in network.
Troubleshooting Role Issues
User Can't Perform Expected Action
Debug user capabilities:
// Show all capabilities for current user
$user = wp_get_current_user();
echo '<pre>';
print_r($user->allcaps);
echo '</pre>';
Role Changes Don't Take Effect
Solutions:
- Clear caches (browser, object cache, page cache)
- Log out and log back in
- Check for role override plugins
Capabilities Missing After Plugin Deactivation
Some plugins add capabilities that persist. Remove manually:
// Remove custom capabilities
$role = get_role('editor');
if ($role) { // get_role() returns null if the role does not exist
    $role->remove_cap('custom_plugin_capability'); // Name of the leftover capability
}
Next Steps
- Adding & Removing Users - User management workflows
- WordPress User Management - Overview and best practices
- WordPress Codex: Roles and Capabilities