While it may have started as a blogging platform, WordPress has long since morphed into a full-functioning content management system. Part of what makes it full-functioning is a robust system of WordPress roles and capabilities that help you control exactly what registered users can do at your site.
Whether you’re working with a team of authors or creating some type of site that accepts public registration, understanding WordPress roles and capabilities is essential if you plan to give anyone else the ability to register at your site.
To help you learn how to make WordPress roles and capabilities work for you, I’m going to cover three topics in this post:
- A deeper explanation of what roles and capabilities are, and how they connect
- How to create your own WordPress roles and/or edit existing roles
- A real-life use case of how a “typical” WordPress site might implement roles and capabilities for content publishing
While it’s a dry topic, I’ll try to make things as helpful and actionable as possible. Let’s dig in…
What Are WordPress Roles and Capabilities? Explained in More Detail
Before talking about what roles are, let’s start with capabilities. You’ll see why in a second.
A capability is a specific action/permission at your WordPress site. Think of it as something that a user can “do” or “see”.
Examples of capabilities are:
- Installing a plugin
- Creating a new post
- Publishing a post
- Editing someone else’s post
- Changing a WordPress theme
- Viewing private posts
Each action/permission is a unique capability. As you can imagine, there are hundreds of capabilities that might be associated with your WordPress site.
To control which capabilities a user has access to, you can use roles.
A role is basically a collection of capabilities that you can easily assign to a user. Every user account at your site is assigned a role, and that role controls the capabilities that each user has.
For example, one role might give a user fifteen different capabilities, while another might only give a user two or three capabilities.
You can edit a user’s role from the Users tab in your WordPress dashboard:
You can also set the default WordPress role for new users by going to Settings → General.
How Do Roles and Capabilities Help You?
Let’s say you have a third-party author at your site.
You want that person to be able to create new content in the WordPress editor because it’s a pain to have to manually input the content yourself.
But at the same time, you probably don’t want them to be able to install new plugins or change your site’s theme, right? Even if you completely trust them, you still don’t want them being able to change that stuff because they might accidentally break something.
Roles and capabilities let you give that person only the very specific permissions they need to do their job…and nothing else.
Not only does this help you keep your site functioning smoothly, but it also helps you implement a security approach known as the principle of least privilege.
WordPress Comes With Its Own Set of Roles and Capabilities
By default, single site WordPress installs come with 5 roles and a range of capabilities for core WordPress actions and permissions. Those roles are:
- Administrator – this is the default role assigned to you when you create a WordPress site. Administrators can perform all actions, including installing new themes and plugins.
- Editor – can edit all posts/pages but cannot work with plugins, themes, etc.
- Author – can create, edit, and publish their own posts, but cannot edit other people’s content.
- Contributor – can create their own content, but cannot publish it or upload their own media files.
- Subscriber – can manage their profile information, but cannot perform any other actions. This is the role for new user accounts by default, though you can change that.
You can view all the default capabilities, as well as see which capabilities are accessible to each default role, in the capability vs role table at WordPress.org.
If you’re running a WordPress Multisite network, WordPress adds a sixth default role – Super Admin. Super admins also get new capabilities to access all the network settings and edit individual network sites.
Plugins Can Add Their Own Roles and Capabilities
Depending on the plugins that you use, you’ll probably have additional actions that users can take. For example, if you use WooCommerce to create an eCommerce dropshipping store with WordPress, you’ll have tons of new permissions related to your site’s eCommerce functionality.
To handle such situations, many plugins will create their own roles and/or capabilities.
For example, WooCommerce adds two new user roles:
- Customer – the default role for shoppers. They can manage their past/present orders and edit account information, but that’s it.
- Shop Manager – this role lets people manage your store without requiring you to give them admin access.
WooCommerce also adds new capabilities for actions like editing WooCommerce settings and viewing WooCommerce reports.
Many other plugins perform something similar. For example, an event calendar plugin might give you new capabilities to control who has the ability to create new events or edit existing events.
Finally, you can also create your own WordPress roles and capabilities, which brings me to the next section of this post…
How to Create Your Own WordPress Roles and Capabilities
While the default WordPress roles are helpful, you might prefer to set up your own system of roles that perfectly matches your site’s workflows.
For example, a lot of webmasters like the “Contributor” role because it doesn’t let people publish new content. But at the same time, contributors cannot upload their own media files, which can be overly restrictive. To fix that, you could create your own role that mimics the contributor role, but with the added ability for those users to upload their own files.
There are two ways that you can create your own system of WordPress roles and capabilities:
- With a plugin – I like the free User Role Editor plugin.
- Manually with your own code – it’s surprisingly simple.
I’ll cover both…
How to Use the User Role Editor Plugin
My preferred method for working with WordPress roles and capabilities is the free User Role Editor plugin at WordPress.org.
It gives you a visual interface where you can edit the capabilities for existing WordPress roles and/or create your own roles and grant them a unique set of capabilities.
Once you install and activate the plugin, you can go to Users → User Role Editor to get started.
There, you’ll see a list of capabilities, along with filters on the side to help you find specific capabilities. To add or remove a capability for your chosen user role, you just need to check (or uncheck) the box.
To control which user role you’re working with, you can use the drop-down at the top to select from existing roles or click the Add Role button on the right to create your own custom role:
Another helpful thing the User Role Editor plugin lets you do is to assign multiple user roles to a single user and/or to assign specific capabilities directly to an individual user (rather than granting them via a role).
You’ll be able to take advantage of these features when you edit a user’s profile:
How to Manually Create WordPress User Roles and Define Capabilities
If you’re more of a DIY-type, you can also create your own user roles and define capabilities using a relatively simple code snippet.
You’ll want to add this code snippet to your child theme’s functions.php file or to a plugin like Code Snippets.
$result = add_role( 'example', __(
'edit_posts' => true, // Gives users the ability to edit their own posts
'create_posts' => true, // Gives users the ability to create their own posts
To add additional capabilities, you can add new lines to the array. You can find a full list of all the default capabilities here, and usually plugin developers include lists of their plugins’ capabilities in the support documentation.
An Easy Way to Test User Roles
Once you’ve created your custom user roles and capabilities via one of the methods above, you’ll probably want to test them to make sure the capabilities are functioning as you intended.
The easiest way to do this is to create different accounts with various user roles and log in to each account to see what that account can do.
To save some time here, there’s a really neat free plugin named User Switching that lets you seamlessly switch between different user accounts right from your WordPress dashboard without needing to keep logging in and out.
An Example WordPress User Access Permission System in Action
At this point, everything I’ve talked about has been fairly theoretical. To finish out this post, let’s talk about how you might actually go about implementing WordPress user roles and capabilities on a typical website.
Let’s say you have a team of:
- Developers, who need full access to work with plugins and themes.
- Contributors who create content.
- Editors/management who need to approve all content before it goes on the public site.
For developers, you could give trusted developers admin access, though you’ll still want to limit admin access as much as possible.
For content contributors, you might be tempted to give them the Author user role. However, by default authors have the capability to publish their own content, which isn’t great because you don’t want contributors to be able to bypass the review process.
To fix this, you could either create a custom user role, or simply edit the default Author user role and remove the capabilities for:
Contributors will still be able to create new content and upload images – they’ll just need to submit that content for review before it’s published on the live website.
Finally, to let your editors/managers review that content without giving them full administrator access, you could create Editor role accounts for them.
With an Editor account, they’d be able to publish pending content and edit contributors’ content, but they wouldn’t be able to install plugins, change your theme, or perform any other actions that might “break” your website.
Recapping WordPress Roles and Capabilities
WordPress roles and capabilities help you control what actions each user can perform at your site.
If you allow public registration, understanding roles and capabilities is important to ensure that each user can perform the actions they need…but nothing more.
WordPress ships with its own system of roles and capabilities by default, and many WordPress plugins will also add their own roles and capabilities. If you still need more flexibility, you can also create your own custom roles and capabilities as needed using a plugin or your own code.
Do you have any further questions about working with WordPress roles and capabilities? Leave a comment and let us know!