WordPress has a user role system which defines what a user can and cannot do on your website. Understanding these user roles and their capabilities is essential as your WordPress site and team grow.
When giving people access to your website, it’s important to maintain full control, while still allowing your team members and contractors to do their jobs effectively. By assigning your team relevant user roles, you ensure that no one is given more “power” than they need. This also helps make your website more secure.
In this article, we’ll look at the different user roles that WordPress and WooCommerce give you access to, what these user roles mean, and other best practices for website security.
WordPress User Roles and Capabilities
At a simple level, user roles are just a collection of different actions (called capabilities) that a user with an assigned role is allowed to perform.
For example, the ability to publish a WordPress blog post is one “capability”, while the ability to install a new plugin is another “capability”.
The default WordPress user roles
Out of the box, WordPress includes five different user roles. It is important to understand each role and the level of access a role gives a user, if you want to protect your site and ensure your team works more effectively. If you don’t know how to add a new user, you can find out how in this post “How To Add A New WordPress User.”
Let’s take a look at each of these roles and see what the WordPress dashboard looks like from the perspective of each role.
1. Administrator
As the website owner, this is the role assigned to you by your web developer, or the default user role when you created your website. The administrator is at the very top of the hierarchy and they are able to access all the functions of the WordPress back-end.
(If you’re running a Multisite installation, there is an additional user role called ‘Super Admin’, which is not discussed in this article.)
Administrators are able to do everything. This user role can:
- Create, edit, and delete any content
- Add, edit and delete user accounts
- Manage plugins and themes
- Customise theme design and layout
- Add code
An Administrator is the most powerful user role and should rarely be assigned to any other person. If you give someone else this user role, you’re essentially giving them the keys to the castle. So be careful!
2. Editor
As the name of this user role suggests, an editor is generally responsible for managing content and thus has a high level of access. They can create, edit, delete, and publish both pages and posts – even those belonging to other users.
An editor can also:
- Moderate comments
- Manage categories and links
However, they cannot make site-wide changes such as adding plugins and themes or installing updates. Instead, they are responsible for overseeing the work of authors and contributors.
3. Author
Authors have far fewer permissions than editors. They cannot edit pages and are unable to alter other users’ content. In addition, they lack any sort of administrative capabilities.
What they can do is create, edit, delete, and publish their own posts (and upload media files). This makes their role pretty clear – authors are responsible for creating content, and nothing more.
4. Contributor
The contributor role is essentially a stripped-down version of the author role. A contributor is only able to perform three tasks – reading all posts, as well as deleting and editing their own posts. This role is quite limited since it doesn’t enable users to publish posts or upload media files. However, it’s ideal for one-time and new content creators.
5. Subscriber
Subscribers have only one main capability and their WordPress dashboard is usually incredibly bare. They can read all posts on the site (as well as manage their own profiles). Normally, anyone can read posts without being assigned a role, so not all sites will use this option. However, it comes in handy for subscription-based sites, where you want to enable access to content only for certain people.
WooCommerce User Roles and Permissions
When you install the WooCommerce plugin, you’ll gain two additional user roles:
- Customer: Assigned to new customers when they create an account on your website. This role is basically equivalent to that of a normal blog subscriber, but customers can edit their own account information and view past or current orders.
- Shop Manager: This allows the user to run the operations side of your WooCommerce store without the ability to edit back-end functionality like files and code. A manager has the same permissions as a customer, plus they’re also granted the ability to manage all settings within WooCommerce, create/edit products, and access all WooCommerce reports. Important: They ALSO have access to the WordPress editor capabilities mentioned above.
WooCommerce also offers additional capabilities that allow an Administrator to:
- Manage all WooCommerce settings
- Create and edit products
- View WooCommerce reports
When to Use the Shop Manager Role
Assign the Shop Manager role when:
- You want to allow a user to manage orders, issue refunds, and produce reports, without being able to edit plugins, themes, or settings on your site.
- You want to allow a user to view and update orders and products, but not access your user settings (they won’t be able to add/edit user roles and permissions).
When to Use the Administrator Role
There might be instances when you need to give another user an Administrator role on your site.
Examples of admin users:
- Website Developer
- Website Designer
- Social Media Marketing Agency
- Digital Marketing Agency
Typically, people in these roles need access to more extensive WordPress features and settings in order to carry out projects on your website.
You’ll want to be extremely careful with this since Administrator is the most powerful role on your store.
Best Practices for User Permissions
- Only provide users with the access they need. This is important for security, to prevent users from making unapproved changes, and prevent content from being accidentally deleted.
- Limit the number of users that have an Administrator role. Many vendors may request this role, but few actually need such an advanced level of access. Before granting the request, carefully consider the job functions they’ll be performing and see if a lower level of access would be sufficient.
Website Security Best Practices
Adding users to your website requires additional security measures – the more users you have, the more risk you take on.
Regularly Review Roles
Periodically review user roles, especially for Administrators. You may need to assign them a new role or remove their account entirely.
For example, if you stop working with an agency or developer, make sure to remove their account from your website so they no longer have access to it. The same thing applies to other user roles.
No user should have access to your site unless they currently need it.
This is also true for your hosting and domain name accounts. If you gave someone access to your login information and you’re no longer working with them, change your password.
If, at any point, you provided FTP credentials to a developer so that they could manage your website files, make sure to update or delete those credentials entirely. Remember: Website professionals can still get access to your website through your hosting account information or FTP credentials.
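One way to run the periodic role review described above, as an added example rather than code from the original article: it reads a user export from WP-CLI's `wp user list` and compares each assigned role with the lowest default role that covers what the person currently needs. The capability table is a subset of WordPress's defaults, and the sample users and the needs register are constructed and hypothetical.

```python
import csv

# Capabilities each default role adds to the roles below it (subset of WordPress's defaults).
TIERS = [
    ("subscriber", {"read"}),
    ("contributor", {"edit_posts", "delete_posts"}),
    ("author", {"publish_posts", "upload_files"}),
    ("editor", {"edit_others_posts", "edit_pages", "moderate_comments"}),
    ("administrator", {"manage_options", "install_plugins", "edit_users"}),
]
RANK = {role: i for i, (role, _) in enumerate(TIERS)}

def lowest_role(needed):
    """Return the least-privileged default role covering every needed capability."""
    granted = set()
    for role, extra in TIERS:
        granted |= extra
        if set(needed) <= granted:
            return role
    raise ValueError(f"not in the capability table: {sorted(set(needed) - granted)}")

def audit(users_csv, needs):
    """Return (login, assigned roles, advice) for every account that needs attention."""
    findings = []
    for row in csv.DictReader(users_csv.splitlines()):
        login, roles = row["user_login"], row["roles"].split(",")
        if login not in needs:
            findings.append((login, row["roles"], "remove: no current need"))
        elif any(r not in RANK for r in roles):
            findings.append((login, row["roles"], "review manually: non-default role"))
        else:
            assigned, wanted = max(roles, key=RANK.get), lowest_role(needs[login])
            if RANK[assigned] > RANK[wanted]:
                findings.append((login, row["roles"], f"downgrade to {wanted}"))
    return findings

# Constructed sample of: wp user list --fields=user_login,roles --format=csv
SAMPLE_USERS = """user_login,roles
owner,administrator
old-agency,administrator
jane,"author,administrator"
store-ops,shop_manager
"""
# Hypothetical register of the capabilities each current user's job requires.
SAMPLE_NEEDS = {"owner": {"manage_options", "install_plugins"},
                "jane": {"edit_others_posts"}, "store-ops": {"edit_pages"}}

if __name__ == "__main__":
    print(*(" | ".join(f) for f in audit(SAMPLE_USERS, SAMPLE_NEEDS)), sep="\n")
```

Roles added by plugins, such as WooCommerce's Shop Manager, fall outside the five-role table and are reported for manual review rather than ranked.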
Regularly Create Backups of Your Website
Creating regular backups of your website and online store is extremely important, not only for security but for peace of mind.
If a user ends up making unapproved changes to your site or if your site becomes compromised, it’s imperative to have a copy on hand so you can restore it to its original state.
It’s important not to rely on the free backups that your web hosting provider includes. You should have full control over your files and backups, as many hosts only keep backups for 48 hours. You may also want to keep backups independent of any accounts you may have shared access to.
To find out how to back up your website, see our post on this topic.
How to apply user roles effectively on your website
Understanding the various user roles is important, but so is knowing how to apply them correctly. Every site is a little different, but here are a few tips for making the best use of this feature:
Give each user only the level of access they need. This is key for security, so no one can make unapproved changes or delete content accidentally.
Needless to say, never EVER give your admin user login to someone else. Always create a new user account for each person you allow access to your website, so you can change their access level later if needed, or remove them.
The Author role can be assigned to regular content creators who have proven themselves, and new or one-time writers can simply be given the contributor role.
And always remember – when in doubt, it’s better to assign too few permissions than too many.
Conclusion
The key to managing an effective team is clearly defining each person’s role and responsibilities. Fortunately, WordPress offers a built-in way to do this. Through careful use of WordPress user roles, you can enhance security and efficiency on your site.