What Are User Permissions in WordPress? A WordPress Expert‘s Guide

As a webmaster with over 15 years of experience, I‘ve seen hundreds of WordPress sites get hacked due to improper user permissions.

But setting up users and roles the right way can secure your site and prevent catastrophe. This comprehensive guide will explain WordPress permissions so you can safely manage your site‘s users.

Why User Permissions Are Crucial for Security

WordPress powers over 41% of all websites, with millions of sites getting created every day.

With so many WordPress sites out there, hackers are always looking for vulnerabilities. One common target is improper user permissions.

See, WordPress sites have many powerful capabilities like installing plugins, deleting content, and modifying settings. If the wrong person gains access, they can do serious damage.

That‘s why managing users and roles is so important. You want to limit access to only what is needed for each person‘s work.

Proper permissions improve security and prevent unintended mistakes. For example, giving an author access to install random plugins is very risky. But if authors can only publish posts, the site stays much more secure.

Understanding WordPress User Roles

WordPress comes with five default user roles. Each role has specific permissions attached to it:


As the name suggests, administrators have full control over the website. Here are some of their unlimited powers:

  • Install, customize, and delete plugins/themes
  • Add, edit, and remove users
  • Access and change all site content and settings
  • And lots more

With great power comes great responsibility. You should limit admin accounts to only people who truly need it like site owners or managers. Having too many admin users is a security risk.


Editors primarily manage and edit content. They can:

  • Create, edit, publish, and delete all posts, pages, etc.
  • Moderate and manage comments
  • Upload and edit media like images
  • View and access all areas of the site

However, editors can‘t change site settings or install plugins. Those advanced permissions are reserved for admins.


Authors can write and manage their own content. Their permissions include:

  • Create, edit, publish, and delete their own posts
  • Upload files like images for their content
  • View and respond to comments on their posts

Authors cannot edit or delete content created by others. Nor can they modify site settings.


Contributors can write their own content, but not necessarily publish it. For example, they may submit blog posts for review and approval before publication. Here are their permissions:

  • Create and edit their own posts (but not publish)
  • Upload files and images for their posts
  • View and comment on the site like a normal viewer

Contributors cannot edit content from others or access restricted admin areas.


Subscribers are basically site viewers. They can:

  • Read and comment on content
  • Manage their user profile and account details

But subscribers cannot create content or access restricted areas of the site.

Creating Custom User Roles

WordPress‘ default roles cover most basic needs. But for some sites, custom roles make more sense.

For example, a magazine site could use these custom roles:

  • Photographer – Uploads and edits images
  • Writer – Writes content but cannot publish
  • Editor – Reviews and publishes content
  • Advertiser – Accesses ad management areas

With plugins like User Role Editor, you can easily create new roles. Just choose the right mix of capabilities for each one.

Some common custom roles include:

  • Translator – Edits but does not publish content
  • Client – Accesses private information
  • Advertiser – Manages ads
  • Podcaster – Manages podcasts

The possibilities are endless. Set up roles that align with your site‘s needs.

Assigning Roles to Users

The final step is assigning appropriate roles to your users:

  • Site owners, managers get the Administrator role.
  • Department leaders receive the Editor role.
  • Content creators get the Author role.
  • Temporary contributors get the Contributor role.
  • Clients, members are granted the Subscriber role.

When adding new users, take care not to grant unnecessary access. Only assign the permissions needed for their work on the site.

You can change user roles at any time through the WordPress Users menu. Adjust as needs change.

With the proper user roles and permissions, you can manage users while keeping your WordPress site secure. Limiting access prevents both security disasters and unintended mistakes.

I hope this guide gives you a solid understanding of setting up user permissions for a WordPress site. Let me know if you have any other questions!

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast love to share some useful tech hacks.