Master WordPress User Roles and Capabilities

When you are running a WordPress website alone, you don’t have to think about user roles. However, in case you need to give other people access to your site, it’s essential that you are aware of what user roles are and how to manage them correctly. 

If you want to be effective as an administrator of your WordPress site(s), you need to know what a user is, how to make new users, and why you need them. The goal of this post is to help you understand the whole picture of WordPress user management and how the entire user role system works. Additionally, we are going to cover some of the ways to modify that role system.

Table of Contents:

• The Basics of WordPress User Roles and Capabilities
• Why WordPress User Roles are Important
• The 6 Predefined WordPress User Roles
• Register New WordPress Users and Assign Roles
  • How to Create Default WordPress User Roles
  • How to Modify Existing User Roles Using a Plugin
  • How to Create Custom WordPress User Roles Using a Plugin
  • How to Create Custom User Roles Manually
• WordPress Default User Capabilities
  • How to Manually Define User Capabilities
  • How to Customize a Specific User’s Capabilities
• How to Test User Roles
• How to Apply User Roles Effectively on Your Website

The Basics of WordPress User Roles and Capabilities

Each account that is able to log into a WordPress site is a “user.” User accounts have permissions to be authors of posts, pages, media, etc. As a WordPress administrator, you have the power to create new users and manage (change) their capabilities whenever you want.

The “capability” is the individual action that a specific user role is allowed to perform. For a deeper look at this concept, you may check the Capability vs. Role Table section at the WordPress Codex.

Additionally, every WordPress user has a “role”, which you have to select while you are creating the new account.

Why WordPress User Roles are Important

A good example to use here is having a third-party content creator on your website. For that user, you would want to have certain capabilities like content creation available, but perhaps limit their access to just that. You don’t want such users to have the option to install plugins, change themes, or maybe even publish their own posts. 

Managing WordPress roles and capabilities lets you give a user only the very specific permissions they need to do their job. This helps your site run smoothly, additionally making it more secure by using the approach known as the principle of least privilege.

The Administrator role is the most powerful one on a single WordPress website. Giving that role to someone that only needs publishing and editing capabilities is unnecessary and not optimal in terms of security. When it comes to regular publishing tasks, an Editor role is more than fitting. What’s more, if the user only needs to write and publish posts, the Author role is just the right choice for them. The Administrator role is needed only when you need to do what other roles can’t, namely, install (or uninstall) plugins or themes, change themes, create new users, etc. The principle of least privilege exists for a reason – maximum security.

The 6 Predefined WordPress User Roles

The list of default user roles and capabilities is available on the WordPress Codex. Out of the box, WordPress comes with six roles:

• Super Administrator. This is a role that exists only for multi-site networks. It’s a more powerful version than an Administrator. The super admin has the capability to change and control all WordPress sites in the multi-site network, as well as decide who has all the specific types of access to each one of those websites.
• Administrator. This is the user role every WordPress site owner uses when logging into their website. It’s the first user role that the CMS makes by default. The Administrator is the most powerful role when it comes to a single WordPress site. WordPress Admins stand at the top of the pyramid, and if there is something they cannot do, then no other users can.
• Editor. The user role just beneath Administrator is Editor. If you are an editor of a WordPress site, you will be able to work with posts, pages, and media and manage them in every way possible. However, you don’t have the capability to make new users, add themes and plugins, or change anything that affects the website’s functionality.
• Author. Right below the Editor is the Author. This role is limited to changing only their own posts and media. WordPress Authors don’t have the capability to change content that was created by other users.
• Contributor. Contributors can only edit their posts, delete their unpublished posts, and read the site. They don’t have publishing capabilities.
• Subscriber. This role is meant for people that you just want to have an account on your WordPress site. They have only a single capability – to read your website the same way someone without an account can.

Of course, WordPress being awesome, does not limit us to use only its default roles and capabilities. As a WordPress user or developer, you may change the default roles and capabilities, as well as create new specific ones. In general, you can get a whole lot more than what’s offered out of the box from the WordPress user management system.

Register New WordPress Users and Assign Roles

How to Create Default WordPress User Roles

To register a new user with a default WordPress role, you just need to go to User → Add New in your WordPress Admin sidebar:

How to Modify Existing User Roles Using a Plugin

Default WordPress user roles are made to cover most of the capabilities needed when running a website. However, you can choose to modify those default roles, giving them specific capabilities.

The Author is one of the roles you may not like in its default version. Yes, authors are perhaps a trustworthy person, but having the capability to delete their own posts can be quite risky.

There is a way to modify an existing role. For example, you can remove the post deleting capability for the authors. As you know, there’s a WordPress plugin for just about anything you can think up, and user roles are no exception. There’s an easy way to do that:

• Start by installing and activating the PublishPress Capabilities plugin:

• After you have activated the plugin, click on Edit Roles in order to modify user roles:

• Select the user role that you wish to edit. You can do that from the top box in the right column:

• Click the Load button.
• This will load users capabilities in the boxes on the left:

• Uncheck the capabilities that you want to remove from that user role, or add some if you think it’s necessary.

How to Create Custom WordPress User Roles Using a Plugin

Using the same PublishPress Capabilities plugin, you are able to create your custom WordPress user roles with their specific capabilities.

After you have the plugin installed and activated, go to Users → Capabilities and enter your desired user role under Create New Role:

A common role that blogs and websites need is the Comment Moderator.

As you can see from the screenshot above, you can also use the plugin to copy another role with its capabilities, rename an existing role, as well as create custom capabilities. 

How to Create Custom User Roles Manually 

In case you are a DIY type and don’t want to put your trust in plugins, you can create custom user roles with their specific capabilities manually. 

In order to manage roles and capabilities effectively, there are five very straightforward functions:

• add_role(): Enables you to add a custom role.
• remove_role(): Enables you to remove a custom role.
• add_cap(): Enables you to add a custom capability to a role.
• remove_cap(): Enables you to remove a custom capability from a role.
• get_role(): Gets information about a role as well as the capabilities associated with the role.

For this article, we are going to create a custom user role using the add_role function. There are three parameters:

• A slug-like name for the role (e.g., ‘comment_moderator’);
• A display name for the role (Comment Moderator)
• List of the capabilities you want the type of user to have;

Here’s an example of how such PHP lines of code should look like:

add_action('init', 'wps_add_roles');
function wps_add_roles() {
    add_role( 
        'comment_moderator',
        __('Commment Moderator'), 
        array( 
            'read' => true,
            'edit_posts' => true,  
            'edit_other_posts' => true,
            'edit_published_posts' => true,
            'moderate_comments' => true
        )
    );
}

Again, the role only gets its necessary capabilities – moderating comments, editing posts (own posts, other users’ posts, and published posts), and reading the website.

New roles are being stored in the database and reloaded from there by WordPress when needed. You can have them created right when your plugin is activated. It should not break anything if you have the roles hooked to the init action, but does not perform as well. 

WordPress Default User Capabilities

There are two types of WordPress user capabilities, both of them distinctive from one another:

• Meta Capabilities – depend on the context. Example: a user can edit a post if she’s the post author (edit_post meta capability)
• Primitive Capabilities – don’t depend on the context. Example: a user has the capability to edit posts created by other users (edit_other_posts primitive capability)

WordPress automatically translates meta capabilities into one or multiple primitive capabilities for regular posts. That said, when using post types, you need to manually map meta capabilities to primitive capabilities.

See the WordPress Codex for a thorough list of its built-in capabilities.

How to Manually Define User Capabilities 

In PHP, WordPress roles are objects that you use and modify. A WordPress role is accessible in one of two ways: via the global variable $wp_roles, or by using an accessor function – get_role.

Let’s say you want to add the capability for editors to remove users. Here is how you do it via the global variable $wp_roles:

function wps_editor_can_remove_users(){
    global $wp_roles;
    $wp_roles->add_cap( 'editor', 'remove_users' );
}
And here is the get_role option:
function wps_editor_can_remove_users() {
    $editor = get_role( 'editor' );
    $editor->add_cap( 'remove_users' );
}

In the second example, the fetch of a role (‘editor’) takes care of the ‘editor’ parameter on the add_cap method call. You can call both methods directly in your plugin or theme’s functions.php file.

How to Customize a Specific User’s Capabilities

Here, we will be a bit more specific by narrowing down the capabilities for a specific user, and not to the entire user role. If you want to be in full control of your website and keep things strict, changing the capabilities for specific users is recommended. This method is better if you want to be more flexible with your user roles in general. Sometimes you may want to add or remove capabilities when it comes to a specific user, knowing that you will not do that for anyone else in that same user role. 

To change a specific user’s capabilities, you can use the methods add_cap and remove_cap on the said user. Here is an example:

add_action( 'init', 'wps_david_cant_edit' );
function wps_david_cant_edit() {
    $user_id = 13; // The ID of the user
    $user = new WP_User( $user_id );
    $user->remove_cap( 'edit_posts' );
}

This is an override on a specific user after the general capabilities of the user role have been loaded.

How to Test User Roles

After you have created your own custom WordPress user roles and capabilities by using the methods in this post, you will perhaps want to test things out. Making sure that everything works well for all users is a part of your job as a WordPress administrator. 

The easiest method for testing your custom user roles and capabilities is by creating multiple different accounts with various user roles, After you do that, log into each one of those accounts to check if all their capabilities are working correctly.

If you wish to save some time, consider using the free plugin User Switching. It lets you switch between user accounts quickly, and you can do that without having to log in and out for each user account you are testing. The plugin is conveniently available in the official WordPress plugin repository.

How to Apply User Roles Effectively on Your Website

It’s important to understand user roles, but it’s just as important to know how to apply them properly.

We are aware that every WordPress site is different, but here are some general tips for making the best of the user roles system:

• Give users only the needed capabilities. This is mandatory when you want your site and its content to be secure, ensuring that no user can make unapproved changes.
• Keep the number of privileged users as limited as possible. If you can, stick with a single Administrator (you) and a few editors. Give the Author role to users that have proven themselves trustworthy, and save the Contributor role for newbie content creators.
• Use plugins to customize user roles. The default system is effective, but user role plugins help you create your own specialized user roles, alter the existing ones, and more.

Remember that it’s better for you and your WordPress site to assign too few permissions than too many.

Conclusion

The WordPress user system is the way to deal with power over your WordPress site. When you assign every user to their fitting role with specifically limited capabilities, you have full control and a sense of security that nothing can go wrong content-wise.

Initially, the whole WordPress user roles and capabilities system can be a bit hard to understand and seem too complex. However, after you understand the key concept behind the user management system you will definitely become a master of managing websites and decide who gets to do what. The WordPress user management system gives you exceptional flexibility and is just another thing that makes WordPress great.