WordPress uses a role-based permission system to control what users can see and change. Understanding how this system works helps you collaborate safely without exposing your site to unnecessary risk.
Before You Start
- You should have administrator access to view user roles.
- No user changes are required for this tutorial.
- This guide focuses on access control, not team management strategy.
What WordPress Roles Do
Each WordPress user is assigned a role. The role determines what actions the user can perform in the admin area.
Roles are cumulative, meaning higher roles include all permissions of lower roles.
Default WordPress Roles Explained
Administrator
Administrators have full control over the site.
- Manage settings
- Install and remove plugins and themes
- Manage users
This role should be assigned sparingly.
Editor
Editors can manage content created by all users.
- Create, edit, publish, and delete posts and pages
- Manage categories and tags
Editors cannot change site-wide configuration.
Author
Authors manage their own content only.
- Create and publish their own posts
- Edit or delete their own content
Contributor
Contributors can write content but cannot publish it.
- Create drafts
- Submit content for review
Subscriber
Subscribers have minimal access.
- Manage their own profile
- View restricted content if applicable
Why Fewer Permissions Are Safer
Granting more permissions than necessary increases the chance of:
- Accidental setting changes
- Unintended plugin or theme modifications
- Security exposure
Most site tasks do not require administrator access.
Adding and Editing Users
Users can be added from the Users section of the admin menu.
When creating or editing a user:
- Choose the lowest role that fits the task
- Review role assignments periodically
- Remove users who no longer need access
Access creep over time is common and often unnoticed.
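One way to carry out the periodic review described above, as an added example that is not part of the original tutorial: the script compares a user export against a roster of the lowest role each person needs and reports accounts to downgrade, remove, or check by hand. It assumes a CSV with user_login and roles columns (the shape that WP-CLI's `wp user list --fields=user_login,roles --format=csv` produces); the roster, the sample accounts and the custom role shop_manager are constructed for illustration.

```python
import csv
import io

# Default roles, lowest to highest, following the cumulative ordering in this tutorial.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample export (columns: user_login, roles).
SAMPLE_EXPORT = '''user_login,roles
alice,administrator
bob,administrator
carol,author
dave,"editor,shop_manager"
erin,subscriber
'''

# Constructed roster: the lowest role each person needs for their tasks.
SAMPLE_ROSTER = {"alice": "administrator", "bob": "editor",
                 "carol": "editor", "dave": "editor"}


def review_access(users_csv, roster):
    """Return (login, finding) pairs for accounts that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["user_login"]
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        unknown = [r for r in roles if r not in ROLE_RANK]
        if login not in roster:
            # Nobody has confirmed this account is still needed.
            findings.append((login, "not on roster"))
        elif unknown or not roles:
            # Custom or missing roles cannot be ranked; check them by hand.
            detail = ", ".join(unknown) or "none"
            findings.append((login, f"unrecognized role(s): {detail}"))
        else:
            held = max(roles, key=ROLE_RANK.get)
            if ROLE_RANK[held] > ROLE_RANK[roster[login]]:
                findings.append((login, f"has {held}, needs only {roster[login]}"))
    return findings


if __name__ == "__main__":
    for login, finding in review_access(SAMPLE_EXPORT, SAMPLE_ROSTER):
        print(f"{login}: {finding}")
```

An account that holds a lower role than the roster allows (carol in the sample) is not reported, since it already has less access than approved.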
User Profiles vs Site Settings
Each user has a personal profile that controls:
- Display name
- Email address
- Password
Profile changes affect only the individual user, not the site configuration.
Verify Your Understanding
- You understand what each default role allows.
- You know why administrator access should be limited.
- You recognize the difference between user profiles and site settings.
Common Issues
- Assigning administrator roles unnecessarily: Increases risk.
- Never reviewing user access: Leaves unused accounts active.
- Confusing roles with trust: Roles control capability, not intent.
Related Tutorials / Next Steps
- Common Admin Mistakes
- WordPress Security Fundamentals
Clear role management protects both the site and the people working on it. Good access control is a stability practice, not a restriction.