How to use WordPress user roles for improved WordPress security

As a content management system, WordPress has a set of user roles. In essence, these WordPress user roles define the capabilities (permissions to carry out specific website tasks) of each individual user on your website.

As your site grows, it’s essential to understand those roles and capabilities to ensure the continued security of your website, since assigning the wrong user roles could lead to disastrous consequences.

In this article, we’ll outline what user roles are (including custom roles), so you’ll know how to assign them correctly. We’ll also cover how to use WordPress plugins to manage and monitor the activity of your WordPress users.

The basics of WordPress user roles

The type of access you have to a WordPress site is determined by what role you have and therefore, the capabilities you’re given.

  • A ‘role’ is a pre-defined group of capabilities. Each user is assigned a role, which determines what capabilities they have.
  • ‘Capabilities’ are what that user role can do (publish posts, change settings, etc.).

For example, an Editor is a user role that has capabilities such as moderating comments, publishing content, and creating new content, to name a few. On a larger news or blog website, it’s normal to have several Editors, each in charge of their respective topic sections.

While some plugins add in customized WordPress user roles (we’ll get on to this shortly), there are six default user roles with every standard WordPress site. They are as follows:

  • Super Administrator
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

Understanding the WordPress user role capability hierarchy

It’s important to understand that the structure of roles is hierarchical. Each user role has the capabilities of the position(s) beneath it, with the addition of some role-specific capabilities.

For instance, let’s look at the bottom of the user role pyramid, the Subscriber. A Subscriber role has only the ‘read’ capability attached to it (which means they can only read posts on your site).

Let’s progress to the next level of user role, Contributor. This role has the ‘read’ capability but also has the ‘edit_posts’ and ‘delete_posts’ capabilities. This means that they’re able to edit and delete their own posts.

The Author user role has the capabilities of both Subscriber and Contributor with the following assigned additional privileges:

  • delete_published_posts
  • publish_posts
  • upload_files
  • edit_published_posts

As you can see, the capabilities increase the further up the user role structure you move, with Super Administrator having the highest set of privileges. So let’s look at each role in slightly more detail, in descending order.

WordPress Super Administrator role

Super Administrator is the highest-level WordPress user role and therefore has all available capabilities. The difference between a Super Administrator and an Administrator is that a Super Administrator’s capabilities apply across the sites within a WordPress multisite network.

For clarity, here’s the difference between different WordPress sites/networks:

  • WordPress multisite network – a type of WordPress installation that allows you to create and manage a network of multiple websites from a single WordPress dashboard.
  • A WordPress site on a multisite network (child site) – a WordPress site within your multisite network. This child site shares the plugins and theme of other sites on the network but can have its own child theme.
  • A standalone WordPress site – a standalone site is your normal WordPress install. It has its own unique set of plugins, settings and themes.

A Super Administrator (only found on multisite networks) can create and manage sub-sites, create and manage network users, install and remove themes and plugins, and enable them right across the network.

For instance, let’s say you operate a network of three ecommerce stores that each focus on a specific consumer segment – men’s, women’s, and children’s clothing. A Super Administrator would be able to make changes that reflect on all three of those sites, such as updating or configuring the WooCommerce plugin.

WordPress Administrator role

Much like Super Administrators, Administrators have all capabilities. However, those permissions are limited to the scope of one website. Those capabilities include, but are not limited to, the following:

  • Install and uninstall, activate and deactivate, edit and update any WordPress plugin.
  • Create new content, read, modify, and delete existing content. For example, WordPress pages and blog posts created by any other user. This includes unpublished, private, and password-protected materials.
  • Create new users, modify and delete existing users.
  • Install, activate, and deactivate WordPress themes.
  • Modify WordPress theme files.
  • Create new, modify, or delete existing Categories.
  • Create new, modify, or delete existing WordPress menus.
  • Upload files to WordPress.
  • Post HTML markup and JavaScript code in pages, posts, and comments (unfiltered HTML).
  • Moderate comments.

Remember, these capabilities are the same as the Super Administrator. However, a Super Administrator has these privileges spread across multiple sites within a WordPress network.

WordPress Editor role

The Editor user role is the level of the structure at which capabilities become restricted. The Editor role is focused on content, as in a traditional publication setting. Editors have no permissions that involve the configuration, setup, functionality, or design of your WordPress website.

Their capabilities include:

  • Moderate comments.
  • Create new content such as blog posts and WordPress pages.
  • Read, modify, and delete existing content such as WordPress pages and blog posts created by any other user. This also includes unpublished, private, and password-protected materials.

WordPress Author role

From Author down, the capabilities of WordPress user roles become much more restricted. An individual designated an Author user role only has access to their blog posts and profile.

So, they can publish their blog posts, modify their own existing blog posts, and modify their user profile.

WordPress Contributor role

Similar to the Author user role, Contributors can write blog posts. However, WordPress contributors cannot publish their own blog posts. All blog posts written by a WordPress Contributor need to be approved and published by either a WordPress Editor or Administrator.

WordPress Subscriber role

This is the default role issued to anyone who registers for an account on a WordPress website. A Subscriber can only read content and does not have access to modify any type of content on a WordPress site. They can modify only their own profile information.

WordPress custom user roles

The WordPress user roles described above are the default ‘out of the box’ roles provided in a standard WordPress site. In some instances, WordPress plugins install their own customized user roles, with specific capabilities attached to perform that role.

For instance, those of you using WooCommerce will notice a Store Manager user role. Likewise, the SEO plugin Yoast introduces SEO Editor and SEO Manager user roles complete with their own distinct WordPress permissions.

Creating custom WordPress user roles may be something of interest to you if the preexisting roles don’t quite fit your desired purposes. For example, you may run a membership site that requires you to give Subscribers many more privileges than mere reading capabilities. If that’s the case, WordPress plugins such as User Role Editor allow you to customize permissions within each role to meet your specific business needs better.

How to use WordPress user roles to improve security

WordPress user roles have a significant part to play in the overall security of your website. The simple act of assigning too many capabilities to the wrong person can have potentially disastrous consequences. With that in mind, you must get your user role assignments right.

Assign the right role to the right person

Just as in any traditional business, you don’t hand out the same rights and responsibilities to your bottom-rung employees or outside contractors as you do the business owner.

For instance, on a WordPress site, web developers need Administrator-level access to make necessary changes to the back-end website functions. However, they should have their own specific user login, which you remain in control of.

The same is true of Authors and Contributors if you run a blog, or Store and Product Managers if you run an ecommerce store. You need to be in control as the webmaster for several reasons.

For more information on this, our guide on the principle of least privileges is a good place to start.
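To check role assignments against least privilege, the following added example (not Melapress code) lists every role, default or plugin-added, that holds a high-impact capability, along with the accounts assigned to it. The `example_` names, the capability shortlist and the file name are assumptions made for this example; the WordPress functions it calls are core APIs.

```php
<?php
// Added example, not Melapress code. Run inside WordPress, e.g. with WP-CLI:
//   wp eval-file audit-roles.php   (the file name is hypothetical)

// Assumption: this shortlist of capabilities to review is chosen for the example.
const EXAMPLE_HIGH_IMPACT_CAPS = array(
	'install_plugins', 'activate_plugins', 'edit_plugins',
	'edit_themes', 'switch_themes',
	'create_users', 'edit_users', 'delete_users', 'promote_users',
	'manage_options', 'unfiltered_html',
);

// Returns role slug => role name, high-impact capabilities held, assigned logins.
function example_audit_privileged_roles() {
	$report = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		// 'capabilities' maps capability name => bool; keep only granted ones.
		$granted = array_keys( array_filter( $role['capabilities'] ) );
		$risky   = array_values( array_intersect( EXAMPLE_HIGH_IMPACT_CAPS, $granted ) );
		if ( empty( $risky ) ) {
			continue; // e.g. Subscriber, Contributor and Author on a default install
		}
		$users = get_users( array(
			'role'   => $slug,
			'fields' => array( 'ID', 'user_login' ),
		) );
		$report[ $slug ] = array(
			'name'  => $role['name'],
			'caps'  => $risky,
			'users' => wp_list_pluck( $users, 'user_login' ),
		);
	}
	return $report;
}

foreach ( example_audit_privileged_roles() as $slug => $entry ) {
	printf(
		"%s (%s): %d user(s)\n  capabilities: %s\n  logins: %s\n",
		$entry['name'], $slug, count( $entry['users'] ),
		implode( ', ', $entry['caps'] ),
		implode( ', ', $entry['users'] ) ?: '(none)'
	);
}

// Super Administrators are a network-level list, not a role, so report them separately.
if ( is_multisite() ) {
	printf( "Super Administrators: %s\n", implode( ', ', get_super_admins() ) );
}
```

The report covers capabilities granted through roles only; a capability added directly to a single user account does not appear in it. On a multisite network, `get_users()` returns the users of the current site.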

Sharing credentials is a security threat

Lending your WordPress user information to someone else may seem harmless, but it’s anything but secure. Credentials passed over email can be intercepted, and printed versions can just as quickly become compromised.

A 2019 study uncovered that 74% of data breaches were a result of privileged-access credential abuse. Worse, the same report found that up to 65% are sharing root or privileged access to systems (such as WordPress) at least somewhat often.*

One reason the number of data breaches is so high is that shared credentials tend to foster weak passwords. While easy-to-remember passwords save time for WordPress site owners, they present a weakness in your site security, leaving it open to brute force and dictionary attacks.

Lastly, if you give many individuals access to one WordPress user role on your site, you’ll be unable to track who has changed what on your website. With several people having access to one username and password, how will you decipher which individual is responsible for the activities carried out under that user role?

Keep logs of users with different roles

For the reasons outlined above, you need to give each contributor to your WordPress site their own login and user role. It’s then a good idea to use a plugin to monitor the activity of each user, so you can track the work undertaken while increasing site security.

With the WP Activity Log plugin, you can keep an activity log of every single change made by your WordPress users. By installing this plugin, you can store and analyze a comprehensive activity log, receiving real-time alerts when a user is undertaking critical site changes. You can also monitor users in real-time to ensure that they are carrying out their tasks as they should.

These features are especially beneficial if you operate large singular websites with several departments (as is frequently the case in e-commerce), or if you run a multisite network as a Super Administrator. With so many individuals making constant changes, you can use the WP Activity Log plugin to search through activity logs and pinpoint when specific changes were made to a WordPress site (and by whom).
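To show why individual logins matter for accountability, here is an added example (not WP Activity Log code, and not a replacement for it) that records one kind of event, a change to a user's role, using core WordPress hooks. The `example_` function name and the `role-audit` log prefix are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Example role-change log
 * Description: Added example for this article; not WP Activity Log code.
 */

// Writes one JSON line per role change to the PHP error log.
function example_log_role_event( $event, $user_id, array $detail ) {
	$target = get_userdata( $user_id );
	$actor  = wp_get_current_user(); // ID 0 when no one is logged in (WP-CLI, cron)
	$record = array(
		'time'   => gmdate( 'c' ),
		'event'  => $event,
		'target' => $target ? $target->user_login : 'id:' . $user_id,
		'actor'  => $actor->exists() ? $actor->user_login : '(no logged-in user)',
		'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
		'detail' => $detail,
	);
	error_log( 'role-audit ' . wp_json_encode( $record ) );
}

// Fired by WP_User::set_role(), which replaces all of a user's roles.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
	example_log_role_event( 'role_set', $user_id, array(
		'new' => $role,
		'old' => array_values( (array) $old_roles ),
	) );
}, 10, 3 );

// Fired by WP_User::add_role() and WP_User::remove_role().
add_action( 'add_user_role', function ( $user_id, $role ) {
	example_log_role_event( 'role_added', $user_id, array( 'role' => $role ) );
}, 10, 2 );

add_action( 'remove_user_role', function ( $user_id, $role ) {
	example_log_role_event( 'role_removed', $user_id, array( 'role' => $role ) );
}, 10, 2 );
```

The `actor` field identifies a person only when each person has their own account; with a shared login, every entry names the same user.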

Optimizing user roles in WordPress

WordPress user roles have a vital part to play in the organizational structure of your website. To minimize security issues, each user role and their associated capabilities should be carefully assigned. The more your site grows, the more significant user roles become.

In many cases, the sharing of credentials between individuals should be avoided at all costs. While you may be able to supervise a few users, when there are multiple team members designated to each user role, you need software such as the WP Activity Log plugin to track changes made to your site accurately.

Why not get started with WP Activity Log for your WordPress website today?

Bonus tip

Weak passwords are one of the biggest threats to your WordPress site. With so many users on your website, you need to ensure they are all using strong passwords to protect against hackers.

With the Melapress Login Security plugin, you can ensure everyone who has a login to your website uses a secure password. You can also double down on your security arrangements by implementing two-factor authentication for your users with the WP 2FA plugin.

* https://www.forbes.com/sites/louiscolumbus/2019/02/26/74-of-data-breaches-start-with-privileged-credential-abuse/#6c25c92b3ce4


2 thoughts on “How to use WordPress user roles for improved WordPress security”

  1. I’ve found that lots of WordPress sites that have multi-users adding content (posts, pages etc) under the company that they work for all have the same common account (under the company name) so that when published they have the one author e.g. company name. This weakens security. One way round that is to have all users having their own account and use overwrite-author-name (https://wordpress.org/plugins/overwrite-author-name/) to keep the author name associated with the posts/content the same.

