WordPress ships with several built-in user roles and capabilities. On a multi-user WordPress blog or website it is important to give users only the permissions (capabilities) they need, by assigning them to the correct WordPress user role, rather than assigning everyone to the WordPress administrator role.
Single WordPress Administrator Account
A secure WordPress installation should have only one WordPress administrator account; all other users should be assigned to other WordPress user roles. The WordPress administrator account is only to be used for WordPress maintenance and installation changes, such as WordPress and plugin upgrades, installation of themes and plugins, and modification of theme files. The WordPress administrator account should never be used to create blog posts, WordPress pages or any other type of content.
Assigning WordPress User Roles to New WordPress Users
When you create a new WordPress user you have to assign the user to a WordPress role. There are five built-in WordPress roles to choose from: Administrator, Editor, Author, Contributor and Subscriber. These built-in WordPress user roles allow the WordPress owner to control what users can and cannot do within the WordPress blog or website. In this WordPress security tutorial we explain what rights each built-in WordPress role has.
Built-in WordPress User Roles
WordPress Administrator Role
In a normal single-site WordPress installation, users with the Administrator role can do anything possible on a WordPress blog or website. The capabilities (rights) of the WordPress administrator role are summarized below:
- Install and uninstall, activate and deactivate, edit and update WordPress plugins.
- Create new content, read, modify and delete existing content such as WordPress pages and blog posts created by any other user. This also includes private and password protected content.
- Create new users, modify and delete existing users.
- Install, activate and deactivate WordPress themes.
- Modify WordPress theme files.
- Create new, modify or delete existing categories.
- Create new, modify or delete existing WordPress menus.
- Upload files to WordPress.
- Moderate comments.
WordPress Editor Role
As in a typical publishing company, users with the WordPress Editor role have access to all the content and can modify it, but have no rights over the configuration, setup, functionality or appearance of the WordPress blog or website. A summarized list of the WordPress editor privileges follows:
- Moderate comments.
- Create new content such as blog posts and WordPress pages.
- Read, modify and delete existing content such as WordPress pages and blog posts created by any other user. This also includes private and password protected content.
WordPress Author Role
Users with the WordPress Author role only have access to their own blog posts. They can publish their own blog posts, modify their own existing blog posts and edit their own user profile.
WordPress Contributor Role
Like authors, users with the WordPress Contributor role can write their own blog posts, but unlike authors, WordPress contributors cannot publish them. Blog posts written by WordPress contributors must be approved and published by a WordPress editor or administrator.
WordPress Subscriber Role
When a user registers on a WordPress blog or website, he or she is assigned the Subscriber role by default. Subscribers can only read content; apart from their own profile information, they cannot modify any type of content on the WordPress blog or website.
Use WordPress User Roles for a Secure WordPress Installation
Now that you have a good overview of the capabilities users in each WordPress role have, it is time to tighten the security of your WordPress installation and assign users to their appropriate roles. You cannot afford to let users who might have weak passwords or infected computers have administrator access to your WordPress installation.
WP White Security.com Security Tip: When working with third-party contractors, such as theme designers or plugin developers, do not disclose your WordPress administrator password to them. Instead, create a new administrator account for them. Once they are done, delete the account they were using and reset the password of your own WordPress administrator account.
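As an added example (not code from the original article), the following Python script checks an exported WordPress user list against two rules from this tutorial: a single administrator account, and no content authored with it. It also catches a contractor's administrator account that was never deleted. It assumes the JSON shape printed by `wp user list --format=json --fields=ID,user_login,roles` (roles as a comma-separated string, ID as a string) and per-author post counts such as `wp post list --post_author=<ID> --format=count` would give; the sample data below is constructed.

```python
import json

# Constructed sample of what `wp user list --format=json --fields=ID,user_login,roles`
# prints (assumption: WP-CLI emits `roles` as a comma-separated string, ID as a string).
SAMPLE_USERS = json.dumps([
    {"ID": "1", "user_login": "siteadmin", "roles": "administrator"},
    {"ID": "2", "user_login": "designer", "roles": "administrator"},  # contractor's leftover account
    {"ID": "3", "user_login": "jane", "roles": "editor"},
    {"ID": "4", "user_login": "bob", "roles": "author"},
    {"ID": "5", "user_login": "reader", "roles": "subscriber"},
])

# Constructed: number of posts per author ID, as one could collect with
# `wp post list --post_author=<ID> --format=count` (assumption) for each user.
SAMPLE_POST_COUNTS = {"1": 0, "2": 7, "3": 12, "4": 3, "5": 0}


def roles_of(user):
    """Split the WP-CLI roles field into a set; a user can hold more than one role."""
    return {r.strip() for r in str(user.get("roles", "")).split(",") if r.strip()}


def audit_roles(users_json, post_counts, allowed_admins=1):
    """Return (user_login, finding) pairs for every violation of the policy above."""
    users = json.loads(users_json)
    findings = []
    admins = [u for u in users if "administrator" in roles_of(u)]
    # Rule 1: a hardened site keeps a single administrator account.
    if len(admins) > allowed_admins:
        for u in admins:
            findings.append((u["user_login"],
                             f"one of {len(admins)} administrator accounts (policy allows {allowed_admins})"))
    # Rule 2: the administrator account is for maintenance only, never for writing content.
    for u in admins:
        if post_counts.get(str(u["ID"]), 0) > 0:
            findings.append((u["user_login"], "administrator account has authored content"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_roles(SAMPLE_USERS, SAMPLE_POST_COUNTS):
        print(f"{login}: {finding}")
```

On the sample data the script flags both administrator accounts under rule 1 and flags `designer` under rule 2; which extra account to demote (for example with `wp user set-role`) or delete remains a human decision.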