Use WordPress User Roles for Improved WordPress Security

Last updated on February 19th, 2020 by Robert Abela. Filed under WordPress Security

WordPress is shipped with different WordPress users roles and capabilities and in a multi user WordPress blog or website it is important to only give the required permissions, or capabilities  to users by assigning them to the correct WordPress user roles, as opposed to assigning everyone to the WordPress administrator role.

Single WordPress Administrator Account

A secure WordPress installation should only have one WordPress administrator account, all other users should be assigned to other WordPress user roles. The WordPress administrator account is only to be used for WordPress maintenance and installation changes, such as WordPress and plugin upgrades, installations of themes and plugins, modifications of theme files etc. The WordPress administrator account should never be used to generate blog posts, WordPress pages and any other type of content.

Assigning WordPress User Roles to New WordPress Users

When you create a new WordPress user you have to assign the user to a WordPress role. There are five built-in WordPress roles to choose from; Administrator, Editor, Author, Contributor and Subscriber. These built-in WordPress user roles allow the WordPress owner to control what users can and cannot do within the WorPress blog or website. In this WordPress security tutorial we will explain what rights each built-in WordPress role has.

Built-in WordPress User Roles

WordPress Administrator Role

In a normal single website WordPress installation the users with Administrator role have access to do anything possible on a WordPress blog or website. The WordPress administrator role user capabilities / rights are summarized below:

  • Install and uninstall, activate and deactivate, edit and update WordPress plugins.
  • Create new content, read, modify and delete existing content such as WordPress pages and blog posts created by any other user. This also includes private and password protected content.
  • Create new users, modify and delete existing users.
  • Install, activate and de-activate WordPress themes.
  • Modify WordPress themes files.
  • Create new, modify or delete existing Categories.
  • Create new, modify or delete existing WordPress menus.
  • Upload files to WordPress
  • Ability to post HTML markup and JavaScript code in pages, posts and comments (unfiltered HTML)
  • Moderate comments

WordPress Editor Role

Like in a typical publishing company, users in the WordPress editor role have access to all the content and can modify it, but do not have any rights related to the configuration, setup, functionality and looks of the WordPress blog or website. A summarized list of the WordPress editor privileges follows:

  • Moderate comments
  • Create new content such as blog posts and WordPress pages
  • Read, modify and delete existing content such as WordPress pages and blog posts created by any other user. This also includes private and password protected content.

WordPress Author Role

Users with WordPress author roles only have access to their own blog posts. They can publish their own blog posts, modify existing own blog posts and modify their own user profile.

WordPress Contributor Role

Like the WordPress author role, users with contributor role can also write their own blog posts, but unlike authors, WordPress contributors cannot publish their own blog posts. Blog posts written by WordPress contributors need to be approved and published by a WordPress editor or administrator.

WordPress Subscriber Role

When a user registers to a WordPress blog or website, by default he or she is assigned the subscriber role. Users with such roles can only read content and do not have access to modify any type of content on a WordPress blog or website apart from their own profile information.

Use WordPress User Roles for a Secure WordPress Installation

Now that you have a good overview of the capabilities users in each WordPress role will have, it is time to tighten up the security of your WordPress and assign users to their appropriate role. You cannot afford to have users who might have weak passwords or infected computers to have administrator access on your WordPress.

WP White Security Tip: When working with third party contractors, such as theme designers or plugin developers, do not disclose your WordPress administrator password to them. Instead create a new administrator account for them. Once they are ready, delete the account they were using and reset the password of your WordPress administrator account.

WordPress Hosting, Firewall and Backup

This Website is:


Justin 16/04/2017

I’ve found that lost of WordPress sites that have multi-users adding content (posts, pages etc) under the company that they work for all have the same common account (under the company name) so that when published they have the one author e.g. company name. This weakens security. One way round that is to have all users having their own account and use overwrite-author-name ( to keep the author name associated with the posts/content the same.

Robert Abela 17/04/2017

This seems like a neat solution Justin. Thank you for sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *