If you have a website where lots of people need access so they can contribute, make edits and so on, then you can’t escape the need to give each of them their own role. By “role” we’re not talking about what they do as such, we’re talking about the kinds of permissions that they have. WordPress features five pre-defined roles, which at least gives you some templates so you don’t have to start from scratch. Hopefully one of them will roughly correspond to the level of permissions that you want your users to have, so they’ll only be able to make the kinds of changes you have in mind and won’t be allowed to change things that are best left to you.
The omnipotent administrator has the run of the site, with the ability to change anything and everything. If you own the site, then you’re given this role as standard. Administrators can delete plugins and install new ones, change themes, and wield the knife with any and all posts and pages.
They can upload new images, video, and so on, add and remove users, alter names and passwords. They can also remove other administrators.
So, it should be obvious that such a powerful role should not just be handed to anyone. Only people you trust absolutely should be given administrator access.
The editor has total control of content, including posts, pages, media, and comments. The Editor label means that this person can add, edit, publish, and delete their own posts along with other people’s. They can also do the same for comments and images.
So, the editor can do most of what the admin can do, but they can’t fiddle with site settings, plugins, themes or users. For security reasons it’s considered good practice to give new users the editor role, even if you’re the only person publishing any content.
Usually, site visitors, and therefore attackers, can see a username under each and every post on your site, because the author’s name is displayed with the post. They can then use that knowledge to try what’s called a brute force attack (repeatedly guessing the password for that known username) to get access to the site. Clearly, if they gain unauthorized access as an editor they won’t be able to do anything more than superficial damage: changing and removing content, but not changing settings.
The next step down the ladder is the author role. Authors can write, delete, edit, and publish their own posts only. They have no control over other people’s material. They can’t create new categories or tags, but they can assign existing ones. They can also add media files.
They don’t have permission to moderate comments and can’t change settings, plugins, themes, or user profiles, apart from their own.
Contributors can add posts and edit them, but they can’t publish or delete them. Equally, they aren’t allowed to create new categories and tags, and they don’t get to upload media files. This can be pretty annoying if you use certain contributors on a regular basis, as you’re reliant on editors or authors to add their work to the site on their behalf.
They can assign existing categories and tags to their posts, and while they can look at comments, they don’t get to moderate them.
Contributors aren’t allowed to manage the settings page, so they can’t change, upload, edit, activate or deactivate themes and plugins.
The subscriber is the role that each user gets by default if site registrations are enabled. It sits on the bottom rung of the permissions ladder. It only lets users access their own user profile, read content and post comments.
Subscribers can’t create posts, look at comments, manage other users or change any settings.
Special WordPress User Role – Super Admin
This is an additional role unique to site owners on the WordPress Multisite Network. The Super Admin role is like an admin role in all respects, with the addition of the ability to add and remove sites on the network.
You can help your site’s security a lot by getting to grips with the various permissions associated with these default user roles. It helps you to keep your users organized and your sites safe. If you need extra control or want to define your own user roles with bespoke permissions that fit the requirements of your website better, you might want to try the Capability Manager Enhanced plugin. It lets you handle your current WordPress roles, edit all role permissions, add new roles, and more besides.
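As an added example (not code from this article or from the Capability Manager Enhanced plugin), this small plugin uses WordPress’s own role API to build a bespoke role for the situation described above: a contributor who may also upload media, without handing out anything reserved for administrators. The role key media_contributor, the lpr_ function prefix and the list of “administrator-only” capabilities are assumptions of mine; the audit helper at the end lists every role that still holds one of those capabilities, so you can check that a custom role didn’t quietly inherit them.

```php
<?php
// Plugin Name: Least-Privilege Roles (added example, not the article's code)
// Creates a "media_contributor" role: contributor permissions plus upload_files,
// so regular contributors can attach their own images without needing an editor.

// Capabilities that correspond to what the article reserves for administrators:
// settings, plugins, themes and user management. (Assumed list, not exhaustive.)
function lpr_admin_only_caps() {
    return array( 'manage_options', 'install_plugins', 'activate_plugins',
                  'delete_plugins', 'switch_themes', 'install_themes',
                  'edit_users', 'delete_users', 'create_users' );
}

// Runs once on plugin activation: add_role() persists the role in the database,
// so it should not be called on every page load.
function lpr_register_media_contributor() {
    $contributor = get_role( 'contributor' );
    if ( null === $contributor ) {
        return; // Default role missing; nothing safe to clone from.
    }
    // Clone the contributor capability set and add exactly one capability.
    $caps                 = $contributor->capabilities;
    $caps['upload_files'] = true;
    // Belt and braces: strip any administrator-only capability, in case the
    // base role was customised on this site before we cloned it.
    foreach ( lpr_admin_only_caps() as $cap ) {
        unset( $caps[ $cap ] );
    }
    add_role( 'media_contributor', 'Media Contributor', $caps );
}
register_activation_hook( __FILE__, 'lpr_register_media_contributor' );

// Clean up on deactivation so the custom role does not linger unmanaged.
function lpr_unregister_media_contributor() {
    remove_role( 'media_contributor' );
}
register_deactivation_hook( __FILE__, 'lpr_unregister_media_contributor' );

// Audit helper: returns role_key => list of administrator-only capabilities it
// holds. On a stock install only 'administrator' should appear in the result.
function lpr_roles_with_admin_caps() {
    $report = array();
    foreach ( wp_roles()->role_objects as $name => $role ) {
        foreach ( lpr_admin_only_caps() as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                $report[ $name ][] = $cap;
            }
        }
    }
    return $report;
}
```

WP-CLI can create the same role without a plugin: `wp role create media_contributor "Media Contributor" --clone=contributor` followed by `wp cap add media_contributor upload_files`.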