Capabilities

What are capabilities?

Capabilities are WordPress permissions that effectively permit or deny users the ability to execute specific actions. Capabilities are assigned to roles, with user accounts automatically inheriting the capabilities assigned to the role they belong to. This allows the user to execute certain actions but not others.

Why are capabilities important on a WordPress website?

Every application, including WordPress, needs a system through which access to resources and functions is granted or denied. Capabilities offer a fine degree of control over which actions and functions we give access to any given user.

While this might not make much of a difference on smaller WordPress websites with a single user, the benefits become more apparent as the website grows, and with it the number of users that need access to WordPress. In such cases, leveraging the flexibility and power of WordPress roles can increase security and administrative efficiency.

How capabilities work

WordPress capabilities are assigned to roles. In turn, users are assigned to a role. Assigned capabilities give users who are members of the role the right to execute the action prescribed by the capability.

As an example, the delete_pages capability is assigned to the Editor role. We can then assign the Editor role to anyone who will carry out editorial work on our WordPress website, such as a user we will call Fred. Since the delete_pages capability is assigned to the Editor role, of which Fred is a member, Fred can delete pages.

WordPress includes a number of capabilities that allow administrators to fine-tune the control they want to assign to roles. Plugins may also include their own sets of capabilities, allowing administrators to assign different capabilities to different roles – and by extension users.

The list of capabilities sees entries added and removed as new features are introduced and old ones retired. For the latest list, refer to the official WordPress roles and capabilities list.

How to manage capabilities on a WordPress website

The best way to manage capabilities is through the principle of least privilege. This means that any given user should only be given access to the capabilities they need to perform their job. In some cases, this might require the creation of custom WordPress user roles to ensure you can assign just the capabilities the user needs.

Custom roles and capability assignments can be created through a third-party plugin such as User Role Editor. While this might not be necessary for a small team, bigger teams with more dedicated roles might find this finer degree of control especially useful.
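The role-to-capability model and the least-privilege advice above can also be applied in code. The following is an added example, not code from this page or from any plugin it mentions; it assumes it runs as a small WordPress plugin, and the role slug, function name and action name are hypothetical.

```php
<?php
/**
 * Plugin Name: Least-Privilege Role Example (constructed for illustration)
 */

const EXAMPLE_ROLE = 'page_contributor'; // hypothetical role slug

// Roles are stored in the database, so create the role once on activation.
register_activation_hook( __FILE__, function () {
    add_role( EXAMPLE_ROLE, 'Page Contributor', array(
        'read'       => true, // reach the dashboard
        'edit_pages' => true, // create and edit own pages
        // delete_pages and publish_pages are deliberately not granted.
    ) );
} );

// Reassign users to another role before deactivating; this removes the role.
register_deactivation_hook( __FILE__, function () {
    remove_role( EXAMPLE_ROLE );
} );

// Audit helper: which roles currently hold a given capability?
function example_roles_with_cap( $cap ) {
    $holders = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $holders[] = $slug;
        }
    }
    return $holders;
}

// Hypothetical admin action: check the capability, never the role name.
add_action( 'admin_post_example_trash_page', function () {
    check_admin_referer( 'example_trash_page' );
    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    // 'delete_post' is a meta capability that WordPress maps to delete_pages
    // (and delete_others_pages, etc.) for this specific page.
    if ( 'page' !== get_post_type( $page_id ) || ! current_user_can( 'delete_post', $page_id ) ) {
        wp_die( 'You are not allowed to delete this page.', '', array( 'response' => 403 ) );
    }
    wp_trash_post( $page_id );
    wp_safe_redirect( admin_url( 'edit.php?post_type=page' ) );
    exit;
} );
```

On a default installation, example_roles_with_cap( 'delete_pages' ) returns the administrator and editor roles, which makes it a quick way to review who can delete pages before and after adding custom roles.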

It is equally important to ensure that access control mechanisms are in place to avoid any unauthorized access to roles and capabilities. One way to do this is through two-factor authentication on WordPress with the WP 2FA plugin. Two-factor authentication can stop over 99% of account-based attacks.
