What are user roles?
User roles are a security-related feature that groups users together. Rights and capabilities are assigned to the user roles, which are subsequently inherited by the users grouped under that role. The inheritance, in turn, allows users the ability to carry out tasks.
User roles are used by various systems, including Operating Systems such as Windows and Linux (called User Groups), and WordPress.
Why are user roles important on a WordPress website?
User roles make it easy to assign capabilities to a large number of users. Instead of assigning capabilities to each user individually, you assign them once to the role and then subscribe the user to the role. The user will then automatically inherit rights assigned to the role.
Another important aspect of user roles is that they allow you to restrict user access and functionality to specific user. For example someone who only writes and publishes articles, should not also have access to activate and deactivate plugins. User roles allow you to do exactly this.
How user roles work on WordPress
WordPress comes with six roles that are pre-defined and available straight out of the box. You can also create your own user roles. Themes and plugins may also include their own sets of user roles, designed to enable users to carry out specific tasks. WordPress multisite installations also have an additional user role that is not available on single-site installations, namely the Super Admin role.
Understanding how WordPress user roles work is important to improve the security and management of users and the website itself.
Super Admin
The Super Admin role is only available in Multisite installation and allows users subscribed to this role to manage various multisite settings, include site and network settings.
Administrator
The Administrator role gives users the ability to access all of the administrative features on any single site, and in most cases is the highest-order user role available. This user account that installs WordPress automatically falls within this role.
Editor
The Editor role allows users to manage and publish posts, including posts written by other users.
Author
The Author role allows users to manage and publish their own posts only, and cannot manage or publish posts of other users.
Contributor
The Contributor role allows users to write and manage posts they write but do not have the ability to publish posts. The posts need to be published by an editor.
Subscriber
The Subscriber role allows users to manage their profiles.
It’s important to note that while roles have decreasing responsibilities, there is no implicit hierarchy, even if this is implied.
Custom roles
Custom roles can also be added and removed using two WordPress functions called add_role and remove_role respectively. Custom roles plugins can help you create custom roles easily without any development experience.
How to manage user roles on a WordPress website
User roles are a very important part of the security of your WordPress website. Mismanaging user roles can expose your website to unnecessary security risks, or can lead to exposure of sensitive data.
Always ensure that you follow the principle of least privilege when assigning privileges to new users. As a security best practise, users should have the least possible rights for them to be able to complete the job, nothing more.