WordPress Roles Explained
WordPress comes with a number of inbuilt user roles to control what registered users can do when they log in to your blog. I want to explain the various roles available and what capabilities each type of user will have.
There’s Just Me, Why Do I Need Roles?
If you are a lone blogger who does all the writing and administration yourself, then you only need two types of user: readers, who do not log in and therefore don't need a role, and an administrator. This post is probably not for you, but if this is your scenario, there are a couple of things I recommend:
- Disable new user registration to keep your blog watertight. This can be done from the WordPress dashboard -> settings -> general by unchecking "anyone can register".
- Change the default displayed name of the admin account from admin to your own name. This is done from dashboard -> users -> edit the admin account -> complete first name and last name, then under "Display name publicly as" choose your full name. This just makes the blog more personal, instead of a sterile person called admin writing all of the posts.
I Want a Publishing Empire, Tell Me About Roles
When you create additional user accounts on your blog, you can then assign each user a role. There are five roles: subscriber, contributor, author, editor and administrator. Each has an increasing level of permission to perform actions (known as capabilities) on your site.
This post will take you through each role and its capabilities. I will start with the least privileged and build up a profile of the additional things each level can achieve.
Feel free to read the whole post, but I've also created a video tutorial to show you users and roles in depth.
How Are Roles Assigned?
By default all new users created on your blog will be subscribers; an administrator-level user then needs to edit the user and assign it a new role. This is done from the dashboard -> users -> authors and users -> edit the required user -> set the user level from the role drop-down.
Subscribers have the ability to read your blog posts. This is the same level as unregistered readers and visitors to your blog, so why do you need a role for this? The answer is that you may not need this level, but some blogs have features available only to logged-in, registered users. Some of those may be:
- To leave comments, as a spam control measure
- To see certain posts
- For a private blog where only registered users are granted access, and creation of the users is left up to the administrator
There are various plugins which require a subscriber role, so although out of the box the subscriber role may not seem necessary, each installation is individual.
Moving up the scale, contributors are at a level where they can create content on your blog.
The contributor can read posts, and create and edit posts from the dashboard. They can also delete their own posts which have not been published.
The point to note about contributors is that they can create draft posts but cannot publish them. A more trusted user level is required to edit the post and make it publicly available.
An author is a more trusted level of contributor: they have all of the permissions of a contributor, but they can also publish their own posts, delete their own published posts, and upload files to add to posts, e.g. images to include in posts or videos to play within a post.
Authors only have control over their own content; other authors' and contributors' posts can be read but not edited or amended.
When we reach the editor level we move into site-wide permission territory. As the name suggests, editors have control over other users' content: they can publish, delete and create new posts. An editor can also create, amend and delete pages, and has access to, and control over, posts marked as private. Check out the visibility of a post: it can be public, password protected or private, and only editors and above can see private posts and pages.
Editors can create categories and blogroll link entries, moderate comments, and even create and amend new users.
Editors are trusted members of your organisation; they can affect your blog at a fundamental level. What they cannot do is change the look and feel of the site, for that we need an ….
The admin-level user is the super user for the site. Along with all of the other capabilities discussed above, they can change the theme, upload and install plugins, edit users and modify the look and feel of the dashboard.
Control of who is an administrator of your site is crucial for a secure site: harden the password and consider changing the login ID to something other than admin.
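The role ladder above is really a ladder of capabilities: WordPress stores a set of capabilities against each role, and code that gates an action should check the capability it needs rather than the role name. The following plugin is an added example written for this post, not code from the post or from WordPress itself. It uses only core WordPress functions (get_role, current_user_can, add_menu_page, wp_nonce_field, wp_verify_nonce, wp_publish_post); the plugin slug, menu page, function prefix and file path are assumptions of the example.

```php
<?php
/**
 * Added example (not from the original post): gating an action on a
 * capability instead of a role name in a WordPress plugin.
 * Assumed location: wp-content/plugins/draft-review/draft-review.php
 * (hypothetical path); activate it like any other plugin.
 */

// Map each built-in role described in the post to the core capability that
// marks its step up the ladder. WordPress registers these capabilities itself.
function dr_role_ladder() {
    return array(
        'subscriber'    => 'read',               // can only read
        'contributor'   => 'edit_posts',         // can write drafts, not publish
        'author'        => 'publish_posts',      // can publish own posts
        'editor'        => 'edit_others_posts',  // site-wide control of content
        'administrator' => 'manage_options',     // look and feel, plugins, users
    );
}

// Report which rungs a role reaches, read from the capabilities WordPress
// stores for it rather than from the role name.
function dr_describe_role( $role_name ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return array();
    }
    $reached = array();
    foreach ( dr_role_ladder() as $rung => $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $reached[] = $rung;
        }
    }
    return $reached; // for 'author' on a stock site: subscriber, contributor, author
}

// Register a "Drafts awaiting review" screen. The gate is a capability, so any
// role that can edit others' posts (editors, administrators, or a custom role
// granted that one capability) can use it without being made an administrator.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Drafts awaiting review',
        'Draft review',
        'edit_others_posts',   // capability required to see the page
        'dr-draft-review',     // hypothetical menu slug
        'dr_render_page'
    );
} );

function dr_render_page() {
    // Re-check on render; never rely on the menu entry being hidden.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'You do not have permission to review drafts.' );
    }
    $drafts = get_posts( array( 'post_status' => 'draft', 'numberposts' => 50 ) );
    echo '<h1>Drafts awaiting review</h1><form method="post">';
    wp_nonce_field( 'dr_publish', 'dr_nonce' );
    foreach ( $drafts as $post ) {
        printf( '<p><label><input type="checkbox" name="ids[]" value="%d"> %s</label></p>',
            $post->ID, esc_html( $post->post_title ) );
    }
    echo '<p><button name="dr_publish" value="1">Publish selected</button></p></form>';
}

// Handle the form. Each post is checked with the meta capability
// 'publish_post', so a contributor or author who reaches this handler is
// refused for drafts they may not publish, while an editor is allowed.
add_action( 'admin_init', function () {
    if ( empty( $_POST['dr_publish'] ) ) {
        return;
    }
    if ( ! isset( $_POST['dr_nonce'] ) || ! wp_verify_nonce( $_POST['dr_nonce'], 'dr_publish' ) ) {
        wp_die( 'Invalid request.' );
    }
    foreach ( (array) ( isset( $_POST['ids'] ) ? $_POST['ids'] : array() ) as $id ) {
        $id = (int) $id;
        if ( ! current_user_can( 'publish_post', $id ) ) {
            continue; // skip posts this user may not publish
        }
        wp_publish_post( $id );
    }
} );
```

Checking `edit_others_posts` rather than `manage_options` is what keeps the review screen usable by editors: the capability names the job, and the role is just a bundle of capabilities, so a site owner can hand that one job to a custom role without promoting anyone to administrator.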
A Last Word on Roles and Capabilities
If you have multiple people contributing to your site, make use of roles and assign them the minimum permission required to get their job done. You may have scrupulous procedures to safeguard your passwords, but do your contributors? You may trust them, but making them admin-level users when all they need to do is upload their post for editing is just creating a security loophole on your site.
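Both the lone-blogger advice (disable registration, rename the displayed admin) and the closing advice on minimum permissions can be checked from the command line. The script below is an added example, not part of the original post and not a WordPress or WP-CLI tool; it reads the relevant settings and administrator accounts through core WordPress functions (get_option, get_users, count_user_posts) and reports anything worth a second look. The file name, the "admin" name checks and the output wording are this example's own. Run it from the site root with WP-CLI as `wp eval-file role-audit.php`.

```php
<?php
/**
 * Added example (not from the original post): a read-only audit of the
 * registration and role settings the post recommends checking.
 * Assumed file name: role-audit.php, run with `wp eval-file role-audit.php`
 * so that WordPress is loaded before this code runs.
 */

function role_audit() {
    $findings = array();

    // 1. Open registration: every self-registered account lands in default_role.
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = sprintf(
            'Anyone can register; new accounts get the "%s" role. Untick "anyone can register" unless you need it.',
            get_option( 'default_role' )
        );
    }

    // 2. New users should start at the least privileged rung.
    if ( get_option( 'default_role' ) !== 'subscriber' ) {
        $findings[] = sprintf( 'Default role for new users is "%s", not "subscriber".', get_option( 'default_role' ) );
    }

    // 3. Administrators: list every one with their post count, so the owner can
    //    ask whether each really needs the super-user role or just writes posts.
    $admins = get_users( array( 'role' => 'administrator' ) );
    foreach ( $admins as $u ) {
        if ( strtolower( $u->user_login ) === 'admin' ) {
            $findings[] = 'An administrator still uses the login ID "admin"; consider renaming it.';
        }
        if ( strtolower( $u->display_name ) === 'admin' ) {
            $findings[] = sprintf( 'Administrator "%s" is publicly displayed as "admin".', $u->user_login );
        }
        $findings[] = sprintf(
            'Administrator "%s" has %d posts; confirm this account needs more than the author or editor role.',
            $u->user_login, count_user_posts( $u->ID )
        );
    }
    if ( count( $admins ) > 1 ) {
        $findings[] = sprintf( '%d administrator accounts exist; each one is a full super user.', count( $admins ) );
    }

    return $findings;
}

foreach ( role_audit() as $line ) {
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::warning( $line );
    } else {
        echo $line, PHP_EOL;
    }
}
```

The script changes nothing; it only surfaces the accounts and settings to review, which is the right shape for something you run regularly, since promoting or demoting users should stay a deliberate action taken from the users screen.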
Image by maikelnai