If you have ever added a team member or a freelance writer to your WordPress site and just clicked "Administrator" because it seemed easiest - you are not alone. It is one of the most common WordPress mistakes, and it creates a genuine security risk. Understanding WordPress user roles takes about ten minutes and can save you a significant headache later.
The Five Default WordPress Roles
WordPress ships with five built-in roles. Each one is essentially a permission set that controls what a user can see and do inside your dashboard.
Administrator
The most powerful role. Administrators can do everything: install and delete plugins and themes, create and delete other users, modify site settings, and access all content. On a standard single-site install, only the site owner should have this role. Every extra Administrator account is a potential attack vector.
Editor
Editors can publish, edit, and delete any post or page - including content written by other users. They can also manage categories and moderate comments, but they cannot touch plugins, themes, or settings. This is the right role for a managing editor or a trusted senior content person.
Author
Authors can write, edit, publish, and delete their own posts. They cannot touch other users' content and have no access to site settings. This is the appropriate role for a regular contributor who publishes independently.
Contributor
Contributors can write and edit their own posts but cannot publish them. Their content sits in "Pending Review" until an Editor or Administrator approves and publishes it. This is ideal for guest writers or new team members whose work needs oversight before it goes live.
Subscriber
Subscribers can only log in and manage their own profile. They cannot create or edit any content. This role is used for membership sites or communities where registered users get access to certain content.
Why Least Privilege Matters
The security principle of "least privilege" means giving users only the access they actually need to do their job - nothing more. This limits the damage that can occur if an account is compromised or if a user makes a mistake.
A freelance writer with an Administrator account who clicks a phishing link can hand an attacker full control of your site. The same writer with an Author account? The attacker gets access to write blog posts, which is still bad, but it is nowhere near as catastrophic.
Ask yourself before assigning any role: what does this person actually need to do? Then give them the lowest role that covers those tasks.
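One way to keep the "only the site owner is an Administrator" rule honest is to have the site check it for you. The following is an added example, not code from the post: it counts the accounts in each high-privilege role and shows a dashboard warning when a ceiling is exceeded. Put it in a small plugin file; the function and hook names are ours, and the Editor ceiling of two is a constructed example value.

```php
<?php
/**
 * Added example, not code from the post: audit how many accounts hold each
 * high-privilege role and surface a dashboard warning when the count exceeds
 * what you expect (the post's rule is one Administrator on a single-site install).
 * Function and hook names are ours.
 */

/**
 * Count the accounts in each role and compare against an expected ceiling.
 *
 * @param array $expected_max role slug => maximum number of accounts allowed.
 * @return array role slug => array( count, max, over, accounts ).
 */
function example_audit_roles( array $expected_max = array( 'administrator' => 1 ) ) {
    $report = array();
    foreach ( $expected_max as $role => $max ) {
        // get_users() with 'role' returns the WP_User objects that hold that role.
        $users = get_users( array( 'role' => $role ) );
        $report[ $role ] = array(
            'count'    => count( $users ),
            'max'      => (int) $max,
            'over'     => count( $users ) > (int) $max,
            'accounts' => wp_list_pluck( $users, 'user_login' ),
        );
    }
    return $report;
}

/**
 * Show the audit result to administrators as a warning on every dashboard page,
 * so an extra Administrator or Editor account does not go unnoticed.
 */
add_action( 'admin_notices', function () {
    // Only the site owner needs to see this; other roles cannot act on it anyway.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $report = example_audit_roles( array(
        'administrator' => 1, // the site owner
        'editor'        => 2, // constructed ceiling: the number of people who really publish others' work
    ) );
    foreach ( $report as $role => $row ) {
        if ( ! $row['over'] ) {
            continue;
        }
        $message = sprintf(
            '%d accounts hold the "%s" role but at most %d were expected: %s. Review them under Users > All Users.',
            $row['count'],
            $role,
            $row['max'],
            implode( ', ', $row['accounts'] )
        );
        // esc_html() keeps user logins from injecting markup into the admin page.
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $message ) );
    }
} );
```

The check runs on every admin page load, which is cheap for the handful of users most sites have. If you manage a site with thousands of Subscribers, keep the ceilings to the small roles as above rather than auditing every role.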
Assigning Roles When Adding Users
To add a new user, go to Users > Add New in your WordPress dashboard. You will see a Role dropdown where you can select one of the five default roles. When adding team members:
- Developers working on themes or plugins need temporary Administrator access - remove it when the project is done.
- Content managers who approve and publish others' work get Editor.
- Writers publishing their own content get Author.
- New or external contributors get Contributor until you have established trust.
To change an existing user's role, go to Users > All Users, click on the user, and update the Role field.
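The same steps done in code, as an added example that is not from the post: create a user with the role the mapping above prescribes, change a role later, and time-box the temporary Administrator access a developer needs so that forgetting to remove it is no longer a risk. Logins, emails and the 14-day window are constructed values; the function and hook names are ours.

```php
<?php
/**
 * Added example, not code from the post: create users with the lowest role for
 * their job (the mapping the post gives), change a role later, and time-box the
 * temporary Administrator access a developer needs. Logins, emails and the
 * 14-day window are constructed values; function and hook names are ours.
 */

/** Job description => WordPress role slug, following the post's guidance. */
function example_role_for_job() {
    return array(
        'content manager'      => 'editor',
        'writer'               => 'author',
        'external contributor' => 'contributor',
        'developer'            => 'administrator', // temporary; see example_grant_temporary_admin()
    );
}

/**
 * Create an account with the role that matches the job. Returns the new user ID
 * or a WP_Error. The password is random and never handled by us: the user gets a
 * set-password email instead.
 */
function example_add_user_for_job( $login, $email, $job ) {
    $roles = example_role_for_job();
    if ( ! isset( $roles[ $job ] ) ) {
        return new WP_Error( 'unknown_job', sprintf( 'No role mapped for job "%s".', $job ) );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 32, true, true ),
        'role'       => $roles[ $job ],
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id; // e.g. duplicate login or email
    }
    wp_new_user_notification( $user_id, null, 'user' ); // emails the set-password link
    return $user_id;
}

/** Change an existing user's role. set_role() replaces all of the user's current roles. */
function example_set_role( $login, $role ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', sprintf( 'No user with login "%s".', $login ) );
    }
    if ( null === get_role( $role ) ) {
        return new WP_Error( 'no_role', sprintf( 'Role "%s" does not exist.', $role ) );
    }
    $user->set_role( $role );
    return true;
}

/**
 * Give a developer Administrator access that expires automatically. WP-Cron fires
 * the hook after the window and drops the account to Subscriber. Run it again to
 * extend the window.
 */
function example_grant_temporary_admin( $login, $days = 14 ) {
    $result = example_set_role( $login, 'administrator' );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Clear any earlier expiry for this login before scheduling the new one.
    wp_clear_scheduled_hook( 'example_expire_temporary_admin', array( $login ) );
    wp_schedule_single_event( time() + $days * DAY_IN_SECONDS, 'example_expire_temporary_admin', array( $login ) );
    return true;
}
add_action( 'example_expire_temporary_admin', function ( $login ) {
    // Demote rather than delete: deleting would also require reassigning the user's content.
    example_set_role( $login, 'subscriber' );
} );

// Usage (constructed values):
// example_add_user_for_job( 'jane-writes', 'jane@example.com', 'external contributor' );
// example_set_role( 'jane-writes', 'author' );          // promote once trust is established
// example_grant_temporary_admin( 'dev-contractor', 14 ); // drops to Subscriber after two weeks
```

WP-Cron runs when someone visits the site, so on a very quiet site the expiry can fire a little later than scheduled; if that matters, trigger wp-cron.php from a real system cron job. The demotion also does not end an existing logged-in session immediately, but WordPress re-reads the user's role on each request, so the next dashboard page load already reflects the lower privileges.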
Extending Roles with Plugins
WordPress's built-in roles cover most use cases, but if you need finer control - for example, an Editor who can also manage plugins but cannot delete users - the User Role Editor plugin lets you customize individual capabilities for any role. You can duplicate existing roles, create entirely new ones, and assign capabilities with checkboxes.
This is particularly useful for agencies managing client sites, or for businesses where different departments have overlapping but distinct needs.
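Under the hood, a plugin like User Role Editor manipulates the same role API that core exposes to any plugin. As an added example, not code from the post or from that plugin, here is the post's own scenario built directly: an Editor-like role that can also manage plugins but has none of the user-management capabilities. The role slug, display name and function names are ours.

```php
<?php
/**
 * Added example, not code from the post or the User Role Editor plugin: the same
 * customisation done with WordPress's own role API. It builds a "Plugin Editor"
 * role that has every Editor capability plus plugin management but none of the
 * user-management capabilities. Role and function names are ours.
 */

/** Register the role once, on plugin activation; roles persist in the database. */
function example_register_plugin_editor_role() {
    $editor = get_role( 'editor' );
    if ( null === $editor ) {
        return; // core role missing: do nothing rather than guess at capabilities
    }
    // Start from the Editor's exact capability set (cap name => true).
    $caps = $editor->capabilities;

    // Add plugin management. Deliberately left out: edit_plugins and edit_themes,
    // the dashboard file editors, because editing PHP in the dashboard is
    // effectively the same as Administrator access. Note that install_plugins
    // still lets the holder upload code that runs as the site, so this role sits
    // close to Administrator in practice and should go only to people you trust
    // with the server.
    foreach ( array( 'activate_plugins', 'install_plugins', 'update_plugins', 'delete_plugins' ) as $cap ) {
        $caps[ $cap ] = true;
    }

    // Be explicit about what this role must not do. Editors do not have these
    // today, but spelling it out documents the intent and protects against a
    // future change to the Editor role leaking into this one.
    foreach ( array( 'create_users', 'edit_users', 'delete_users', 'promote_users', 'remove_users', 'list_users' ) as $cap ) {
        unset( $caps[ $cap ] );
    }

    // add_role() returns null if the role already exists, so this is safe to repeat.
    add_role( 'plugin_editor', 'Plugin Editor', $caps );
}
register_activation_hook( __FILE__, 'example_register_plugin_editor_role' );

/**
 * Move users off the role and remove it on deactivation. remove_role() alone would
 * leave those users with no role at all, so demote them to Editor first.
 */
function example_remove_plugin_editor_role() {
    foreach ( get_users( array( 'role' => 'plugin_editor' ) ) as $user ) {
        $user->set_role( 'editor' );
    }
    remove_role( 'plugin_editor' );
}
register_deactivation_hook( __FILE__, 'example_remove_plugin_editor_role' );
```

Because roles are stored in the database rather than recomputed on each request, changing the capability list in this file later has no effect until the plugin is deactivated and reactivated (or the role is removed and re-added). That is also why the activation hook, not a plain page-load hook, is the right place for this code.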
A Quick Summary
| Role | Publish Own Posts | Publish Others | Manage Plugins | Manage Users |
|---|---|---|---|---|
| Subscriber | No | No | No | No |
| Contributor | No | No | No | No |
| Author | Yes | No | No | No |
| Editor | Yes | Yes | No | No |
| Administrator | Yes | Yes | Yes | Yes |
The five minutes it takes to assign roles correctly is one of the simplest and most effective things you can do to protect your WordPress site. Start with the assumption that everyone gets the lowest role that works, and only escalate when there is a clear reason to.