Access Control

WordPress Roles and Capabilities – Launch the Power of Your Site

What You'll Learn

Sometimes, you need to give users access to custom information on your WordPress site.  You want different WordPress roles to give different levels of access or information depending on what the users do or need.  You don’t want everyone logging in as administrators. That would be a security nightmare.

To allow this, WordPress has different roles that you can use to customize access.  Using these WordPress roles, you can give access to some things but not others, or you can give each Customer different information just for them.  For example, you could allow accounts where each user accesses different documents.

WordPress Roles Explained

Out of the box, WordPress has six pre-defined WordPress roles.  These roles are

  • Super Admin – You don’t see this role in many sites.  Super Admins manage capabilities for multi-site installations, where multiple sites share common functions like themes and plugins.
  • Administrator – Administrators are the most common high-level user.  An administrator can do things like add or remove plugins, add other users, edit any content, switch themes, etc.
  • Editor – Editors let you designate a role that can control most content but not do other things like manage plugins and themes.  An Editor can add, edit or delete content, manage other users’ content and upload files, for example.
  • Author – Authors can add, edit and remove their own posts and upload files.  This can be very helpful if you want to let someone else add content to your site without giving them the ability to mess things up.
  • Contributor – Similar to authors, a contributor can manage their own posts. An important difference is that contributors can’t publish the posts or upload files.
  • Subscriber – A subscriber can only manage their own profile.

Each role is granted a set of “capabilities”, the individual actions it is allowed to perform.  We’ve described some of the general capabilities above and given a more complete table below.  However, through code and plugins, you can change these capabilities if you need to. For example, you could give a contributor the ability to upload files.

You can also define your own roles.  For example, let’s say that you have a marketplace site, where merchants run their own shops selling products.  You might need a number of roles, such as:

  • Merchant – Someone who runs a shop, can add or remove products, change prices, etc.
  • Shop Administrator – They can add or remove products but not change things about the shop.
  • Sale Clerk – They can manage orders, answer customer questions, ship products.
  • Customer – They can purchase products.

These are just some ideas, but you get the concept.   Depending on what your site does, you might need any number of roles and capabilities.  Capabilities are the permissions attached to WordPress roles.  They tell the system what a user with that role can do.  The table below lists the WordPress capabilities that come built in, but just like with our merchant example, we might need new ones.

Just like you can define WordPress roles, you can also define WordPress capabilities.  For example, in our merchant example, we might define new WordPress capabilities like “create product”. 

A user can have multiple roles.  For example, a user could be an Author and a Customer.  For the starting WordPress roles, this usually isn’t necessary and just creates unnecessary complexity and confusion.  An Administrator can do everything that an Author can do, for example.

A key security concept is to make sure you don’t give anyone any more permissions than they need to do their job.  So, if you need someone to write and publish articles, but they don’t need to install plug-ins, change themes, etc., then make them an Author.  You want to have as few users as possible with Administrator privileges.


Defining WordPress Roles Permissions

To define new WordPress capabilities and roles, you will either need to use code or use a plug-in.  We’ve given some code examples below to give you an idea but if you don’t know how to program in PHP, do not go trying these on your own.  You could break your site or create a big security issue.  Hire a developer or use a plug-in. 

For common examples, there are plug-ins available. Often, these are part of a plug-in that does something else.  WooCommerce will create roles like Customer for you.  Your Learning Management System will create roles like Instructor and Student.

Keys for Security

WordPress Roles Manager

For the main WordPress roles, you can manage them right in the Users section of the Administrator dashboard. From there, you can change a user’s role.  Even with custom roles, once that role is created, you can assign it in the user section. 

There are some general plugins to help you with new roles and capabilities.  For example, many membership plugins like Members – Membership User and Role Editor, will let you define roles.   Then, you can restrict access to various pages for different roles.  For many sites, this is an easy, affordable and manageable way for WordPress Role management and WordPress capability management.

WordPress Roles Definitions

Other plugins, like Roles and Capabilities or User Roles and Capabilities, will let you define roles and capabilities. They approach the problem a little bit differently, so different plug-ins might work better for what you need. These types of WordPress Roles Editors can be very useful if you have more complex needs but don’t quite need custom code yet.


If you can, for WordPress Roles Management, having a plugin that is a WordPress Roles Manager or WordPress Roles Editor can be a great option.  It’s affordable (both of these plugins have free options and there are others) and you can manage WordPress roles and capabilities without needing a developer.  A WordPress Roles Plugin is a great option when it can or does meet your needs.

Sometimes, though, you have a more complex need and a WordPress Roles Plugin isn’t going to cut it.  Then you’ll need custom development.  If you aren’t a PHP developer, then you will need some help.  This isn’t the sort of situation to be learning to code because you can create security risks.  Hire a developer.

WordPress Roles and Capability Management

WordPress Roles combined with WordPress Capabilities are a great way to add functionality to your site.  You can let certain users do things while prohibiting other users from doing them.  The ability to add roles and capabilities makes the possibilities almost endless. 

When you can, we recommend using a WordPress Roles Plugin for managing WordPress roles and capability.  It’s cheaper and easier to maintain.  Sometimes, that won’t cut it, though. That’s when you may need someone to develop a solution for you.

Summary of WordPress Roles and Capabilities

Here is a summary of the capabilities that the default WordPress roles have. This will give you an idea of what your options are for user roles (without defining new ones). It’s a long table, so each row lists the capability and then marks which roles have it, from Super Admin down to Subscriber.

WordPress Roles Table

Capability              Super Admin  Admin*  Editor  Author  Contrib  Subscriber
create_sites            Yes
delete_sites            Yes
manage_network          Yes
manage_sites            Yes
manage_network_users    Yes
manage_network_plugins  Yes
manage_network_themes   Yes
manage_network_options  Yes
upload_plugins          Yes
upload_themes           Yes
upgrade_network         Yes
setup_network           Yes
activate_plugins        Yes*         Yes*
create_users            Yes*         Yes*
delete_plugins          Yes*         Yes*
delete_themes           Yes*         Yes*
delete_users            Yes*         Yes*
edit_files              Yes*         Yes*
edit_plugins            Yes*         Yes*
edit_theme_options      Yes*         Yes*
edit_themes             Yes*         Yes*
edit_users              Yes*         Yes*
export                  Yes*         Yes*
import                  Yes*         Yes*
install_plugins         Yes*         Yes*
install_themes          Yes*         Yes*
list_users              Yes*         Yes*
manage_options          Yes*         Yes*
promote_users           Yes*         Yes*
remove_users            Yes*         Yes*
switch_themes           Yes*         Yes*
update_core             Yes*         Yes*
update_plugins          Yes*         Yes*
update_themes           Yes*         Yes*
edit_dashboard          Yes*         Yes*
customize               Yes*         Yes*
delete_site             Yes*         Yes*
moderate_comments       Yes          Yes     Yes
manage_categories       Yes          Yes     Yes
manage_links            Yes          Yes     Yes
edit_others_posts       Yes          Yes     Yes
edit_pages              Yes          Yes     Yes
edit_others_pages       Yes          Yes     Yes
edit_published_pages    Yes          Yes     Yes
publish_pages           Yes          Yes     Yes
delete_pages            Yes          Yes     Yes
delete_others_pages     Yes          Yes     Yes
delete_published_pages  Yes          Yes     Yes
delete_others_posts     Yes          Yes     Yes
delete_private_posts    Yes          Yes     Yes
edit_private_posts      Yes          Yes     Yes
read_private_posts      Yes          Yes     Yes
delete_private_pages    Yes          Yes     Yes
edit_private_pages      Yes          Yes     Yes
read_private_pages      Yes          Yes     Yes
unfiltered_html         Yes          Yes     Yes     Yes
edit_published_posts    Yes          Yes     Yes     Yes
upload_files            Yes          Yes     Yes     Yes
publish_posts           Yes          Yes     Yes     Yes
delete_published_posts  Yes          Yes     Yes     Yes
edit_posts              Yes          Yes     Yes     Yes     Yes
delete_posts            Yes          Yes     Yes     Yes     Yes
read                    Yes          Yes     Yes     Yes     Yes      Yes

* – Super Administrators can control these functions on all sites on a multi-site installation. Administrators can do it on one.


Code Examples to Manage WordPress Roles

This is a quick overview of some of the programming functions available to manage WordPress roles.  Make sure you consult the WordPress documentation on these functions.

Adding a WordPress Role

add_role(string $role, string $display_name, bool[] $capabilities)

This function adds a role and its capabilities.  An important note: if the role already exists, this function does nothing, even if the capabilities you pass are different, so be careful.  The display name is what users will see, whereas the role name is the name the system uses.

Removing a WordPress Role

remove_role(string $role)

This function removes the role from the system.  It’s pretty straightforward.
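The marketplace roles described earlier, registered with add_role() and cleaned up with remove_role(), as an added example (not code from the original article). It assumes it lives in a plugin file (hence __FILE__ in the activation hooks), and the capability names (create_product, edit_shop, manage_orders, purchase_product and so on) are assumptions chosen for the example. Because add_role() silently ignores a role that already exists, any stale copy is removed before the definition in code is applied.

```php
<?php
/**
 * Added example, not code from the original article.
 * Registers the marketplace roles on plugin activation and removes them on
 * deactivation. Capability names below are assumptions for this example.
 */

// One place that defines every custom role and exactly what it may do.
function marketplace_role_definitions() {
    // Every custom role starts from the Subscriber's single capability ('read')
    // and adds only what that job needs: least privilege by default.
    $base = array( 'read' => true );

    return array(
        'merchant' => array(
            'display_name' => 'Merchant',
            'capabilities' => $base + array(
                'create_product' => true,
                'edit_product'   => true,
                'delete_product' => true,
                'edit_shop'      => true,   // can change things about the shop
                'manage_orders'  => true,
            ),
        ),
        'shop_administrator' => array(
            'display_name' => 'Shop Administrator',
            'capabilities' => $base + array(
                'create_product' => true,
                'edit_product'   => true,
                'delete_product' => true,
                // deliberately no 'edit_shop': products yes, the shop itself no
            ),
        ),
        'sale_clerk' => array(
            'display_name' => 'Sale Clerk',
            'capabilities' => $base + array(
                'manage_orders' => true,
            ),
        ),
        'customer' => array(
            'display_name' => 'Customer',
            'capabilities' => $base + array(
                'purchase_product' => true,
            ),
        ),
    );
}

// Runs once, on activation. Role definitions are stored in the database, so
// this must not run on every page load.
function marketplace_register_roles() {
    foreach ( marketplace_role_definitions() as $slug => $def ) {
        // add_role() changes nothing if the role already exists, even when the
        // capabilities differ. Drop any stale copy so the definition in code
        // is the one that takes effect.
        if ( get_role( $slug ) ) {
            remove_role( $slug );
        }
        add_role( $slug, $def['display_name'], $def['capabilities'] );
    }
}

// Remove the roles on deactivation so unused roles do not linger.
function marketplace_unregister_roles() {
    foreach ( array_keys( marketplace_role_definitions() ) as $slug ) {
        remove_role( $slug );
    }
}

register_activation_hook( __FILE__, 'marketplace_register_roles' );
register_deactivation_hook( __FILE__, 'marketplace_unregister_roles' );
```

Keeping the definitions in one function makes the permission model reviewable in a single place: a reviewer can see at a glance that a Sale Clerk cannot touch products and a Shop Administrator cannot change the shop, which is the least-privilege point the article makes.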

Managing WordPress Roles Effectively

There are a few easy concepts to keep in mind when managing WordPress user roles.  These are mostly for security reasons. They also make managing your site easier.

Give Minimal Access to Every WordPress User – Only Give Them What They Need

When you add a user to your site, make sure that you give them no higher a WordPress role than they need. It can be tempting to give everyone administrator privileges to make your life easier.  The problem is that more administrator accounts means more opportunities to get hacked.

Keep Down Your Number of Administrator and Editor Accounts

The administrator and editor accounts are your most powerful. They can do the most on your site and therefore can do the most damage. Don’t give out more of these accounts than you need to.  Then, back to our point above. If someone can do what you need with an Editor account, don’t give them an Administrator account.  Don’t give someone Editor privileges if they can get by with Author privileges, and so on.

Code Examples to Manage WordPress Capabilities

Just like with the roles, there are functions to manage WordPress capabilities. 

Adding a Capability for a Role

add_cap(string $capability, bool $grant = true)

First, you need to call get_role(string $role) to fetch the role object, and then you call add_cap on that object.  If you want the role to have the ability, pass true, for example:

$role = get_role('my_role');
$role->add_cap('order_pizza', true);

Now someone who is part of my_role can order pizza.

Removing a Capability for a Role

This is very similar to add_cap except… well, it removes the capability, so if we had too much pizza, now we could do

$role->remove_cap('order_pizza');
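The article's own example of changing a built-in role, giving Contributors the upload_files capability and taking it back again, as an added example that is not part of the original article. It assumes a plugin file (for __FILE__ in the hooks); get_role() returns null for a role that does not exist, and calling add_cap() on null is a fatal error, so the helpers check for that first.

```php
<?php
/**
 * Added example, not code from the original article.
 * Grants and revokes a capability on an existing role with a null check.
 * Role changes are written to the database, so they belong in a one-time
 * step such as plugin activation, not in code that runs on every request.
 */

// Grant a capability to a role. Returns false if the role does not exist.
function grant_cap_to_role( $role_name, $cap ) {
    $role = get_role( $role_name );
    if ( null === $role ) {
        return false;
    }
    $role->add_cap( $cap, true );
    return true;
}

// Revoke a capability from a role. Same null check.
function revoke_cap_from_role( $role_name, $cap ) {
    $role = get_role( $role_name );
    if ( null === $role ) {
        return false;
    }
    $role->remove_cap( $cap );
    return true;
}

// Report whether a role's stored definition currently includes a capability.
// This reads the role, not any particular user.
function role_has_cap( $role_name, $cap ) {
    $role = get_role( $role_name );
    return $role ? $role->has_cap( $cap ) : false;
}

// On activation: let Contributors upload files (the article's example).
function contrib_uploads_activate() {
    grant_cap_to_role( 'contributor', 'upload_files' );
}

// On deactivation: take it back so the change does not outlive the plugin.
function contrib_uploads_deactivate() {
    revoke_cap_from_role( 'contributor', 'upload_files' );
}

register_activation_hook( __FILE__, 'contrib_uploads_activate' );
register_deactivation_hook( __FILE__, 'contrib_uploads_deactivate' );
```

Passing false as the second argument to add_cap() stores an explicit denial rather than simply leaving the capability out. Because a user who holds several roles gets their capability maps merged, that denial is not a reliable boundary, which is one more reason the article recommends against stacking roles on one user.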

Code Examples to Use WordPress Capabilities

Once you’ve created WordPress roles and their capabilities, it doesn’t help much unless you can check those capabilities.  You do this in a function by checking whether the WordPress user has that capability.  There are two functions to do this:

user_can($user, $capability) lets you check any user.  Most of the time, we will be checking the current user, so we can simplify it with

current_user_can($capability)

So, for example, if you want to only show pizza options if a user can order pizza you would do something like this:

if (current_user_can('order_pizza')) {
    display_pizza_options();
}
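Checking the capability where it matters, as an added example that is not part of the original article: the order_pizza capability from the article is checked once when the options are displayed and again in the handler that actually places the order. Hiding a form only tidies the page; a request to the handler can be sent without ever seeing the form, so the handler must refuse on its own. display_pizza_options() and place_pizza_order() are hypothetical names given simple bodies here; admin-post.php, admin_post_{action}, wp_die(), user_can() and current_user_can() are WordPress functions.

```php
<?php
/**
 * Added example, not code from the original article.
 * Enforces the 'order_pizza' capability at display time and at action time.
 */

// Hypothetical: render the form. Posts to admin-post.php with action=order_pizza.
function display_pizza_options() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="order_pizza">';
    echo '<select name="size"><option>small</option><option>medium</option><option>large</option></select>';
    echo '<button type="submit">Order</button></form>';
}

// Hypothetical: record the order against the user.
function place_pizza_order( $user_id, $size ) {
    update_user_meta( $user_id, 'last_pizza_order', $size );
}

// Display step: only a convenience for the user, not the security boundary.
function maybe_display_pizza_options() {
    if ( ! current_user_can( 'order_pizza' ) ) {
        return false;
    }
    display_pizza_options();
    return true;
}

// Action step: the request can reach this handler without the form, so the
// capability is checked again and the request is refused if it fails.
function handle_pizza_order() {
    if ( ! current_user_can( 'order_pizza' ) ) {
        wp_die( 'You are not allowed to order pizza.', 'Forbidden', array( 'response' => 403 ) );
    }
    $size = isset( $_POST['size'] ) ? sanitize_text_field( wp_unslash( $_POST['size'] ) ) : 'medium';
    place_pizza_order( get_current_user_id(), $size );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the admin_post_nopriv_
// variant is deliberately not registered, so anonymous requests never reach
// the handler at all.
add_action( 'admin_post_order_pizza', 'handle_pizza_order' );

// Checking a user other than the current one, for instance when a clerk acts
// on a customer's behalf: user_can() accepts a user ID or a WP_User object.
function can_user_order_pizza( $user_id ) {
    return user_can( $user_id, 'order_pizza' );
}
```

The pattern to take away is that the same capability check appears twice, once to decide what to show and once to decide what to do, and only the second one protects anything.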

Good luck managing your WordPress roles and all your users!  Having this capability will let you add tremendous opportunities to your WordPress website.
