WP AI Agent

How to Manage User Roles and Permissions in WordPress


Learning how to manage user roles and permissions in WordPress is one of the most important skills for any site owner who collaborates with a team, accepts contributors, or runs a membership site. WordPress ships with a flexible built-in role system that gives you granular control over what every registered user can see and do on your site. This guide walks you through everything from the default roles to advanced customisation with code and plugins.

Understanding the Default WordPress User Roles

Before you can manage roles effectively, you need to understand what WordPress provides out of the box. There are five core roles, each with a progressively larger set of capabilities.

Administrator

The Administrator role has unrestricted access to every feature in the WordPress dashboard. Administrators can install plugins and themes, create or delete any user, and modify site settings. On a Multisite network, a separate Super Admin role sits above regular administrators and controls network-wide settings.

Editor

Editors can publish, edit, and delete posts and pages written by any user on the site. They manage categories, tags, comments, and can upload media. They cannot, however, install plugins or change site settings, making this role ideal for managing editorial teams.

Author

Authors can write, edit, publish, and delete their own posts only. They can also upload files. They have no access to other users' content or to site configuration options.

Contributor

Contributors can write and edit their own posts but cannot publish them. Every post they submit must be reviewed and published by an Editor or Administrator. This role works well for guest writers or new team members you do not yet fully trust.

Subscriber

Subscribers can only log in, read content, and manage their own profile. This is the default role assigned to new registrants on membership or community sites where public registration is enabled.

How to Add, Edit, and Remove Users in WordPress

Managing user roles starts with knowing how to add and update user accounts through the WordPress admin panel.

Adding a New User

  1. Log in to your WordPress dashboard and navigate to Users > Add New.
  2. Fill in the required fields: username, email address, and a secure password.
  3. In the Role dropdown, select the appropriate role for this user (e.g., Editor, Author, Contributor).
  4. Check Send the new user an email about their account if you want WordPress to notify them automatically.
  5. Click Add New User to save.

Changing an Existing User's Role

  1. Go to Users > All Users in your dashboard.
  2. Hover over the username you want to edit and click Edit.
  3. Scroll down to the Role dropdown and select the new role.
  4. Click Update User to save the change.

Bulk-Changing Roles

  1. Go to Users > All Users.
  2. Select the checkboxes next to the users you want to update.
  3. Open the Change role to… dropdown above the list.
  4. Select the target role and click Change.

Deleting a User

  1. Go to Users > All Users.
  2. Hover over the user and click Delete.
  3. WordPress will ask what to do with content owned by that user. Choose to Delete all content or Attribute all content to another user.
  4. Click Confirm Deletion.

Customising Roles and Capabilities with Code

The default roles cover most use cases, but complex sites often need custom capabilities. WordPress exposes the add_role(), remove_role(), get_role(), add_cap(), and remove_cap() functions for this purpose.

Creating a Custom Role with PHP

Add the following snippet to your theme's functions.php file or, better yet, to a site-specific plugin so the role persists after theme changes. The snippet below creates a Content Manager role that can edit and publish posts but cannot manage plugins or themes.

/**
 * Register a custom Content Manager role.
 * Hooked to init, so it runs on every request; the guard returns
 * early once the role is already stored in the database.
 */
function wpai_register_content_manager_role() {
    // Role already registered: nothing to do.
    if ( get_role( 'content_manager' ) ) {
        return;
    }

    add_role(
        'content_manager',
        __( 'Content Manager', 'textdomain' ),
        array(
            'read'                  => true,
            'edit_posts'            => true,
            'edit_others_posts'     => true,
            'edit_published_posts'  => true,
            'publish_posts'         => true,
            'delete_posts'          => false,
            'delete_others_posts'   => false,
            'manage_categories'     => true,
            'upload_files'          => true,
        )
    );
}
add_action( 'init', 'wpai_register_content_manager_role' );

Important: WordPress stores roles in the database. If you add a role inside a plain init hook it will run on every page load. Wrap it in an activation hook or use a conditional check such as if ( ! get_role( 'content_manager' ) ) to prevent redundant database writes.

Adding or Removing Capabilities from an Existing Role

You can grant or revoke individual capabilities on any built-in or custom role:

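// Grant the Editor role the ability to manage options (use cautiously).
// The change is saved to the database, so run this once, not on every request.
$editor = get_role( 'editor' );
if ( $editor ) {
    $editor->add_cap( 'manage_options' );
}

// Remove the capability again if no longer needed.
// get_role() returns null for an unknown role, so guard this call as well.
$editor = get_role( 'editor' );
if ( $editor ) {
    $editor->remove_cap( 'manage_options' );
}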

Managing Roles via WP-CLI

WP-CLI is the fastest way to manage roles on staging or production servers without touching the database directly.

# List all registered roles
wp role list

# Add a capability to the author role
wp cap add author edit_others_posts

# Remove a capability from the author role
wp cap remove author edit_others_posts

# Create a brand-new role
wp role create moderator Moderator

# Delete a custom role
wp role delete moderator

Using Plugins to Manage Roles and Permissions

Not every site owner is comfortable writing PHP. Several well-maintained plugins provide a graphical interface for role management.

User Role Editor

User Role Editor (by Vladimir Garagulya) is the most widely used free option. It lets you add, remove, and clone roles from a single screen, and toggle individual capabilities using checkboxes. To use it:

  1. Go to Plugins > Add New and search for User Role Editor.
  2. Install and activate the plugin.
  3. Navigate to Users > User Role Editor.
  4. Select a role from the dropdown and check or uncheck capabilities as needed.
  5. Click Update to save.

Members Plugin

The Members plugin by MemberPress offers a clean visual editor for roles and even supports content restriction by role, which is useful for membership sites. The free version covers most role-management needs, while the Pro version adds integration with WooCommerce and other plugins.

WooCommerce-Specific Roles

If you run a WooCommerce store, note that WooCommerce adds its own roles: Customer and Shop Manager. The Shop Manager role mirrors Administrator capabilities but is intentionally restricted from certain site-wide settings. Manage these roles the same way you would any default WordPress role.

WordPress User Role Security Best Practices

Incorrectly configured roles are a leading cause of WordPress security incidents. Following these best practices significantly reduces your attack surface.

Apply the Principle of Least Privilege

Always assign the lowest role that allows a user to do their job. A blog contributor should never be an Administrator. Regularly audit your user list and downgrade or remove accounts that no longer need elevated access.

Limit the Number of Administrators

Every Administrator account is a potential attack vector. Aim to have only one or two Administrator accounts and protect them with strong, unique passwords and two-factor authentication (2FA). Plugins such as WP 2FA make enforcing 2FA easy across your team.

Disable User Registration if Not Needed

If your site does not require public registration, turn it off. Go to Settings > General and uncheck Anyone can register. Also set the New User Default Role to Subscriber rather than anything more powerful.

Monitor User Activity

Install an activity-log plugin such as WP Activity Log to track login attempts, role changes, and content edits. Logs are invaluable for diagnosing permission problems and detecting suspicious behaviour.

Review Third-Party Plugin Capabilities

Many plugins register custom capabilities (e.g., manage_woocommerce, edit_shop_orders). Check which capabilities each installed plugin adds and ensure they are assigned only to the roles that genuinely need them.
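
The audit described in the practices above can be scripted. The following is an added example, not code from the original article: a read-only script for wp eval-file that reports non-administrator roles holding high-risk capabilities, every Administrator account, and users granted capabilities outside their role. The file name audit-roles.php and the contents of the high-risk list are assumptions; the capability names themselves are WordPress core capabilities.

```php
<?php
// Added example. Run read-only with: wp eval-file audit-roles.php
// The list is an assumption; extend it with plugin capabilities
// such as manage_woocommerce where they apply to your site.
$high_risk = array(
    'manage_options', 'install_plugins', 'activate_plugins', 'edit_plugins',
    'edit_themes', 'edit_users', 'create_users', 'delete_users',
    'promote_users', 'unfiltered_html',
);

// 1. Non-administrator roles that hold a high-risk capability.
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( 'administrator' === $slug ) {
        continue;
    }
    // Keep only capabilities that are granted (true), not explicitly denied.
    $granted = array_keys( array_filter( $role['capabilities'] ) );
    $hits    = array_intersect( $high_risk, $granted );
    if ( $hits ) {
        printf( "ROLE  %-20s %s\n", $slug, implode( ', ', $hits ) );
    }
}

// 2. Every Administrator account, for the "one or two" review.
$admins = get_users( array( 'role' => 'administrator' ) );
foreach ( $admins as $admin ) {
    printf( "ADMIN %-20s registered %s\n", $admin->user_login, $admin->user_registered );
}
printf( "Administrators: %d\n", count( $admins ) );

// 3. Capabilities stored on the user itself rather than inherited from a role.
//    A role that has since been deleted also shows up here as an orphan entry.
//    get_users() loads every account; page through results on large sites.
foreach ( get_users() as $user ) {
    $direct = array_diff( array_keys( array_filter( $user->caps ) ), $user->roles );
    if ( $direct ) {
        printf( "USER  %-20s %s\n", $user->user_login, implode( ', ', $direct ) );
    }
}
```

On a default single-site install the Editor role is reported for unfiltered_html, which it holds out of the box; treat any other ROLE or USER line as something to justify or revoke.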

Troubleshooting Common User Role Issues

Even experienced WordPress developers run into role and permission problems. Here are the most common issues and how to fix them.

User Cannot Access a Page They Should

First confirm the user's role is correct under Users > All Users. Then check whether a plugin or theme is restricting access with current_user_can() calls. Use the User Role Editor plugin to verify which capabilities the role actually has in the database, since a bad plugin may have stripped capabilities without warning.

Administrator Cannot See Certain Menu Items

Some security plugins (e.g., Wordfence, iThemes Security) let you hide admin menu items per role. Check those plugins' settings first. Also confirm that no custom code is using remove_menu_page() or remove_submenu_page() conditionally on the current user's role.

Roles Reset After Theme Switch

If you registered a custom role inside your theme's functions.php without a proper activation hook or existence check, switching themes will remove the role. Move role registration to a site-specific plugin (a simple PHP file in wp-content/plugins/) so it is theme-independent.
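
A site-specific plugin that follows this advice and the activation-hook advice from "Creating a Custom Role with PHP" could look like the following. This is an added example, not code from the original article; the plugin name, the example_ function names, the EXAMPLE_CM_ROLE_VERSION constant and the example_cm_role_version option are hypothetical. It also handles a case the role snippet does not: add_role() does nothing when the role already exists, so later changes to the capability list in code need an explicit sync.

```php
<?php
/**
 * Plugin Name: Site Roles (added example)
 * Description: Registers the Content Manager role independently of the active theme.
 */

// Hypothetical version marker: bump it whenever example_cm_caps() changes.
const EXAMPLE_CM_ROLE_VERSION = 2;

function example_cm_caps() {
    return array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_others_posts'    => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'manage_categories'    => true,
        'upload_files'         => true,
    );
}

function example_cm_sync_role() {
    $wanted = example_cm_caps();
    $role   = get_role( 'content_manager' );

    if ( ! $role ) {
        add_role( 'content_manager', 'Content Manager', $wanted );
    } else {
        // Role exists: reconcile stored capabilities with the list in code.
        foreach ( $wanted as $cap => $grant ) {
            $role->add_cap( $cap, $grant );
        }
        // Revoke anything stored but no longer listed. This also removes
        // capabilities added through a role-editor plugin.
        foreach ( array_keys( $role->capabilities ) as $cap ) {
            if ( ! isset( $wanted[ $cap ] ) ) {
                $role->remove_cap( $cap );
            }
        }
    }
    update_option( 'example_cm_role_version', EXAMPLE_CM_ROLE_VERSION );
}
register_activation_hook( __FILE__, 'example_cm_sync_role' );

// Code deployed without re-activating the plugin: one option read per request,
// and a database write only when the version marker has changed.
add_action( 'init', function () {
    if ( (int) get_option( 'example_cm_role_version' ) !== EXAMPLE_CM_ROLE_VERSION ) {
        example_cm_sync_role();
    }
} );
```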

Wrong Default Role Assigned to New Users

Go to Settings > General and verify the New User Default Role dropdown. If the site uses a plugin that overrides this (common with BuddyPress or membership plugins), check those plugin settings as well.

Frequently Asked Questions

What is the difference between an Editor and an Administrator in WordPress?

An Administrator has full control over the entire WordPress site, including installing plugins, managing themes, and creating or deleting users. An Editor can manage all posts and pages from any author but cannot access site configuration, install plugins, or manage users. Use the Editor role for trusted team members who should handle content but not site infrastructure.

Can I create a custom user role in WordPress without a plugin?

Yes. WordPress provides the add_role() PHP function that lets you define a new role and its capabilities entirely in code — typically in a site-specific plugin or via WP-CLI. However, a plugin like User Role Editor is faster and safer for non-developers because it provides a visual interface and prevents accidental capability misconfiguration.

How do I stop subscribers from accessing the WordPress dashboard?

In a site-specific plugin or functions.php, use the admin_init hook to check whether the current user has only the Subscriber role and, if so, redirect them to the front end with wp_redirect( home_url() ). Alternatively, install a plugin like Remove Dashboard Access, which handles this with a settings toggle and no coding required.
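
One way to write that check, as an added example that is not code from the original article. It uses wp_safe_redirect() in place of wp_redirect(), skips AJAX requests (admin-ajax.php also fires admin_init, and front-end features rely on it), and hides the toolbar for the same accounts.

```php
<?php
// Added example: send Subscriber-only accounts from /wp-admin/ to the front end.

// Helper name is hypothetical. True when the account's only role is Subscriber.
function example_is_subscriber_only( $user ) {
    return $user->exists()
        && array_values( $user->roles ) === array( 'subscriber' );
}

add_action( 'admin_init', function () {
    // Front-end AJAX goes through wp-admin/admin-ajax.php; redirecting it
    // would break forms and widgets for logged-in subscribers.
    if ( wp_doing_ajax() ) {
        return;
    }

    if ( example_is_subscriber_only( wp_get_current_user() ) ) {
        // This also blocks wp-admin/profile.php, so provide a front-end
        // profile page if subscribers need to edit their details.
        wp_safe_redirect( home_url() );
        exit; // Stop execution so the admin screen is never rendered.
    }
} );

// Hide the admin toolbar on the front end for the same accounts.
add_filter( 'show_admin_bar', function ( $show ) {
    return example_is_subscriber_only( wp_get_current_user() ) ? false : $show;
} );

// This is interface hygiene, not access control: what a subscriber may
// actually do is still decided by the capabilities assigned to the role.
```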

Are WordPress user roles stored in the database?

Yes. WordPress stores role definitions in the wp_options table under the key wp_user_roles (the prefix may differ). Individual user role assignments are stored as user meta in the wp_usermeta table under the key wp_capabilities. This is why changes made with add_role() or capability functions persist across requests — and why you should only register a role once, not on every page load.

Managing WordPress user roles and permissions does not have to be complicated, but it does require attention to detail to keep your site secure and your team productive. Whether you use the built-in role system, a dedicated plugin, or custom PHP code, the principles of least privilege and regular auditing will serve you well. If you would prefer a faster, hands-off approach, WP AI Agent is an AI-powered chat tool that lets you manage user roles, update permissions, and perform dozens of other WordPress tasks simply by describing what you need in plain language — no dashboard digging or code required.
