WordPress User Roles: Permissions & Roles Explained

WordPress user roles control what each user on your site is allowed to do. There are six default roles: Subscriber, Contributor, Author, Editor, Administrator, and Super Admin (Multisite only), each with its own set of permissions. Picking the right role for each person keeps your site safe and your workflow tidy.

Below I’ll walk through exactly what each role can and can’t do, how to decide which role to assign, a few WooCommerce-specific roles most guides skip, and how to create your own custom roles if the defaults don’t fit.

Screenshot: the list of user roles shown when adding a new user in WordPress.

The 6 default WordPress user roles

In practice the default roles stack: each one up the chain can do everything the role below it can, plus a few more things. WordPress doesn’t enforce that hierarchy, though. A role is just a named list of capabilities, and every permission check in core asks whether the user holds a specific capability (edit_others_posts, manage_options, and so on), never what the role is called. That matters once custom or plugin-added roles enter the picture. Here’s what each default role can do, in plain English.

Subscriber

Can: Read the site, manage their own profile, leave comments if registration is tied to commenting.

Can’t: Write or edit posts, upload media, change any site settings.

Use it for: Membership sites, gated content, newsletter signups, anywhere a logged-in identity matters but the person shouldn’t touch content. Most blogs never use this role.

Contributor

Can: Write and edit their own posts, submit them for review.

Can’t: Publish their own posts, upload media (yes, really), edit anyone else’s posts.

Use it for: Guest writers or new staff you want to vet before anything goes live. An Editor or Admin reviews and hits publish.

Heads up: The no-media-upload rule catches people off guard. If your contributors need to add images to drafts, install a small plugin like Allow Contributors to Upload Files, or promote them to Author.

Author

Can: Write, edit, publish, and delete their own posts. Upload media.

Can’t: Touch other users’ posts, create or edit pages, moderate comments on posts they didn’t write, access plugins, themes, or settings.

Use it for: Regular contributors you trust to publish on their own. This is the sweet spot for most multi-author blogs.

Editor

Can: Publish, edit, and delete any post or page, by any author, including private ones. Manage categories and tags. Moderate comments. Upload media.

Can’t: Install or activate plugins, change themes, add, edit, or delete users, touch site settings.

Use it for: Your managing editor or content lead. They run the editorial calendar without being able to break the site. This is the highest role most content people ever need.

Heads up: On a single-site install, Editors (like Administrators) hold the unfiltered_html capability, so they can put arbitrary HTML and script into posts and pages. Only give Editor to someone you’d trust with that. If that’s not acceptable, define DISALLOW_UNFILTERED_HTML as true in wp-config.php, which strips that capability from everyone, Administrators included.

Administrator

Can: Everything on a single site. Install plugins and themes, add and remove users, change any setting, edit theme and plugin files, run core updates.

Can’t: Manage a Multisite network (that’s Super Admin territory). On a Multisite install, site Administrators also can’t install plugins or themes or edit files; those are Super Admin only.

Worth knowing: the built-in theme and plugin file editor lets anyone with an Administrator session write arbitrary PHP to the server, which is exactly what an attacker who phishes an Admin account does first. Setting DISALLOW_FILE_EDIT to true in wp-config.php turns that editor off for every account.

Use it for: You, and maybe one trusted backup. Keep the Administrator list short. Every extra Admin is another account an attacker could compromise to take over your site.

Super Admin (Multisite only)

Can: Everything an Admin can, plus manage the entire network of sites. Create and delete sites, install network-wide plugins and themes, manage network settings.

Use it for: Network owners only. Super Admin exists solely on WordPress Multisite installs. On a standard single-site install there’s no Super Admin, and a regular Administrator effectively has all the power.
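Because WordPress checks capabilities rather than role names, code that tests for the Administrator role by name is the most common way custom pages end up either locking out a legitimately privileged custom role or, worse, trusting a role name that a plugin can change. The following is an added example (not code from the original article) of the capability-based checks you should use in your own plugin code. The function names, the acme prefix, the options page slug and the form action are assumptions chosen for illustration.

```php
<?php
/**
 * Added example: gating an admin page, a form handler and a post edit on
 * capabilities instead of role names. Drop into a plugin or mu-plugin.
 * 'acme_*' names, the 'acme-reports' page slug and the 'acme_save_report'
 * action are illustrative assumptions.
 */

// Wrong: hard-coding the role name. A custom role deliberately granted
// manage_options is refused, and the check silently breaks if a plugin
// renames or replaces the role.
function acme_user_is_admin_wrong( WP_User $user ): bool {
    return in_array( 'administrator', (array) $user->roles, true );
}

// Right: ask for the capability the action actually needs.
function acme_user_may_manage_settings( WP_User $user ): bool {
    return user_can( $user, 'manage_options' );
}

// Post-level checks go through map_meta_cap: pass the object ID so WordPress
// resolves 'edit_post' to edit_posts / edit_others_posts / edit_published_posts
// depending on who wrote the post and whether it is published.
function acme_user_may_edit_post( WP_User $user, int $post_id ): bool {
    return user_can( $user, 'edit_post', $post_id );
}

// Register an options page that only holders of manage_options can see.
add_action( 'admin_menu', function () {
    add_options_page(
        'Acme Reports',
        'Acme Reports',
        'manage_options',          // capability required for the menu entry
        'acme-reports',
        'acme_render_reports_page'
    );
} );

function acme_render_reports_page() {
    // The menu capability only hides the link; re-check on render so a
    // hand-crafted request to the page URL is refused too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    echo '<div class="wrap"><h1>Acme Reports</h1></div>';
}

// Form handler: capability check plus nonce. A capability check alone does
// not stop CSRF, because the victim's own browser carries the privilege.
add_action( 'admin_post_acme_save_report', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_save_report' );
    // ... persist the submitted settings here ...
    wp_safe_redirect( admin_url( 'options-general.php?page=acme-reports' ) );
    exit;
} );
```

The same rule applies when you read the comparison table below: the rows are capabilities, the columns are the bundles the default roles happen to ship with, and a custom role can be any mix of rows.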

User roles at a glance

Here’s a quick comparison of what each role can do:

Capability                     Subscriber  Contributor  Author  Editor  Admin
Read the site                  Yes         Yes          Yes     Yes     Yes
Write own posts                -           Yes          Yes     Yes     Yes
Publish own posts              -           -            Yes     Yes     Yes
Upload media                   -           -            Yes     Yes     Yes
Edit others’ posts             -           -            -       Yes     Yes
Manage categories & comments   -           -            -       Yes     Yes
Edit pages                     -           -            -       Yes     Yes
Install plugins & themes       -           -            -       -       Yes
Manage users                   -           -            -       -       Yes
Change site settings           -           -            -       -       Yes

Which role should you give someone?

The rule I always come back to: give the lowest role that lets the person do their job. You can always promote someone later, and “too restrictive” is a fixable inconvenience. “Too permissive” is how sites get broken.

  • Guest writer or freelancer on a trial: Contributor
  • Regular staff writer you trust to publish: Author
  • Managing editor, editorial assistant, VA handling content: Editor
  • Comment moderator: Editor (moderate_comments alone isn’t enough; approving or editing a comment also requires edit rights on the post it sits on, which in practice means Editor)
  • Developer or agency doing one-time work: Administrator, removed as soon as the job’s done
  • Client who just wants to log in and peek: Subscriber or Editor depending on scope
  • You: Administrator, with a strong password and two-factor turned on

WooCommerce user roles

If you run a WooCommerce store, the plugin adds two roles on top of the default six. Most people find these by accident while managing customers and wonder where they came from.

  • Customer: Auto-assigned when someone creates an account during checkout. Can view their own orders, addresses, and account details. Can’t see other customers or any store settings.
  • Shop Manager: Full control over WooCommerce (products, orders, coupons, reports, tax settings) but cannot install plugins, switch themes, or change core WordPress settings. This is the role you give an ops person or store manager so they can run the shop without being an Admin. Be aware that it isn’t shop-only: Shop Manager also carries the Editor role’s content capabilities, so they can edit and publish anyone’s posts and pages, and they can view and edit Customer accounts (though not other staff).

Security: why you shouldn’t hand out Administrator accounts

The most common WordPress security mistake I see on client sites is too many Administrators. Someone joins the team, needs to do one admin-ish thing, gets an Administrator account, and nobody remembers to downgrade them a month later. A year in, there are eight Admins, half of them are old freelancers with reused passwords, and the site is one phishing email away from trouble.

A few practical rules:

  • Cap your Admins. Ideally one or two per site. Everyone else gets Editor or below.
  • Downgrade or delete old accounts. When someone leaves or finishes a project, change their role to Subscriber or delete them the same day.
  • Audit quarterly. Go to Users → All Users and actually read the list.
  • Use strong passwords and two-factor. Especially on any account with manage_options.
  • Track changes. A plugin like Simple History or WP Activity Log tells you who did what, which is gold when something goes sideways.
  • Give per-project Admins an expiration. If an agency needs access, add them as Admin, do the work, remove them. Don’t leave the account sitting there.
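The quarterly audit is easier to keep up if it’s a command rather than a habit. Below is an added example (not code from the original article) of a small must-use plugin that records each user’s last login and adds a WP-CLI command listing every account that holds manage_options. It selects on the capability rather than the Administrator role name, so a custom or plugin role that was quietly granted settings access shows up too, and it flags accounts with no login in the last 90 days. The command name, the acme_last_login meta key and the 90-day threshold are assumptions.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/acme-admin-audit.php
 * Records last login per user and provides `wp acme audit-admins`.
 * The command name, meta key and threshold are illustrative assumptions.
 */

// Store the last successful login as a Unix timestamp in user meta.
add_action( 'wp_login', function ( $user_login, WP_User $user ) {
    update_user_meta( $user->ID, 'acme_last_login', time() );
}, 10, 2 );

/**
 * Every account that can change site settings, with how stale its login is.
 * Kept as a plain function so it can be reused from PHP as well as the CLI.
 */
function acme_list_privileged_users( int $stale_after_days = 90 ): array {
    $rows = array();
    foreach ( get_users( array( 'number' => -1 ) ) as $user ) {
        // Capability check, not role check: catches custom roles too.
        if ( ! user_can( $user, 'manage_options' ) ) {
            continue;
        }
        $last = (int) get_user_meta( $user->ID, 'acme_last_login', true );
        $days = $last ? (int) floor( ( time() - $last ) / DAY_IN_SECONDS ) : null;
        $rows[] = array(
            'ID'         => $user->ID,
            'user_login' => $user->user_login,
            'user_email' => $user->user_email,
            'roles'      => implode( ',', $user->roles ),
            'last_login' => $last ? wp_date( 'Y-m-d', $last ) : 'never recorded',
            // "never recorded" is treated as stale: either the account has not
            // been used since this plugin was installed, or it is abandoned.
            'stale'      => ( null === $days || $days >= $stale_after_days ) ? 'yes' : 'no',
        );
    }
    return $rows;
}

// Usage: wp acme audit-admins [--stale-days=<n>] [--format=<table|csv|json>]
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'acme audit-admins', function ( $args, $assoc_args ) {
        $days = (int) ( $assoc_args['stale-days'] ?? 90 );
        $rows = acme_list_privileged_users( $days );

        WP_CLI\Utils\format_items(
            $assoc_args['format'] ?? 'table',
            $rows,
            array( 'ID', 'user_login', 'user_email', 'roles', 'last_login', 'stale' )
        );

        if ( count( $rows ) > 2 ) {
            WP_CLI::warning( sprintf(
                '%d accounts hold manage_options; aim for one or two.',
                count( $rows )
            ) );
        }
    } );
}
```

Run it from the site root with WP-CLI. Anything marked stale is a candidate for downgrading to Subscriber or deleting, per the rules above; an account you don’t recognise at all is a candidate for an incident ticket, not just a cleanup.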

If you’re curious about specific hardening steps, I’ve also written about changing your WordPress login URL and tracking user last login dates, both of which pair well with tighter role management.

How to create a custom user role

If none of the defaults fit (say, you want an “SEO Editor” who can edit posts and manage redirects but nothing else), you can create a custom role.

The plugin route: Install User Role Editor. It gives you a UI to duplicate an existing role, rename it, and toggle capabilities on or off. For most site owners this is the fastest way.

The code route: Use add_role() in your theme’s functions.php or a custom plugin. The capability keys must be real WordPress (or plugin-registered) capability slugs; a typo doesn’t error, it just grants nothing. Here’s the pattern:

// Roles live in the wp_user_roles option in the database, so this only
// needs to run once. add_role() returns null and changes nothing if a role
// with that slug already exists, but the get_role() guard keeps intent clear.
if ( null === get_role( 'seo_editor' ) ) {
    add_role(
        'seo_editor',        // role slug, as stored in the database
        __( 'SEO Editor' ),  // display name shown in the Users screen
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'edit_others_posts'    => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'manage_categories'    => true,
            'upload_files'         => true,
        )
    );
}

Run this once (inside a conditional or on plugin activation). It writes the role into the database, so you don’t need to leave the code running forever. The flip side is that deleting the code doesn’t delete the role: call remove_role( 'seo_editor' ) to get rid of it, and reassign any users holding it first, because a user whose role no longer exists is left with no capabilities at all.
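Here is the “on plugin activation” version carried through, as an added example that is not code from the original article. It also covers the Contributor media-upload fix from earlier in the page without a third-party plugin, by granting upload_files to the existing Contributor role, and it undoes both changes on deactivation so the database matches what the plugin said it did. The plugin name, the acme prefix and the capability set are assumptions; in a theme’s functions.php you would hook after_switch_theme instead, since register_activation_hook() only fires for plugins.

```php
<?php
/**
 * Plugin Name: Acme Roles
 * Description: Added example (not from the original article). Registers the
 * site's custom roles once, on activation, and removes them on deactivation.
 * Role slug, capabilities and the acme prefix are illustrative assumptions.
 */

// One definition shared by both hooks so activation and deactivation cannot
// drift apart and leave a role behind.
function acme_custom_roles(): array {
    return array(
        'seo_editor' => array(
            'name' => 'SEO Editor',
            'caps' => array(
                'read'                 => true,
                'edit_posts'           => true,
                'edit_others_posts'    => true,
                'edit_published_posts' => true,
                'publish_posts'        => true,
                'manage_categories'    => true,
                'upload_files'         => true,
            ),
        ),
    );
}

register_activation_hook( __FILE__, function () {
    foreach ( acme_custom_roles() as $slug => $def ) {
        // add_role() is a no-op if the slug exists; guard anyway for clarity.
        if ( null === get_role( $slug ) ) {
            add_role( $slug, $def['name'], $def['caps'] );
        }
    }

    // Let Contributors attach images to their drafts. WP_Role::add_cap()
    // persists to the wp_user_roles option, so it too runs only once.
    $contributor = get_role( 'contributor' );
    if ( $contributor ) {
        $contributor->add_cap( 'upload_files' );
    }
} );

register_deactivation_hook( __FILE__, function () {
    foreach ( array_keys( acme_custom_roles() ) as $slug ) {
        // Users still assigned this role are left with no role and no
        // capabilities; move them to another role before deactivating.
        remove_role( $slug );
    }

    $contributor = get_role( 'contributor' );
    if ( $contributor ) {
        $contributor->remove_cap( 'upload_files' );
    }
} );
```

After activating, Users → Add New lists “SEO Editor” alongside the defaults, and the role survives in the database whether or not the plugin stays active until deactivation removes it.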

FAQ

What are user roles in WordPress?

User roles are named sets of permissions that control what each user can do on your WordPress site. WordPress ships with six defaults (Subscriber, Contributor, Author, Editor, Administrator, and Super Admin for Multisite), and plugins can add their own (like WooCommerce’s Customer and Shop Manager).

What is the role of an Administrator?

Administrators have full control over a single WordPress site. They can install and delete plugins and themes, add and remove users, change every setting, edit theme files, and run core updates. Limit this role to one or two trusted people.

What can Editors do in WordPress?

Editors can publish, edit, and delete any post or page, regardless of who wrote it. They can also manage categories and tags, moderate comments, and upload media. They cannot install plugins, change themes, or manage other users.

What’s the difference between Author and Contributor?

An Author can write, edit, publish, and delete their own posts, and upload media. A Contributor can write and edit their own posts but can’t publish them or upload media; an Editor or Administrator has to review and publish on their behalf.

Is Super Admin the same as Administrator?

Not quite. Super Admin only exists on WordPress Multisite installs and has power over the whole network of sites. On a standard single-site install, Super Admin doesn’t exist and a regular Administrator effectively has full control of that site.

How do I change a user’s role?

Go to Users → All Users in your WordPress admin. Check the box next to the user, choose a new role from the “Change role to…” dropdown, and click Change. You can also click into an individual user’s profile and change it there.

How can I prevent random people from registering on my WordPress site?

Go to Settings → General in the WordPress admin and uncheck “Anyone can register”. While you’re there, set the “New User Default Role” to Subscriber so that if you ever re-enable registration, new accounts default to the least powerful role.

Can I create my own WordPress user roles?

Yes. Use a plugin like User Role Editor for a UI-driven approach, or use add_role() in your functions.php or a custom plugin if you prefer code. See the custom role section above for an example.

Bottom line

For 95% of sites the six default roles (plus WooCommerce’s two if you’re running a store) cover every scenario. Give people the lowest role that lets them do their job, keep the Administrator list short, and run through your user list every few months to delete anyone who shouldn’t be there anymore. That handles most of what role management is actually about.


Andy Feliciotti

Andy has been a full-time WordPress developer for over 15 years. Through his years of experience he has built hundreds of sites and learned plenty of tricks along the way.
