WordPress Roles, Users and Permissions « DomainFactory Blog

Like most CMS systems, WordPress offers the option of creating different users and granting them specific permissions by assigning them a role. This makes it possible to give every user access to the functions that are useful for them. Individual WordPress roles can also be restricted, which minimizes security risks and the risk of potential operating errors. In this article you will learn what you should consider.

The essentials in brief:

  • WordPress roles control users' access rights.
  • In the WordPress user management you can create users and assign them roles.
  • Users with the Author role can only manage specific pages in WordPress.

WordPress Roles: Create user

You can add a new user in the backend, in the WordPress user management under the menu item “Users”.

When filling out the form, keep certain security-related aspects in mind, because one of the most effective ways to improve WordPress security is to use smart usernames and strong passwords.

Create new users in the WordPress user management.

User name

Choose a name that cannot be deduced from the user’s real name. For hackers, the username is the first step towards the goal – once it is known, only the password needs to be cracked.

💡 Our tip: In order to increase WordPress security, user names should not be freely visible – neither via the signature of contributions (see also the next but one section on first and last name), nor via the query /?author=1, 2, 3 etc. The WordPress plugin Edit Author Slug helps here, with which the so-called author base can be changed and the user name stored there can be replaced with any word.

E-mail address

The email address stored here is used by WordPress to send the new user the password and login. Warning: An email address can only be used once in a WordPress installation. If you want to create an additional editor account as an administrator (see section “Administrator”), you will need a second email address.

First and Last Name

Mandatory fields for creating a user are only username, e-mail and password. However, you should also include the user’s first and last name, otherwise their username will appear under their posts. Hackers could then use this for login attempts. If the user does not want their posts to be signed with real names, you can also enter a nickname in their profile (more on this in the “Edit user” section), which will then be displayed under the posts instead of the real name.


Website

This field is not mandatory and not relevant for WordPress security. For authors with their own website or guest authors, however, it offers the possibility of creating links to their own site.


Password

WordPress automatically generates a strong password and sends it to the new user’s email address. When logging in for the first time, the user is then asked to enter a new password.

Important: Support your users in choosing a password. In a separate article we will go into more detail on the topic of “secure passwords”.

WordPress user management

As a WordPress admin, you can make changes to a user profile at any time. In the WordPress user administration, select the entry “Edit” under the user name. In the corresponding form you can, for example, add or change real names, enter social media addresses or change the role and password. You can also enter a nickname here.

A user’s profile settings

The only thing that cannot be changed in the WordPress user management – nor anywhere else in the backend – is the username. The easiest way to get a new username is to create a new account. This applies in particular to the administrator.

The WordPress user roles and their permissions

The most important question in WordPress rights management is: who needs which functions and rights for their tasks? The five standard WordPress user roles are Administrator, Editor, Author, Contributor, and Subscriber. In this way, even complicated assignments of tasks can be well covered. If in doubt, assign fewer permissions first – if problems arise, you can change the user role with just a few mouse clicks.


Administrator

The administrator has all permissions for the website and full control over content, settings, themes, plugins, imprint, etc. The administrator controls WordPress rights management and can create or delete users at any time – including other administrators.

The assignment of an administrator role should therefore be well thought out, because it is a free pass for any changes and for potential manipulations. It is recommended to only assign one administrator role for each website and to only use it for administrative work.

A special case is the Super Administrator. However, this role is only available if WordPress is configured as a multisite system. The Super Administrator then has all rights to all websites in the system.

Our tip: It is recommended for administrators to create an editor account for non-administrative work in addition to the admin account. In this way, you can be sure that the basic functionalities or designs of the website are not accidentally changed when working on content or when performing editorial tasks. If you want to change the author of a post or assign pages to a user in WordPress, an editor account is sufficient. In addition, a user with an editor login can also blog on the go via WLAN hotspots, Internet cafés or WLAN access points in hotels and with minimized risk. If the editor’s access data is hacked, much less damage can be done with this account than with a hacked administrator account.
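The username and administrator advice in the sections above can be checked against a site's existing user list. The following is an added example, not part of the original article: it assumes a CSV export in the shape produced by WP-CLI's `wp user list --fields=user_login,user_nicename,display_name,roles --format=csv`, and the sample rows and function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample rows in the assumed WP-CLI CSV shape (not real accounts).
SAMPLE_EXPORT = """user_login,user_nicename,display_name,roles
admin,admin,admin,administrator
anna.schmidt,anna-schmidt,Anna Schmidt,administrator
k7-quill,newsdesk,Jonas Weber,editor
pmeier,guest-writer,Petra Meier,author
"""

def _norm(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def login_guessable_from_name(login, display_name):
    """True if the login is a common combination of the first and last name."""
    parts = [_norm(p) for p in display_name.split() if _norm(p)]
    if len(parts) < 2:
        return False
    first, last = parts[0], parts[-1]
    guesses = {first + last, last + first, first[0] + last,
               first + last[0], first, last}
    return _norm(login) in guesses

def audit_users(csv_text):
    """Return a sorted list of (user_login, finding) tuples."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    # The article recommends a single administrator account per website.
    admins = [r["user_login"] for r in rows
              if "administrator" in r["roles"].split(",")]
    if len(admins) > 1:
        findings += [(a, "more than one administrator account") for a in admins]
    for r in rows:
        login = r["user_login"]
        if r["display_name"].strip().lower() == login.lower():
            findings.append((login, "display name shows the username under posts"))
        elif login_guessable_from_name(login, r["display_name"]):
            findings.append((login, "username can be deduced from the real name"))
        # The default author slug is derived from the login; a changed slug differs.
        if _norm(r["user_nicename"]) == _norm(login):
            findings.append((login, "author slug reveals the username via /?author=N"))
    return sorted(findings)

if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_EXPORT):
        print(f"{login}: {finding}")
```

An account such as the constructed `k7-quill` row, with a changed author slug and a real name set as display name, produces no findings.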


Editor

Editors do not have administrative rights, but are allowed to do everything necessary to create and manage content. They may:

  • Create and publish pages and posts
  • Upload files, images and videos
  • Delete comments and posts
  • Manage categories and keywords (tags).
  • Edit and activate other users’ articles
  • Change the WordPress author
  • Assign pages to a user in WordPress


Author

An author is a WordPress user who can only edit certain pages. Authors cannot edit, delete, or publish other users’ pages or posts. However, they may:

  • Write and publish their own articles
  • Upload files/images/videos
  • Publish comments on their own posts


Contributor

Contributors can create and edit posts, but cannot publish them. Publishing is only possible by an editor or administrator. Contributors can no longer edit posts that have been published.


Subscriber

Of all the WordPress roles, Subscriber has the fewest privileges. Subscribers can only customize their own profile. The Subscriber role is great for giving WordPress users access to only specific pages, or read-only access to private blogs.

More WordPress roles

In addition to the standard roles, there are other predefined WordPress user roles that are provided, for example, by installing certain plugins. The WordPress plugin Yoast SEO brings the roles “SEO Editor” and “SEO Manager” into play. Shop systems, meanwhile, often offer specific WordPress user roles for customers and shop managers. This offers further options in WordPress rights management.

Extend the WordPress user management

If you would like to further customize and differentiate the roles and rights of your users, there are a number of plugins available for this, including User Role Editor, Members, Role Scoper or PublishPress Permissions.

These plugins allow you to more precisely determine which content of the website is visible to which roles. You can assign multiple roles to a user or specify in detail which user should have access to the most important areas and functions in the backend.

Photo credit: cover photo by Tumisu on Pixabay
