Getting the most out of WordPress users

WordPress allows us to have multiple website users as well as users who have access to different things. In this post we look at how users can be set up and the security implications of different user levels.

Out of the box, WordPress comes with a number of different types of users. These user types, or roles as they are called in WordPress, are used to allow certain users to have access to certain things and to be able to complete different tasks. Let's have a look at how users work in WordPress.

The WordPress user listing screen allows you to manage your site's users.

User roles and capabilities

To understand how users work in WordPress we need to look at how users are structured and how WordPress knows what a particular type of user is allowed to do.

User capabilities

This is where user roles and capabilities come in. A user capability is a list of things that a user is allowed to do. For example a user may be given a capability called ‘publish_posts’ which allows them to publish a post within WordPress. Similarly a user may have a capability called ‘delete_posts’ which will allow them to delete any posts they have created.

A user is only allowed to carry out a specific action in WordPress if they have that capability assigned to them. If a user does not have the correct capability assigned to them to complete a specific action then they are simply not allowed to do that.

User roles

To make life easier for us, we have user roles in WordPress. These are simply a collection of user capabilities, which means that when we assign a role to a user, they get assigned all the capabilities that are defined for that role, rather than having to add capabilities in turn for each user.

WordPress has the following user roles, which are summarised below with a brief overview of the main capabilities that a user can action:

  • Super administrator – this role is only present on a WordPress multisite installation. A super admin can manage all of the users and network settings in a multisite install of WordPress.
  • Administrator – this is a user with all the capabilities in WordPress. They can basically do anything in the WordPress install, including adding and removing users and plugins as well as changing site settings and options.
  • Editor – an editor can edit all content, including publishing new content and editing other users' posts. However they cannot add users or change site settings, including adding or removing plugins and themes.
  • Author – an author can publish content on the site and edit their own content, but they cannot edit other users' content, including publishing it.
  • Contributor – this role is similar to an author, however a contributor cannot publish content. They can write and edit their own content but they cannot publish it. It is marked as pending review and it needs an editor or administrator to publish the content.
  • Subscriber – this role only has the ‘read’ capability, which means they can read content on the front end of the site and they have a profile page in the WordPress admin. This role is generally used when you want users to have a login to a site but you don’t want them to be able to do anything other than read the site's content.

It is worth knowing that although an editor role, for example, has all the capabilities of an author, a contributor and a subscriber, roles are not hierarchical and this does not have to be the case. As a developer you should always check for a capability rather than a role.

User Role Editor Plugin

There are a number of open source plugins to help manage roles and capabilities in WordPress. All have their advantages and disadvantages however the User Role Editor plugin is a good starting point.

Find out more about the user editor plugin

Creating custom roles and capabilities

What makes WordPress really flexible is that we can edit all of the roles and capabilities and make use of WordPress being an extensible platform. For many sites the default WordPress roles make no sense. Let's take a look at an example.

One of our clients (VGC Group) wanted to advertise some jobs on their site. To assist them with this we created them a custom content type (called a custom post type in WordPress) where they could simply add new jobs. They wanted the system to work so that they could have a user who was in charge of looking after the jobs only. This meant that when this user logged in, all they could see in the WordPress admin screens was the normal dashboard screens, their profile page and the jobs content type. They would have access to all jobs, to edit, publish and delete them.

Due to the flexibility of the WordPress roles and capabilities system we were able to create a WordPress role with the correct capabilities so this user could only see those items and not be able to edit or see any of the other content on the site. This is really handy as we can set WordPress up so that users only see, and can only edit and publish, the parts of the site that they are responsible for.
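Here is how such a jobs-only role can be built, as an added example that is not the code from the VGC Group project. It also shows the capability check recommended earlier (testing a capability, never a role name). The post type slug `job`, the role slug `jobs_manager`, the `hd_example_` prefix and the capability names are assumptions, and the activation hook assumes the code lives in a plugin's main file.

```php
<?php
// Added example: a "Jobs Manager" role that can only manage a 'job' custom post type.
// Slugs, prefix and capability names are assumptions for illustration.

// 1. Register the post type with its own capability set instead of the default post
//    capabilities, so the jobs caps can be granted without granting 'edit_posts'.
add_action( 'init', function () {
    register_post_type( 'job', array(
        'labels'          => array( 'name' => 'Jobs', 'singular_name' => 'Job' ),
        'public'          => true,
        'show_in_menu'    => true,
        'capability_type' => array( 'job', 'jobs' ), // singular, plural
        'map_meta_cap'    => true,                   // derive edit_job etc. from edit_jobs
        'supports'        => array( 'title', 'editor' ),
    ) );
} );

// 2. Create the role once, on plugin activation. add_role() returns null when the
//    role already exists, so calling it again is harmless.
function hd_example_add_jobs_manager_role() {
    $caps = array(
        'read'                  => true, // needed to reach the dashboard and profile page
        'edit_jobs'             => true,
        'edit_others_jobs'      => true,
        'publish_jobs'          => true,
        'edit_published_jobs'   => true,
        'delete_jobs'           => true,
        'delete_others_jobs'    => true,
        'delete_published_jobs' => true,
        // Deliberately absent: edit_posts, edit_pages, upload_files, manage_options ...
        // so the Posts, Pages, Media and Settings menus never appear for this role.
    );
    add_role( 'jobs_manager', 'Jobs Manager', $caps );

    // Administrators must also receive the new capabilities or they lose the Jobs menu.
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( array_keys( $caps ) as $cap ) {
            $admin->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'hd_example_add_jobs_manager_role' );

// 3. Gate behaviour on a capability, not on a role name: this keeps working for
//    custom roles like jobs_manager and for any later re-mapping of capabilities.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'publish_jobs' ) && ! current_user_can( 'edit_posts' ) ) {
        echo '<div class="notice notice-info"><p>You can manage jobs only.</p></div>';
    }
} );
```

Because the role never receives `edit_posts`, WordPress hides the Posts menu for it automatically; the same capability names can be checked in `current_user_can()` anywhere the jobs workflow needs a permission decision.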

WordPress users and security

We are always conscious of security at Highrise Digital, and WordPress users are one of the first places security should be thought about. The golden rule with WordPress users is to always give a user the fewest capabilities necessary to complete the tasks they need to.

For example, I am writing this post logged into WordPress with an author role. Of course I need to be an administrator on the site to do things like updates and managing settings and options etc., however right now all I need to be able to do is write this post and publish it, hence I am logged in with a user that gives me those capabilities and no more.

It is often tempting to simply add everyone as an “administrator” as you may think they might need that role at some point. However being an administrator means that the user can do anything, including anything bad. Therefore if these accounts are compromised then it could lead to problems. Try to have as few administrator accounts as possible on your site.

You can find out more about security in our blog posts about security tips for busy website owners here.

Do you need custom WordPress users?

We can help you customise the WordPress users on your site.

Custom WordPress development

We have built a number of sites where we have customised the roles and capabilities used by WordPress users to make the editing and publishing experience and workflow effortless. If you have these needs then why not get in touch?

In summary

WordPress has a very good built-in user management system that allows us to create different users who have specific roles assigned to them. This allows each user to carry out only the tasks they are allowed to, rather than giving them access to everything.

Additionally we can customise the different roles and capabilities on the site to make them appropriate for the needs of the site and the site's content.

Lastly, it is good practice to make sure that a user has the lowest level of access (in terms of the capabilities the user is assigned) that is needed to carry out the tasks they are completing. Limiting the number of administrator users on a site is a good thing.

About the author

Mark is the lead WordPress developer at Highrise Digital. He has been working with WordPress for over 13 years, way back to 2005. He focuses on back-end development, integrating the website build with WordPress so it can be editable.