security concept image

Navigating WordPress user roles to maximize site security

5 min read
Lorraine Akemann

Managing a company website is a team effort. WordPress is a popular platform that allows each person on the team to fulfill a specific role for maintaining the site. These levels of access are called WordPress user roles.

By understanding and implementing user roles, companies can manage their website operations without compromising site security.

In the hectic daily operations of a small company, it might be tempting to share website passwords with co-workers for quick access to complete a task. I’d like to emphasize why it’s worth the effort to discourage password sharing and instead assign WordPress user roles according to specific job functions.

Michiel Heijmans, partner at Yoast (a popular WordPress SEO plugin), says is well:

“Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.”

WordPress Page Editor on a Laptop

Types of WordPress user roles

The first step is to understand the different user roles and capabilities, and how they relate to business functions. Although it is possible to customize WordPress user roles with code adjustments or plugins, these are the five default user roles for a single Wordpress site.


The WordPress Administrator has full access and control over the WordPress Dashboard. The administrator can install plugins, adjust themes, add users, manage widgets, and publish posts and pages. The administrator can do everything related to creating, managing and deleting the WordPress site. In instances when there are multiple WordPress sites, there is a role for Super Administrator who has control over the entire network.

Ideally, a WordPress Administrator is a web developer with knowledge of WordPress plugins and potential plugin conflicts. They also know what the marketing and editorial departments need in terms of site menus and sidebars, since managing the menus and sidebars are administrative functions by default.


The WordPress Editor is the site content manager. They can set up categories, assign authors, and publish posts and pages. They also have the ability to delete content.


WordPress Authors can write and publish their own content, including files and images, but cannot publish anyone else’s content. Authors can also delete posts, but only their own.


WordPress Contributors can write their own content, but cannot publish to the site. Contributors cannot upload files or images. Contributors cannot delete or edit anything they’ve contributed.


Subscribers are the most limited out of all user roles. Aside from being able to manage their own user profile, the rest of their access to the site is read-only.

Setting up new users in WordPress

From the WordPress Dashboard, site administrators can select Users > Add New, and then assign the appropriate user role.

WordPress A New User Screen With Highlight on User Roles

Advantages of assigning user roles

1. Avoid plugin conflicts by having a single WordPress Administrator

Many features on a WordPress site are built out by installing plugins. Plugins are self-contained software modules that perform specific functions on a WordPress site. Sometimes, if two plugins are installed that perform the same task, conflicts can occur. This could happen when multiple people have access to the admin password, and install plugins without coordinating with each other.

Having a single WordPress Administrator with a global view of the site’s functionality can minimize plugin conflicts and maximize site security.

2. Keep content secure by having only the necessary number of experienced Editors

Two user roles with the ability to delete content are Administrator and Editor.

Too many people with the ability to delete content could lead to security holes, whether intentional or not.

Consider limiting the number of Editors to only an essential number for getting the site work done, and make sure every Editor is experienced with the WordPress dashboard.

In an ideal world, I would have only one Editor per site who worked closely with the Administrator. This way, security of the site’s content could be centralized with two trustworthy and experienced people. If they are a good team who communicates regularly, the Editor can also enlist the Administrator’s help on arranging menus and sidebars based on the site’s most current content needs.

3. Keep generating new content

Creating new content for a single site means lots of writing and publishing, especially if new content is being created on a daily basis. By having a team of writers in the form of Authors or Contributors, companies can generate volumes of new content directly into WordPress without risk to the rest of the website.

Authors and Contributors could be the largest number of users on the site, powering new posts while the Administrator and Editor can focus on site development and overall content strategy.

Does that sound like a good plan? Great. Next time a new person joins your team, think about their business role, and then their WordPress user role respectively. Implementing user roles could make a difference in the overall quality and security of your website.