One of the great things about WordPress is that you can assign different user roles to the people who work on your website, with each role having different permissions for what they can and cannot do.

Just like you wouldn’t give just anyone the keys to your house, or your car, you don’t want to give everyone full access to your website.

I know it’s tempting for a lot of small business owners to simply share their main WordPress account login with whoever needs some sort of access to their website… maybe it feels easier/faster to just share that one account, because I know a lot of folks who do it.

But this is not the best way to manage your website, since sharing one account can open you up to security risks.

What should you be doing instead?

You *should* be creating individual accounts for the people you work with and giving them only the level of access that they need for the responsibilities they have on your website — no more, no less.

So let’s look at the user roles you can choose from.

WordPress User Roles

There are 5 WordPress user roles that are available by default:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

You can see a full comparison chart of each role’s permissions here.

But in this post I just want to highlight the key points for each role.


Administrator

Administrators have full control of your site with no limits. They can add, edit and delete all posts and pages; they can install, edit and delete plugins and themes; and they can even add, edit, or delete users (even other admins!). You can understand why you wouldn’t want to give just anyone the ability to delete your user admin rights!

Who should be assigned this role?

This user role should only be given to people who *really* need full access to your site, and those that you completely trust. People who may need this access are your website developer or someone else on your team who is in charge of keeping your WordPress software and plugins up to date.

You should not give this level of access to someone who only needs to post blog articles or update other content on your website. Even your team members who have the best of intentions may accidentally make updates to the site that you don’t want.

For example, a business owner I personally know had an assistant with administrator level access who decided to help by running WordPress updates even though she’d been told to leave that to the web development team.

She ran the WordPress updates, thought everything looked fine and moved on with her day… but it turned out a plugin update had broken part of the website, which showed up a number of hours later in the form of the entire website going down.

There was absolutely *no* malice in this case and she had nothing but good intentions… but the result was still a broken website. If she had been given only the “Editor” access she required, it wouldn’t have happened.

Which brings me to the next role…


Editor

An Editor has full access and control of your content only. Editors may add, edit, and delete pages and posts, and they have full access to your media library (so they can upload images and files), but they can’t install or update plugins or themes. Editors also cannot add, edit or delete other user accounts.

Who should be assigned this role?

Anyone on your team who needs to update *content only* should be given Editor level access. For example, this might include your assistant who manages your website content and blog, or your SEO person who needs access to edit your page titles and meta data.


Author

An Author can add, edit or publish posts, but not the other page content on your website. They can also upload files and images to your media gallery and delete their own posts. However, like Editors, they won’t be able to change your settings, update plugins or themes, and they can’t edit user accounts.

Who should be assigned this role?

The Author role is suitable for a guest blogger whose work you don’t need to approve. Keep in mind that since Authors can delete their own posts, you could potentially lose content if they ever decided to remove their posts from your site in the future.

Author level access would also be suitable for admin assistants or interns who are only responsible for adding and editing blogs on your site.


Contributor

A Contributor only has the ability to add, edit or delete their own posts until you choose to publish the post, and after that, they no longer have the ability to change the posts. In this case, these users don’t have the ability to upload files, so it’s important to note that they won’t be able to add images to any blog posts being prepared.

That said, there are user management plugins like User Role Editor or Capability Manager Enhanced that enable you to change the permissions on default roles.

Who should be assigned this role?

The Contributor role would be suitable for a guest blogger whose work you need to approve before being published.


Subscriber

And finally, we have the Subscriber role, which only has access to their own user profile, and no access to any other areas of your website.

Who should be assigned this role?

This is a common role to use if you have a website that requires users to log in first before they can view content or leave a comment.

For example, in my own courses and membership sites, business owners need to be a paid subscriber in order to have access to view the content contained within the member areas of those websites.

Other User Roles

There are other types of user roles as well. For example, if you use WooCommerce, you will have additional roles including Customer and Shop Manager. Other plugins may also create new user roles, such as Wholesale Buyer.

I’m not going to go into detail about those roles in this post; just be aware that there are other types of roles that can exist when you have extended the functionality of your WordPress website beyond the default installation.

How to Create New Users

Now that you know what the different user roles are, you may be ready to create some new users for your own team members, so let’s talk about how you can do that.

When you’re logged in to your WordPress website as an admin, you simply go to Users > Add New and then fill in the required fields.

The username and email are required fields, while First/Last Name and website are optional.

If you want to let the new user know directly about their login info, perhaps by personally emailing their login details to them, just click on “Show Password” to see the new user account’s password.

You can also choose whether to send the user an automated notification of their new account… leave the box checked to send an email, or uncheck it if you intend to email them directly.

The role will be set as Subscriber by default, but you can select another role from the drop down menu.

Once you’ve added all your user information, click the blue “Add New User” button.

How to Edit Existing User Roles

Do you already have user accounts set up that currently have the wrong role assigned to them? It’s easy to modify their permissions!

Go to Users and then click on the user you want to modify.

Once you have the user profile open, simply scroll down to the field titled “Role”, click on the drop down menu and select the appropriate new role.

Then scroll to the bottom of the page and click the blue “Update User” button.

Voila, all done! That user now only has the permissions that come with the new role you’ve assigned.

Keep Your User List Clean

As with all areas of your website, spring cleaning is important (or fall cleaning, or winter cleaning, you get the drift!). Do an audit of your existing user lists by reviewing users currently assigned to administrator, editor, author and contributor roles. Are there any that are no longer needed?

Is there anyone currently with administrator access that should only have editor access or something with even fewer permissions?

Not that long ago, I did a WordPress security review for a client and discovered they had 7 users with access to the site and *ALL* of them were set as admins (ack!). Not only that, the list included people who hadn’t needed access to the website for many years… there were names on there that the client no longer even recognized!

Be sure to give your own website’s user list a review now to make sure it is clean and tidy.
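
If your site has more than a handful of users, the audit described above can be scripted. The following is an added example, not part of the original post: Python that reads a user export and compares each account with a list of who needs which role. The sample export, the logins and the `NEEDED` list are constructed, and the JSON is assumed to have the shape produced by WP-CLI’s `wp user list --format=json`.

```python
import json

# Default roles from the post, ranked from least to most privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample, shaped like the output of `wp user list --format=json`
# (assumed fields: user_login, roles as a comma-separated string).
SAMPLE_EXPORT = json.dumps([
    {"user_login": "dev_maria", "roles": "administrator"},
    {"user_login": "assistant_jo", "roles": "administrator"},
    {"user_login": "guest_sam", "roles": "author"},
    {"user_login": "old_agency", "roles": "administrator"},
    {"user_login": "store_kim", "roles": "shop_manager"},
    {"user_login": "member_lee", "roles": "subscriber"},
])

# Hypothetical access list kept by the site owner: who needs which role today.
NEEDED = {"dev_maria": "administrator", "assistant_jo": "editor",
          "guest_sam": "contributor"}


def highest_role(roles_field):
    """Most privileged default role in a roles string, or None if there is none."""
    known = [r.strip() for r in roles_field.split(",") if r.strip() in ROLE_RANK]
    return max(known, key=ROLE_RANK.get) if known else None


def audit(export_json, needed):
    """Return (login, action, detail) for every account that needs attention."""
    findings = []
    for user in json.loads(export_json):
        login, role = user["user_login"], highest_role(user["roles"])
        if role is None:
            # Plugin-defined or missing role: cannot be ranked, check by hand.
            findings.append((login, "review", user["roles"] or "no role"))
        elif role == "subscriber":
            continue  # profile-only access, not part of this audit
        elif login not in needed:
            findings.append((login, "remove", f"{role}, not on the access list"))
        elif ROLE_RANK[role] > ROLE_RANK[needed[login]]:
            findings.append((login, "downgrade", f"{role} -> {needed[login]}"))
    return findings


if __name__ == "__main__":
    for login, action, detail in audit(SAMPLE_EXPORT, NEEDED):
        print(f"{action:<10}{login:<14}{detail}")
```

To run it against a real site, replace `SAMPLE_EXPORT` with your own export and `NEEDED` with your current team list.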

At the end of the day, it’s important to make sure that you are giving your users only the capabilities they truly require, and that administrative access is limited to only those who need it.

And as always… make sure you have a backup of your site! If the worst should ever happen and your website is compromised (whether intentionally or accidentally), you’ll be awfully glad that you had a backup in place!
