How do I manage user roles and permissions in WordPress?
Applies to: WordPress.org (self-hosted)
Last updated: May 2025
Problem
You want to allow others to access your WordPress site—for writing posts, managing content, or performing admin tasks—but you’re unsure how to assign appropriate access levels.
Solution
WordPress has a built-in user role management system, which allows you to assign specific capabilities (permissions) to each user. You can manage these roles through the dashboard or use plugins for more advanced control.
Default WordPress User Roles
| Role | Permissions |
|---|---|
| Administrator | Full access to everything: settings, themes, plugins, users, content |
| Editor | Manage all posts, pages, and media (including others’ content) |
| Author | Create, edit, publish, and delete own posts only |
| Contributor | Write and edit own posts, but cannot publish |
| Subscriber | Can only read content and manage their own profile |
Note: Only the Administrator role can install plugins, manage users, or change site-wide settings.
Step-by-Step: Add or Manage a User
1. Add a New User
- Go to Users > Add New in your dashboard
- Fill out the required fields:
  - Username (cannot be changed later)
  - Email address
- Optional: First name, last name, website
- Set a password or allow WordPress to generate one
- Choose a role from the dropdown
- (Optional) Check “Send User Notification” to email login info
- Click Add New User
2. Edit or Change a User’s Role
- Go to Users > All Users
- Hover over a user and click Edit
- Scroll to the Role dropdown to change it
- Click Update User
Optional: Use a Plugin for Advanced Role Control
For more granular permission control, use a plugin like:
- User Role Editor – Modify or create custom roles and control capabilities
- Members by MemberPress – Role management + content restriction
- WPFront User Role Editor – Lightweight and easy-to-use
With these tools, you can:
- Create custom roles (e.g., “Client”, “Project Manager”)
- Grant or revoke specific capabilities (e.g., moderate comments, access plugin settings)
Security Tips
- Give users only the access they need
- Avoid assigning Administrator unless absolutely necessary
- Use Two-Factor Authentication (2FA) for admins and editors
- Regularly audit user accounts to remove inactive users
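One way to run the account audit from the tips above is to compare the accounts that currently hold the Administrator role against a list you have approved. This is an added example, not part of the original article; it assumes WP-CLI is installed on the server, and the file name `approved-admins.txt`, the function names and the sample logins are made up for illustration.

```shell
#!/bin/sh
# Added example: flag Administrator accounts that are not on an approved list.
#
# On a live site, pipe in WP-CLI output (one login per line):
#   wp user list --role=administrator --field=user_login \
#       | unapproved_admins approved-admins.txt
#
# Assumption: approved-admins.txt is a file you maintain yourself, one login
# per line; blank lines and lines starting with '#' are ignored.
# Logins are compared case-insensitively (a choice made in this example).
# Exit status: 0 = every admin is approved, 1 = unapproved admin(s) printed,
#              2 = the approved list could not be read.

unapproved_admins() {
    approved_file=$1
    if [ ! -r "$approved_file" ]; then
        echo "unapproved_admins: cannot read '$approved_file'" >&2
        return 2
    fi
    awk -v approved="$approved_file" '
        function clean(s) {   # drop CRs and surrounding blanks, lowercase
            gsub(/\r/, "", s)
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            return tolower(s)
        }
        BEGIN {               # load the approved list first
            while ((getline line < approved) > 0) {
                line = clean(line)
                if (line != "" && line !~ /^#/) ok[line] = 1
            }
            close(approved)
        }
        {                     # then check each current administrator
            login = clean($0)
            if (login != "" && !(login in ok)) { print login; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample data, so the check can be tried without a WordPress site.
sample_admins() { printf '%s\n' 'siteowner' 'Agency-Dev' 'old_contractor'; }
```

Because the function exits non-zero when it finds an unapproved administrator, it can be run from a scheduled job that alerts on failure.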



