WordPress User Roles Explained: Who Should Have Access to What (2026)
Understanding WordPress user roles is the difference between a well-run site and a security disaster waiting to happen. Every person who logs into your WordPress site has a role — and that role determines exactly what they can see, edit, delete, and break.
WordPress ships with six built-in roles, each with a specific set of permissions. Give someone too much access and a compromised account can take down your entire site. Give too little and your team can’t do their jobs. This guide explains every role, when to use each one, and the security practices that keep your site locked down.
⚡ Key Takeaways
- WordPress has 6 default roles: Administrator, Editor, Author, Contributor, Subscriber, and Super Admin (multisite)
- Follow the Principle of Least Privilege — give each user only the access they need, nothing more
- 81% of WordPress attacks are based on stolen or weak passwords — fewer admin accounts = smaller attack surface
- Use Editor for content managers, Author for writers, Contributor for guest writers
- Audit your user list quarterly — remove inactive accounts and verify admin access
What Are WordPress User Roles?

WordPress user roles are a permission system that controls what each logged-in user can do on your site. As the official WordPress documentation explains: “WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.”
Each role is a bundle of capabilities — specific actions a user is allowed to perform. “Publish posts” is a capability. “Install plugins” is a capability. “Manage users” is a capability. Roles group these capabilities into logical packages based on responsibility level.
81% of WordPress attacks are based on stolen or weak passwords (Source: Sucuri / WordPress Security Statistics 2025)
That stat is why roles matter. If a compromised account only has Contributor access, the damage is limited. If it has Administrator access, the attacker owns your entire site — plugins, themes, database, everything.
The 6 Default WordPress User Roles

Here’s every default WordPress user role, ordered from most powerful to least.
1. Administrator — Full Site Control
Can do: Everything. Install and delete plugins, change themes, manage all users, edit any content, modify site settings, update WordPress core, and access the database through plugins.
Assign to: Site owners and lead developers only. Keep this to 1-2 people maximum. A compromised admin account is a complete site takeover — the attacker can install malware, create backdoor accounts, and exfiltrate your entire database.
2. Editor — Content Boss
Can do: Publish, edit, and delete ANY post or page (theirs or anyone else’s). Manage categories and tags. Moderate comments. Upload media.
Cannot do: Install plugins, change themes, manage users, or access site settings.
Assign to: Content managers and editorial leads who need full content control but should never touch the technical side of the site.
3. Author — Independent Writer
Can do: Write, edit, publish, and delete their own posts only. Upload media files.
Cannot do: Edit or delete other people’s content. Manage pages. Moderate comments.
Assign to: Regular staff writers and trusted bloggers who can publish without editorial review.
4. Contributor — Write, Can’t Publish
Can do: Write and edit their own draft posts. Submit posts for review.
Cannot do: Publish posts, upload media files, or edit published content.
Assign to: Guest writers, freelancers, and anyone whose content needs review before going live. This is the safest role for external contributors.
5. Subscriber — Read Only
Can do: Log in and manage their own profile. Read content that requires login.
Cannot do: Write, edit, or publish anything.
Assign to: Registered readers, membership sites, comment-only users. This is the default role for new user registrations.
6. Super Admin — Multisite Network Control
Can do: Everything an Administrator can do, plus manage all sites in a WordPress Multisite network — create/delete sites, manage network-wide plugins and themes, and add/remove users across the entire network.
Assign to: Only the network owner. This role only exists on Multisite installations.
🏴☠️ PIRATE TIP: The difference between Author and Contributor trips up most people. Author can publish and upload files. Contributor can only submit drafts for someone else to review and publish. If you’re giving access to someone you don’t fully trust with live content, Contributor is always the safer choice.
When to Assign Each Role (Quick Reference)

| Scenario | Role | Why |
|---|---|---|
| Site owner / lead developer | Administrator | Needs full control over plugins, themes, settings |
| Content manager / managing editor | Editor | Manages all content, can’t break site settings |
| Staff writer / regular blogger | Author | Publishes own content, can’t touch others’ |
| Guest writer / freelancer | Contributor | Writes drafts only, needs editorial approval |
| Registered reader / commenter | Subscriber | Profile access only, no content creation |
| Store manager (WooCommerce) | Shop Manager | Full store control without admin-level site access |
💡 Running a WooCommerce store? The Shop Manager role gives full store control (products, orders, coupons, reports) without Administrator access. Browse the Arsenal for WordPress security and management tools.
Security Best Practices for User Roles

Misconfigured WordPress user roles are behind some of the biggest WordPress breaches. In 2025 alone, privilege escalation vulnerabilities affected over 1.1 million sites — including incidents with ACF Extended (100,000+ sites), WP Statistics (600,000+ sites), and Post SMTP (400,000 sites).
Here’s how to protect yourself:
Follow the Principle of Least Privilege
Patchstack defines it clearly: “Users should only have access to the information and resources necessary for their legitimate purposes.” If someone doesn’t need to install plugins, they don’t need Administrator access. Period.
Minimize Administrator Accounts
Every admin account is a potential entry point for full site takeover. Keep admin count to 1-2 people. Everyone else gets Editor or below.
Audit Users Quarterly
“Reserve the Administrator role for site owners and lead developers only. Conduct a quarterly audit: review the list of users, remove stale accounts, confirm admins, review custom roles, and check logs for privileged actions.”
— SiteCare, WordPress Management Agency
Old contractor accounts, former employees, test accounts — they’re all attack vectors if they still have active logins. Remove what you don’t need.
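The quarterly audit above can be scripted instead of clicked through. This added example (not from the original post or any plugin it mentions) is a WP-CLI command that lists every Administrator, flags accounts that look stale, and checks that the New User Default Role has not drifted away from Subscriber. The command name `aodn audit-users` and the 365-day staleness threshold are assumptions; WordPress does not record a last-login time, so registration date plus published-post count is used as a proxy.

```php
<?php
/**
 * Added example: quarterly user-role audit as a WP-CLI command.
 * Drop into a (mu-)plugin file and run: wp aodn audit-users [--stale-days=365]
 * "aodn" prefix, command name and threshold are assumptions for illustration.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return; // Only load under WP-CLI; nothing here should run on web requests.
}

function aodn_audit_users( $args, $assoc_args ) {
    $stale_days = (int) ( $assoc_args['stale-days'] ?? 365 );
    $cutoff     = time() - $stale_days * DAY_IN_SECONDS;

    // 1. Every Administrator is a full-takeover target, so list all of them.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email' ),
    ) );
    WP_CLI::log( sprintf( '%d administrator account(s):', count( $admins ) ) );
    foreach ( $admins as $admin ) {
        WP_CLI::log( sprintf( '  #%d %s <%s>', $admin->ID, $admin->user_login, $admin->user_email ) );
    }
    if ( count( $admins ) > 2 ) {
        WP_CLI::warning( 'More than 2 administrators; downgrade anyone who does not need full control.' );
    }

    // 2. Stale candidates: registered before the cutoff and never published a post.
    //    Old contractor, ex-employee and test accounts usually show up here.
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $registered = strtotime( $user->user_registered );
        $post_count = (int) count_user_posts( $user->ID, 'post', true );
        if ( $registered < $cutoff && 0 === $post_count ) {
            WP_CLI::log( sprintf(
                '  stale? #%d %s role=%s registered=%s',
                $user->ID, $user->user_login, implode( ',', $user->roles ), $user->user_registered
            ) );
        }
    }

    // 3. New registrations must never default to a privileged role.
    $default_role = get_option( 'default_role' );
    if ( 'subscriber' !== $default_role ) {
        WP_CLI::warning( "New User Default Role is '$default_role'; set it back to Subscriber." );
    }
}
WP_CLI::add_command( 'aodn audit-users', 'aodn_audit_users' );
```

Accounts flagged "stale?" still need a human decision; the site's original setup admin will often appear because it never published anything, which is exactly the "developer who set up your site" case worth reviewing.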
Enforce Strong Passwords and 2FA
With 81% of WordPress attacks using stolen passwords and Wordfence blocking over 100 billion credential-stuffing attacks, strong passwords aren’t optional. Require two-factor authentication for all admin and editor accounts at minimum.
Common User Role Mistakes

- Making everyone an Administrator — The most dangerous mistake. Your content writer doesn’t need access to install plugins. Your store manager doesn’t need access to update WordPress core. More admins = more attack surface.
- Sharing login credentials — “Just use my login” means you can’t track who did what, can’t revoke access individually, and can’t enforce role-based security. Create separate accounts for every person.
- Never removing old accounts — That freelancer who wrote three blog posts in 2024? Their Author account is still active. That developer who set up your site? Their admin account is still there. Audit and remove.
- Using Author when Contributor would work — Contributors can’t publish or upload files. If someone’s content needs review before going live, Contributor is the right role. Author gives publishing power you may not want to grant.
- Ignoring WooCommerce’s Shop Manager role — Many store owners give their manager full Administrator access when Shop Manager covers everything they need for day-to-day store operations.
🏴☠️ PIRATE TIP: Need custom roles beyond the defaults? The free User Role Editor plugin lets you create roles with exactly the capabilities you need — no coding required. Want to give someone Editor access but without the ability to delete posts? Custom role. Two minutes.
FAQ — WordPress User Roles
What are the default WordPress user roles?
WordPress has 6 default roles: Administrator (full control), Editor (manages all content), Author (publishes own posts), Contributor (submits drafts for review), Subscriber (profile access only), and Super Admin (multisite network control). From Administrator down to Subscriber, each role has progressively fewer permissions.
What is the difference between Author and Contributor in WordPress?
Authors can write, publish, and delete their own posts and upload media files. Contributors can only write and edit draft posts — they cannot publish, cannot upload files, and their posts require an Editor or Admin to review and publish. Use Contributor for anyone whose content needs editorial approval.
How many Administrator accounts should a WordPress site have?
Keep Administrator accounts to 1-2 per site. Every admin account is a potential entry point for full site takeover if compromised. Give content managers the Editor role and developers only temporary admin access when needed. The Principle of Least Privilege says: give each user only the access they need.
Can I create custom user roles in WordPress?
Yes. Use the free User Role Editor or Members plugin to create custom roles with specific capabilities. Developers can also create roles programmatically using WordPress’s add_role() function. Custom roles let you build exactly the permission set your team needs.
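The Pirate Tip above (an Editor who cannot delete posts) and this answer's mention of add_role() describe the same thing, so here is one added example that covers both; it is not code from the original post or from the User Role Editor or Members plugins. It clones the built-in Editor's capabilities, strips every delete_* capability, and registers the result as a new role. The role slug `content_editor` and the `aodn_` function prefix are assumptions. It also drops `unfiltered_html`, which goes one step beyond the tip: that capability lets a user store raw HTML and script in posts, so removing it narrows what a compromised account of this role can do.

```php
<?php
/**
 * Added example: register a restricted Editor role with add_role().
 * Runs once on plugin activation; WordPress persists roles in the database,
 * so there is no need to call add_role() on every request.
 * Role slug, display name and function prefix are assumptions for illustration.
 */
function aodn_register_restricted_editor_role() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return; // Built-in role missing; nothing to clone.
    }

    // Start from the Editor's full capability map ( 'cap_name' => true ).
    $caps = $editor->capabilities;

    // Remove every delete capability: delete_posts, delete_others_posts,
    // delete_published_pages, delete_private_posts, and so on.
    foreach ( array_keys( $caps ) as $cap ) {
        if ( 0 === strpos( $cap, 'delete_' ) ) {
            unset( $caps[ $cap ] );
        }
    }

    // Beyond the tip: Editors on single-site installs hold unfiltered_html,
    // which allows raw script in content. A content-only role does not need it.
    unset( $caps['unfiltered_html'] );

    // add_role() returns null when the role already exists, so remove it first
    // to make sure capability changes here take effect on re-activation.
    // Users already assigned to the role keep it and pick up the new caps.
    remove_role( 'content_editor' );
    add_role( 'content_editor', 'Content Editor (no delete)', $caps );
}
register_activation_hook( __FILE__, 'aodn_register_restricted_editor_role' );
```

After activation the new role appears in the Role dropdown under Users, and `current_user_can( 'delete_posts' )` returns false for anyone assigned to it.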
What is the default role for new WordPress users?
The default role is Subscriber, which only allows users to log in and manage their profile. You can change this at Settings → General → New User Default Role. For most sites, Subscriber is the safest default — never set it to Administrator or Editor.
⚔️ Pirate Verdict
WordPress user roles aren’t complicated — there are only six of them. But getting them wrong has real consequences. Every unnecessary admin account is an unlocked door. Every shared password is a key you can’t revoke. Every forgotten contractor account is a ghost in your system. The fix is simple: give each person the minimum access they need, audit your users quarterly, enforce strong passwords with 2FA, and use the Contributor role more than you think you should. Your site’s security starts with who has the keys.
Lock Down Your Site With Proper Roles
Now you know every WordPress user role, what each one can do, and the security practices that protect your site. The setup takes five minutes in your WordPress dashboard under Users. The quarterly audit takes five more. That’s ten minutes per quarter to dramatically reduce your attack surface.
For more WordPress fundamentals, visit the AI Or Die Now homepage or explore the Arsenal.
How many admin accounts does your site have right now? Be honest — and tell us in the comments if that number just dropped after reading this.