WordPress User Roles & Permissions Explained (2020)

A beginner-friendly breakdown of WordPress user roles, what each permission level allows, and when to grant (or restrict) access on your site.

This article contains affiliate links. If you make a purchase through these links, I may earn a commission at no extra cost to you. I only recommend tools I genuinely use and believe in.

Why WordPress User Roles Matter

Every person who interacts with your WordPress site beyond simply reading it (buying a product through WooCommerce, enrolling in a course on LearnDash or TutorLMS, or leaving a comment on a site that requires registration to comment) gets added as a WordPress user. That might sound alarming, but WordPress handles this with a layered permission system so that a shopper can't accidentally (or intentionally) start publishing blog posts.

Understanding user roles becomes especially important once you start adding functionality like e-commerce, membership areas, or online courses. These plugins create their own registration flows, and behind the scenes every new sign-up lands in the same Users panel inside your WordPress dashboard. Knowing what each role can and can't do helps you keep your site secure while still giving people the access they need.

The Five Default WordPress Roles

Out of the box, WordPress ships with five user roles, each with progressively more power.

**Subscriber** is the most limited role. Subscribers can manage their own profile and leave comments, but that's about it. This is the role most of your general audience will fall into if they create an account on your site.

**Contributor** takes things a step further. Contributors can write and edit their own draft posts, but they cannot publish anything. Every piece of content they create has to be approved by someone with a higher permission level before it goes live.

**Author** is where publishing power kicks in. Authors can write, edit, and publish their own posts—including uploading media—but they have zero control over anyone else's content. If a Contributor asks an Author to approve their draft, the Author simply doesn't have the permission to do it.

**Editor** is the newsroom manager of WordPress. Editors can create, edit, and publish their own posts, and they can also approve, edit, and manage posts written by Contributors and Authors. Think of the role like a newspaper editor who oversees everything that gets published.

**Administrator** sits at the very top. Admins can do literally anything on the site: change settings, install plugins, create or delete user accounts, and even reset other people's passwords. Because of that power, you should hand out Administrator access very conservatively.

Adding and Managing Users

To manage users, head to the **Users** section in your WordPress sidebar. You'll see every account that exists on your site listed there. Clicking **Add New** lets you manually create an account by entering a username and email address (first name, last name, and website are optional).

When you create an account manually—say, for a plugin developer who needs temporary access to troubleshoot an issue—you can click "Show Password" to reveal a generated password and share it directly. This is handy because you can set up a throwaway account without needing the developer's real email address. Once they're done, you simply delete the account.

For most real-world scenarios, though, users won't see this screen at all. Plugins like WooCommerce and LearnDash handle registration through their own front-end forms, and WordPress automatically sends the new user an email prompting them to set a password.

When to Grant Administrator Access

Giving someone Administrator access is the most common source of anxiety for WordPress site owners, and for good reason—an admin can destroy your entire site if they don't know what they're doing or have bad intentions.

That said, premium theme and plugin developers will often need admin-level access to troubleshoot issues on your behalf. If you've purchased a product from a reputable, well-known company, granting temporary Administrator access is generally safe. These companies care far more about their reputation than anything on your individual site, so intentional harm is essentially off the table.

The best practice is to create a dedicated admin account for the support team, let them do their work, and then delete or demote the account as soon as the issue is resolved. This keeps your exposure window as small as possible.
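
One way to enforce that short exposure window in code rather than by memory, shown as an added example that is not from the original article: the account is created with an expiry timestamp, and an hourly sweep demotes it and ends its sessions. The function names, hook name, meta key and placeholder email domain are assumptions made for illustration.

```php
<?php
// Added example, not from the original article. Function names, the hook name
// and the meta key are hypothetical; drop the file in wp-content/mu-plugins/.

const EXAMPLE_EXPIRY_META = 'example_access_expires'; // hypothetical meta key

// Create a temporary Administrator that expires after $hours.
function example_create_support_admin( $login, $hours = 48 ) {
    $password = wp_generate_password( 24, true );
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $password,
        // Constructed placeholder address: no real mailbox is required.
        'user_email' => $login . '@example.invalid',
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id; // e.g. the login already exists
    }
    update_user_meta( $user_id, EXAMPLE_EXPIRY_META, time() + $hours * HOUR_IN_SECONDS );
    return array( 'user_id' => $user_id, 'password' => $password );
}

// Demote every account whose expiry has passed and end its login sessions.
function example_expire_support_admins() {
    $expired = get_users( array(
        'meta_key'     => EXAMPLE_EXPIRY_META,
        'meta_value'   => time(),
        'meta_compare' => '<',
        'meta_type'    => 'NUMERIC',
    ) );
    foreach ( $expired as $user ) {
        $user->set_role( 'subscriber' ); // replaces all roles with Subscriber
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
        delete_user_meta( $user->ID, EXAMPLE_EXPIRY_META );
    }
    return count( $expired );
}
add_action( 'example_expire_support_admins', 'example_expire_support_admins' );

// Run the sweep hourly through WP-Cron.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_expire_support_admins' ) ) {
        wp_schedule_event( time(), 'hourly', 'example_expire_support_admins' );
    }
} );
```

Call `example_create_support_admin()` once, for instance through WP-CLI's `wp eval`. WP-Cron only fires when the site receives traffic, so on a quiet site the demotion can run later than the stored expiry.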

Custom Roles and Plugin-Added Roles

WordPress isn't limited to those five default roles. Many plugins quietly add their own roles the moment you activate them. WooCommerce, for example, creates **Customer** and **Shop Manager** roles. LearnDash adds a **Group Leader** role. These custom roles come pre-configured with the specific permissions each plugin needs to function properly.

If the built-in and plugin-provided roles still don't cover your needs, a plugin like **User Role Editor** lets you create entirely custom roles with a hand-picked set of permissions. This is useful for larger teams where you might want someone who can manage media uploads but not touch published posts, or someone who can moderate comments without accessing the theme settings.
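
Because plugin-added and custom roles appear without any prompt, it helps to review what each one is actually allowed to do. The following added example (not from the original article, with a hypothetical function name) lists every role outside the five defaults, plus any role below Administrator that holds a high-risk core capability, along with how many users hold it.

```php
<?php
// Added example, not from the original article; the function name is hypothetical.

// Report every role outside the five defaults, and every role below
// Administrator that holds a high-risk capability.
function example_audit_roles() {
    $defaults  = array( 'administrator', 'editor', 'author', 'contributor', 'subscriber' );
    // Core capabilities that allow code changes, settings changes or account control.
    $high_risk = array(
        'manage_options', 'install_plugins', 'activate_plugins', 'edit_plugins',
        'edit_themes', 'create_users', 'edit_users', 'delete_users',
        'promote_users', 'unfiltered_html',
    );
    $report = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        // 'capabilities' maps capability name => bool; keep only the granted ones.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( $high_risk, $granted ) );
        $custom  = ! in_array( $slug, $defaults, true );
        // Skip Administrator (expected to hold everything) and default
        // roles that hold none of the high-risk capabilities.
        if ( 'administrator' === $slug || ( ! $custom && ! $risky ) ) {
            continue;
        }
        $report[ $slug ] = array(
            'name'    => $role['name'],
            'custom'  => $custom,  // true for plugin-added or hand-made roles
            'risky'   => $risky,   // high-risk capabilities this role grants
            'members' => count( get_users( array( 'role' => $slug, 'fields' => 'ID' ) ) ),
        );
    }
    return $report;
}
```

On a default single-site install the Editor role shows up in this report because it holds `unfiltered_html`; any other entry is a role added by a plugin or by hand and is worth reviewing before users are assigned to it.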

Controlling Who Can Comment

By default, WordPress lets anyone leave a comment on your posts—no login required. Even with a solid anti-spam plugin like Antispam Bee filtering out the junk, you might want an extra layer of control.

To require users to log in before commenting, navigate to **Settings → Discussion**. Under "Other comment settings," check the box labeled **Users must be registered and logged in to comment**. This adds a small friction barrier that discourages drive-by spam and, as a bonus, captures a verified email address for every commenter. That email can be valuable if you ever need to follow up on a conversation or build a relationship with engaged readers.

