How to Set Up WordPress User Roles

by | Oct 1, 2018

When you set up your WordPress website, you decide who else can login and what role they play on the site.  Each user – WordPress has five standard roles – is provided certain permissions.  In other words, you control what they can and cannot do on the site.

When WordPress is installed, it automatically creates an Administrator role based on the user name from your hosting account.  An admin role has complete control over the WordPress dashboard.

It’s important to make sure that the hosting account is in your name – never let it be set up by a contractor, web company or agency.  If things go south in that relationship, you could lose access to your own website.

WordPress User Roles

The default user roles in WordPress are set up for different people to complete different tasks. There is one head honcho – (that’s you – the administrator) and other users who can only access what they need to do their job.  The five standard roles are:

  • Administrator
  • Author
  • Editor
  • Contributor
  • Subscriber

Each user will see a unique dashboard menu that is specific to their role’s requirements.  All users can manage their own profiles but otherwise are limited to the menu items needed for their role.

Here’s a brief overview of permissions for each role, then we’ll explain how to set them up.  You should be aware that some popular plugins and themes also have user settings.  We’ll talk a little bit about them later in this post, including Yoast SEO and Woo Commerce plugins, and the Divi Theme.

WordPress Administrator

The Site Administrator can perform any task in WordPress. Because you’re the site owner, you have access to the hosting account, but any other administrator you set up would not.

They will not have access to the cPanel or your account info, just the WordPress implementation. If you’re having a web professional help set up your site, they would typically need to be an admin to get the job done.

NOTE: When you set up an another administrator account, you are asked to create a user name for that person. NEVER choose “admin” as a username.  That’s the first name hackers will use to try and get into your site.

An Administrator can add users, upload and activate or change themes and choose, activate and deactivate plugins. They create menus, choose your home page and can edit code on php files. They make decisions about how comments will be managed and how your permalinks will look. (A permalink is how a page URL is set up – typically, mywebsite.com/name-of-the-page/.)

Admins typically set up the page designs, style standards and can add images and videos to the site. They add and delete from the media library at will.  They can write content for pages and posts – It’s faster just to say they can perform every task that any user can do.

An admin is in a position of extreme trust. A word to the wise – if there is any concern with someone who’s been given admin status on your site – either remove them as a user or switch their role.

WordPress Author

If you remember, WordPress started as a blogging platform.  The Author role gives a user permission to create and publish their own blog posts.  They can’t do anything with pages – just posts.

Authors can upload images for their post too and are able to respond to comments. They cannot edit or revise posts by other authors or contributors. They have no real administrative authority, though they can delete their own posts.

WordPress Editor

Editors are higher up the food chain than authors.  They can create content for posts and pages plus they have the authority to revise or delete pages they did not create. They can remove content from any author and on any page.

Editors can also moderate comments – approve or mark them as spam – they can also delete an author’s response to a comment. This role can set up and manage categories and tags for blog posts.

This role isn’t just for proof-reading  – an editor has authority over all the content on the site.

Contributor

This is a minimized version of the author role.  A Contributor can write blog posts and that’s pretty much it.  They can’t even add images to the media library and they can’t publish their own posts.

When you first start working with a writer, it’s helpful to give them Contributor status. The Editor or Administrator can review their work before it goes public.  Once you’re confident in the relationship, you can upgrade them to the Author role.

Subscriber

This is the default role for new users and only allows the user to create a profile. Subscribers cannot post or revise anything. The one advantage of this role is that subscribers can leave comments without having to log in.

How to Set Up WordPress Users

Only an administrator can set up a new user.  About midway down the WordPress dashboard menu is a tab for Users/Add New. When you click it, you will see the screen below.

As noted earlier – never give anyone the user name Admin.  Decide the user name – make it unique – and add their email. Fill in the required fields and use the drop down to choose their role.

Then click Add New User.  They will get an email telling them how to log in. Once they’re in, they can set up their Profile, including a Gravatar.  (FYI – this is also where a user can change their password, but be aware if you are publishing content, the site may require a really strong password.)

What’s a Gravatar?

A gravatar is a Globally Recognized Avatar – so what’s an avatar? It’s a small, thumbnail image- unique to you – that will display when you post or publish online.

Big whoop, you say? Yeah, maybe but it’s kind of like your logo. The more it’s associated with you or your work, the more familiar you become. If you’re a blogger and you leave comments on other blogs – it can help you build a brand.

You need to have a WordPress.com account to get one. Once you do – go to the Gravatar website and create your own.  And quick reminder – this image represents you and tons of sites have parental controls that block adult imagery.  Use common sense, folks.

(One thing to note – Gravatars make you fill out some personal info including your name and About Me section that people also see. If you are not comfortable with that – don’t do it.)

More User Roles: Yoast, Woo & Divi

Yoast

The Yoast plugin is one of the best-known SEO plugins on the internet. There’s a free version and the premium version. Both of them allow you to assign user roles related to SEO.  Yoast is so connected to WordPress that once the plugin is installed, you will see two new roles in the user drop down menu:

  • SEO Editor
  • SEO Manager

SEO Editor

Both of these roles are pretty simple. An SEO Editor can add the meta data descriptions in the Yoast plugin fields by page. They put in the key word, update the snippets and indicate cornerstone content.

SEO Manager

The SEO Manager is responsible for the plugin settings. The manager can do everything an editor can do but other than a WordPress Administrator, they are the only role that change the plugin settings.

Woo Commerce

If you’re building an online store, you may very well find yourself adding the WooCommerce Plugin.  Some themes – including most of the mega themes,  Woo Commerce is included as a module.

When Woo Commerce is installed, two things happen. The WordPress Administrator is given access to Woo Commerce settings and Woo Commerce Reports.  Two new user roles are added:

  • Customer
  • Shop Manager

Not everyone will have a shop manager, but hopefully everyone will have customers….

Customer

Customers are the people who create an account to make a purchase. They can login and see their order history and current order status. Customers manage the data in their profile, including sensitive information about payment options.

Shop Manager

The Woo Commerce Shop Manager has some authority within the site – similar to an Editor role in WordPress. They can create and delete product pages, change product pages made by someone else. They get to see Woo Commerce Reports and can manage the plugin settings.

This is a very significant role when you factor in the ability to change product pages. The prices for everything you sell are on those pages, when you delegate that kind of authority – pay attention.

Divi Theme Role Editor

We’re a big fan of the Divi Theme and one of its components is a role editor built into the theme itself.

As with most everything in Divi – there are options out the wazoo (a technical term…)

You can change how each role is allowed to interact within the Divi Builder. In the example below, the Author role is allowed to access the Divi Library but isn’t allowed to change Global elements.

The permissions can literally be customized at the module level – you could decide an Editor can use a Blurb Module but not a Code module.

The only beef I have with Divi’s Role Editor is that it enables everything for every role by default.  Come on, guys, do we really think a Contributor role (who isn’t even allowed to publish without approval) needs to be able to change Customizer settings?

Divi might want to rethink that approach, but in the meantime, make use of the grid button on the far right of each set of settings. Click it and everything in the box is either enabled or disabled.  Otherwise, you will need to choose your options manually.

User Tips

Whenever you remove an author from your site, you need to attribute their posts to another user or the content will be deleted too.  We typically create a generic Author – with a user name that might simply be the site name – i.e. Pet Groomers.  If you’re paying a writer, it’s not always necessary (or desirable) to have the writer’s name on the posts.

Before you delete a user, go to All Posts on your WordPress Dashboard. Click the box on all the soon-to-be-deleted author’s posts.  Choose Edit from the dropdown menu and you’ll get a pop-up where you can assign your generic Author. Click Apply. Then take care of removing the author’s access.

Quick Reminders

User roles that have authority over settings on your site –Administrators, Editors and Shop Managers – should only be handed out to experienced, trustworthy people. Don’t just hand your site over to anyone – no matter who it is.

You can consider a plugin to customize your notifications.  But the best way is to check your site periodically and make sure your own credentials stay active.

While it may make you unpopular, insist strong passwords – random mixes of letters and numbers. We’re not trying to make you paranoid, but think of it this way. Whenever you hire someone in the real world, there’s typically a trial period.  It’s the same way online.

And not just for bad actors, but people make mistakes or misunderstand what they are being asked to do. It’s better for everyone if someone is paying attention and can get things back on track.

Free Exclusive Website Building Tips

Enter Your Email to Get Access to my Proven Techniques to Building Great Websites and More

Share This