Every WordPress site with more than one user faces the same question: who should be allowed to do what? Assign too many permissions and you risk accidental deletions, broken settings, or worse — a security breach. Assign too few and your team spends half their day asking for access. WordPress solves this with a built-in roles and capabilities system that gives you layered control over every action a user can take.
This guide breaks down exactly how the system works in 2026, walks through each default role and its capabilities, shows you how to create custom roles for real-world scenarios, and covers the security practices that keep multi-user sites safe.
How the WordPress Roles and Capabilities System Works
WordPress uses a two-layer permission system. Roles are named collections of permissions assigned to users — think of them as job titles. Capabilities are the individual permissions themselves — granular actions like edit_posts, manage_options, or delete_users.
When a user tries to perform an action, WordPress checks whether their assigned role includes the required capability. If it does, the action proceeds. If not, they see an “insufficient permissions” error. This check happens through the current_user_can() function, which plugin and theme developers use to gate features behind specific capabilities.
WordPress stores roles and capabilities in the wp_options table under the wp_user_roles key. Each role is an array containing a display name and a list of capabilities set to true or false. This database-driven approach means roles persist across theme and plugin changes — and it means you can modify them programmatically or with plugins.
The Six Default WordPress Roles Explained
WordPress ships with six built-in roles. Each one inherits the capabilities of the roles below it, creating a clear hierarchy from full control down to read-only access.
Administrator
Administrators have unrestricted access to the entire WordPress dashboard. They can install and activate plugins, switch themes, manage other users (including promoting or deleting them), edit site settings, import and export content, and perform every content management task available to lower roles. On a single-site installation, this is the most powerful role.
Key exclusive capabilities: manage_options, activate_plugins, edit_plugins, edit_themes, switch_themes, edit_users, delete_users, promote_users, install_plugins, install_themes, update_core, import, export
Best for: Site owners and trusted developers. Limit administrator accounts to the absolute minimum — ideally one or two per site.
Editor
Editors manage all content across the site. They can create, edit, publish, and delete any post or page — including content created by other users. They also moderate comments and manage categories and tags. However, Editors cannot access plugins, themes, or site-wide settings.
Key capabilities: edit_others_posts, edit_others_pages, publish_pages, delete_others_posts, moderate_comments, manage_categories
Best for: Content managers, editorial leads, and anyone who needs to review and publish content from multiple authors without touching site infrastructure.
Author
Authors can create, edit, and publish their own posts, plus upload media files. They cannot modify or delete other users’ content, and they have no access to pages, only posts. This makes the role ideal for regular content contributors who need publishing autonomy over their own work.
Key capabilities: edit_posts, edit_published_posts, publish_posts, delete_posts, delete_published_posts, upload_files
Best for: Blog writers, journalists, and regular content creators who publish independently.
Contributor
Contributors can write and edit their own posts but cannot publish them — their content goes into a “Pending Review” queue for an Editor or Administrator to approve. Contributors also cannot upload media files, which prevents unauthorized file storage on your server.
Key capabilities: edit_posts, delete_posts
Best for: Guest writers, freelancers, and anyone whose content needs editorial review before going live.
Subscriber
Subscribers can only read content and manage their own user profile. They have no content creation or editing capabilities. This is the default role for new user registrations and serves as the baseline for membership and community sites where users need accounts without backend access.
Key capabilities: read
Best for: Registered readers, newsletter subscribers, community members, and customers on membership sites.
Super Admin (Multisite Only)
On WordPress Multisite networks, the Super Admin role sits above Administrator. Super Admins control the entire network: they can create and delete sites, install plugins and themes network-wide, manage users across all sites, and perform core updates. Regular Administrators on a multisite network lose several critical capabilities — including install_plugins, install_themes, update_core, and delete_users — which become exclusive to Super Admins.
Key exclusive capabilities: manage_network, manage_sites, manage_network_users, manage_network_plugins, manage_network_themes, upgrade_network
Best for: Network administrators managing multisite installations. Limit Super Admin accounts even more strictly than single-site Administrators.
Complete WordPress Capabilities Reference Table
The table below shows which capabilities belong to each default role. Use this as a quick reference when deciding which role to assign or which capabilities to include in a custom role.
| Capability | Subscriber | Contributor | Author | Editor | Administrator |
|---|---|---|---|---|---|
| read | Yes | Yes | Yes | Yes | Yes |
| edit_posts | — | Yes | Yes | Yes | Yes |
| delete_posts | — | Yes | Yes | Yes | Yes |
| publish_posts | — | — | Yes | Yes | Yes |
| upload_files | — | — | Yes | Yes | Yes |
| edit_published_posts | — | — | Yes | Yes | Yes |
| delete_published_posts | — | — | Yes | Yes | Yes |
| edit_others_posts | — | — | — | Yes | Yes |
| delete_others_posts | — | — | — | Yes | Yes |
| edit_pages | — | — | — | Yes | Yes |
| publish_pages | — | — | — | Yes | Yes |
| moderate_comments | — | — | — | Yes | Yes |
| manage_categories | — | — | — | Yes | Yes |
| manage_options | — | — | — | — | Yes |
| activate_plugins | — | — | — | — | Yes |
| edit_users | — | — | — | — | Yes |
| install_plugins | — | — | — | — | Yes |
| install_themes | — | — | — | — | Yes |
| update_core | — | — | — | — | Yes |
| switch_themes | — | — | — | — | Yes |
| import | — | — | — | — | Yes |
| export | — | — | — | — | Yes |
How to Create Custom User Roles
Default roles cover many scenarios, but real-world sites often need something more specific. An agency might want a “Client Manager” role that can edit pages but not access plugins. A WooCommerce store might need a “Warehouse Staff” role limited to inventory management. Custom roles fill these gaps.
Method 1: Create Custom Roles with PHP
Use the add_role() function to register a new role. Place this code in a custom plugin (preferred) or your theme’s functions.php file so the role persists across theme changes.
```php
// Add a custom "Content Reviewer" role
add_role( 'content_reviewer', 'Content Reviewer', array(
    'read'                 => true,
    'edit_posts'           => true,
    'edit_others_posts'    => true,
    'edit_published_posts' => true,
    'moderate_comments'    => true,
    'manage_categories'    => true,
    // Intentionally omitting publish_posts -- reviewers edit, not publish
) );
```
Important: The add_role() function writes to the database. It only needs to run once. After the role exists, you can remove the code or wrap it in an activation hook. Running it repeatedly is harmless but unnecessary.
To add or remove capabilities from an existing role:
```php
// Give Editors the ability to manage WooCommerce products.
// get_role() returns null if the role does not exist, so guard against that
// when the role could be missing (for example, on a site without WooCommerce).
$editor = get_role( 'editor' );
if ( $editor ) {
    $editor->add_cap( 'edit_products' );
    $editor->add_cap( 'publish_products' );
}

// Remove a capability. Like add_cap(), remove_cap() writes the change to the
// wp_user_roles option, so this only needs to run once.
$author = get_role( 'author' );
if ( $author ) {
    $author->remove_cap( 'delete_published_posts' );
}
```
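The snippets above show the individual calls; what follows is an added, complete example (not code from the original article) that packages them as a must-use plugin so the role survives theme switches. A file in wp-content/mu-plugins/ never receives register_activation_hook(), so the role is reconciled on init instead, guarded by a version option so the database is written only when the capability list actually changes. The CRR_ prefix, the option name and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Content Reviewer Role
 * Description: Registers and maintains the "content_reviewer" role.
 *
 * Added example, not part of the original article. Intended for
 * wp-content/mu-plugins/content-reviewer-role.php (assumed path).
 */

// Bump this whenever the capability list below changes; the sync re-runs once.
const CRR_ROLE_VERSION = '1';
const CRR_OPTION       = 'crr_role_version'; // hypothetical option name

/** The exact capability set the role should hold. Anything not listed is removed. */
function crr_role_capabilities() {
    return array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_others_posts'    => true,
        'edit_published_posts' => true,
        'moderate_comments'    => true,
        'manage_categories'    => true,
        // publish_posts is deliberately omitted: reviewers edit, they do not publish.
    );
}

/** Create the role if it is missing, then reconcile its capabilities. */
function crr_sync_role() {
    if ( get_option( CRR_OPTION ) === CRR_ROLE_VERSION ) {
        return; // Already synced for this version: no DB write on this request.
    }

    $wanted = crr_role_capabilities();
    $role   = get_role( 'content_reviewer' );

    if ( null === $role ) {
        $role = add_role( 'content_reviewer', 'Content Reviewer', $wanted );
    }

    // Revoke capabilities granted earlier but no longer wanted (an older version
    // of this file, or a role-management plugin, may have added them).
    foreach ( array_keys( $role->capabilities ) as $cap ) {
        if ( empty( $wanted[ $cap ] ) ) {
            $role->remove_cap( $cap );
        }
    }

    // Grant anything missing, e.g. a capability registered by a plugin that was
    // installed after the role was first created.
    foreach ( $wanted as $cap => $grant ) {
        if ( $grant && ! $role->has_cap( $cap ) ) {
            $role->add_cap( $cap );
        }
    }

    update_option( CRR_OPTION, CRR_ROLE_VERSION, false );
}
add_action( 'init', 'crr_sync_role' );

/** Retire the role safely: move its users to a fallback role, then delete it. */
function crr_remove_role( $fallback = 'contributor' ) {
    foreach ( get_users( array( 'role' => 'content_reviewer' ) ) as $user ) {
        // set_role() replaces all of the user's roles with $fallback.
        $user->set_role( $fallback );
    }
    remove_role( 'content_reviewer' );
    delete_option( CRR_OPTION );
}
```

Because the capability list is the single source of truth, adding a WooCommerce capability later is a matter of appending it to crr_role_capabilities() and bumping CRR_ROLE_VERSION; the next request grants it. crr_remove_role() reassigns users before calling remove_role() so nobody is left holding a role that no longer exists.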
Method 2: Use a Role Management Plugin
For sites where editing PHP is impractical or risky, a plugin provides a visual interface for managing roles.
Members (by MemberPress) is a free plugin that lets you create, edit, clone, and delete roles through a clean UI. It supports assigning multiple roles to a single user, explicitly denying capabilities (not just omitting them), and integrating with WooCommerce, Advanced Custom Fields, and other plugins that register their own capabilities. Since MemberPress acquired it, all previously paid add-ons — block permissions, role hierarchy, and content restriction — are included free.
User Role Editor is another popular option with a straightforward capability checkbox interface. It is slightly less polished than Members but handles the core task of modifying role capabilities effectively.
Either plugin works well. Members is the better choice if you also need content restriction or multi-role assignment.
Plugin-Added Roles: WooCommerce, LMS, and Membership Examples
Many plugins add their own roles and capabilities when activated. Understanding these prevents permission conflicts and helps you assign the right access level.
WooCommerce Roles
Shop Manager: Full control over WooCommerce settings, products, orders, and reports through the manage_woocommerce and view_woocommerce_reports capabilities. Shop Managers can process orders, update inventory, manage customer accounts, and configure shipping and tax settings — but they cannot install plugins, modify themes, or access core WordPress settings. This makes the role ideal for store operators who should not touch site infrastructure.
Customer: Functionally identical to Subscriber but with additional WooCommerce capabilities for viewing order history, managing saved addresses, and handling account details on the frontend.
LMS Plugins (LearnDash, LifterLMS, Tutor LMS)
Learning management plugins typically add roles like Instructor (can create and manage courses), Student (can enroll and access course content), and sometimes Group Leader (can manage a subset of students). Each role comes with plugin-specific capabilities such as edit_courses, manage_enrollments, or view_reports. For a deeper look at WordPress LMS options, see our LMS plugin comparison.
Membership Plugins (MemberPress, Paid Memberships Pro)
Membership plugins often create tiered subscriber roles — Bronze Member, Gold Member, VIP — that restrict content visibility based on membership level. These roles typically extend the Subscriber base with custom capabilities that gate frontend content rather than backend features. Our membership plugin comparison covers the major options in detail.
Real-World Role Configuration Scenarios
Scenario 1: Multi-Author Blog
A content team with a managing editor, three staff writers, and occasional guest contributors needs clear boundaries. Assign the managing editor as Editor (can publish and edit all content), staff writers as Author (can publish their own posts), and guest writers as Contributor (can draft but not publish). Only one site owner holds the Administrator role.
Scenario 2: Agency Managing Client Sites
Agencies need backend access without giving clients the ability to break their own site. Create a custom Client Manager role that includes edit_pages, edit_published_pages, upload_files, and moderate_comments — but excludes install_plugins, switch_themes, and manage_options. The agency retains Administrator access while the client has safe autonomy over content.
Scenario 3: WooCommerce Store with Warehouse Staff
Create a custom Warehouse role with only edit_products and view_woocommerce_reports capabilities. Warehouse staff can update stock quantities and view inventory reports without accessing order details, customer data, or payment configurations.
Scenario 4: Membership Site with Form-Based Registration
Sites that use form plugins for user registration can assign roles automatically during signup. Gravity Forms paired with its User Registration add-on lets you map form fields to user profile data and assign a specific role based on form selection, conditional logic, or payment status. This automates the entire onboarding process without manual role assignment. We cover the full setup process in our Gravity Forms User Registration guide.
Drop a Login Form Anywhere with the Block Editor
Our free User Registration Block for Gravity Forms lets you place the Gravity Forms User Registration login form into any post or page. No shortcodes, no guesswork — just search, drop, and customize.
Security Best Practices for User Roles
Misconfigured roles are one of the most common WordPress security vulnerabilities. Follow these practices to keep your site protected.
Apply the Principle of Least Privilege
Every user should have the minimum permissions required to do their job — nothing more. A content writer does not need activate_plugins. A shop manager does not need edit_themes. Start with the most restrictive role that works and add capabilities only when a specific need arises.
Limit Administrator Accounts
Keep administrator accounts to one or two per site. Every additional administrator account is a potential attack vector. If a team member needs broad access, consider the Editor role supplemented with specific additional capabilities rather than full Administrator privileges.
Audit User Accounts Regularly
Review your user list quarterly. Remove inactive accounts, downgrade roles for users who have changed responsibilities, and verify that no unauthorized administrator accounts exist. Stale accounts with elevated permissions are a common entry point for attackers. An activity log plugin can help you track who changed what and when.
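As an added example (not from the original article), the following must-use plugin turns that quarterly review into a repeatable report. It flags every Administrator account, any user who holds manage_options without the Administrator role, users whose assigned role is no longer registered, and Editor-or-above accounts with no login in 90 days. WordPress core does not record last login, so the plugin writes an assumed last_login user meta on the wp_login hook; the example_ prefix and the WP-CLI command name are also assumptions.

```php
<?php
/**
 * Plugin Name: Role Audit Command
 * Description: Adds `wp example audit-roles` (assumed command name) and records last login.
 *
 * Added example, not part of the original article. Intended for wp-content/mu-plugins/.
 * The audit only reports; it changes nothing.
 */

/** Record the login time so the audit can spot stale privileged accounts (assumed meta key). */
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'last_login', time() );
}, 10, 2 );

/** Return the audit findings, keyed by finding type. */
function example_audit_privileged_users( $stale_after_days = 90 ) {
    $findings = array(
        'administrators'        => array(), // confirm each one is still needed
        'unexpected_admin_caps' => array(), // manage_options without the administrator role
        'invalid_role'          => array(), // role no longer registered (deleted custom role)
        'stale_privileged'      => array(), // Editor+ with no recorded login in the window
    );
    $cutoff   = time() - $stale_after_days * DAY_IN_SECONDS;
    $wp_roles = wp_roles();

    // On very large user tables, page through with 'number'/'paged' instead.
    foreach ( get_users() as $user ) {
        $label = sprintf( '#%d %s', $user->ID, $user->user_login );

        if ( in_array( 'administrator', $user->roles, true ) ) {
            $findings['administrators'][] = $label;
        } elseif ( $user->has_cap( 'manage_options' ) ) {
            // Granted through a custom role or a per-user add_cap(); review either way.
            $findings['unexpected_admin_caps'][] = $label;
        }

        foreach ( $user->roles as $role ) {
            if ( ! $wp_roles->is_role( $role ) ) {
                $findings['invalid_role'][] = "$label ($role)";
            }
        }

        // edit_others_posts marks Editor-level access or above. A missing
        // last_login meta counts as stale, which is the safe default.
        if ( $user->has_cap( 'edit_others_posts' ) ) {
            $last = (int) get_user_meta( $user->ID, 'last_login', true );
            if ( $last < $cutoff ) {
                $findings['stale_privileged'][] = $label;
            }
        }
    }
    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example audit-roles', function () {
        WP_CLI::line( wp_json_encode( example_audit_privileged_users(), JSON_PRETTY_PRINT ) );
    } );
}
```

Run `wp example audit-roles` from the site root; the JSON output is easy to diff against last quarter's run. The stale check only becomes meaningful once the login hook has been in place for a full window, so expect every privileged account to be flagged on the first run.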
Combine Roles with Two-Factor Authentication
Roles control what users can do, but they do not prevent stolen credentials. Pair role management with two-factor authentication (2FA) on all accounts that have Editor access or above. That way a compromised password alone is not enough to reach the dashboard.
Use Capability Checks in Custom Code
If you build custom functionality — whether in a plugin, theme, or code snippet — always gate sensitive operations behind capability checks:
```php
if ( current_user_can( 'manage_options' ) ) {
    // Only administrators can run this
    update_option( 'my_custom_setting', $new_value );
}
```
Never assume a user’s role. Always check specific capabilities, because roles can be modified and custom roles may not match default expectations. Our REST API authentication guide covers capability checks in the context of API endpoints.
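The check above is the building block; the added example below (not code from the original article) shows it applied at the two places custom code most often exposes a privileged operation: a REST endpoint and a classic admin-post.php form handler. The route namespace, option name and function names are assumptions.

```php
<?php
// Added example, not from the original article. Both handlers update the same
// option and both gate on the capability, never on the role name.

// 1. REST endpoint: the permission_callback IS the capability check. WordPress
//    runs it before the callback; returning WP_Error yields a 403 response.
//    '__return_true' is only appropriate for genuinely public read endpoints.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_update_setting',
        'permission_callback' => function () {
            // Cookie-authenticated requests must also send a valid X-WP-Nonce,
            // otherwise WordPress treats the caller as logged out and this is false.
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Insufficient permissions.',
                array( 'status' => 403 )
            );
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_rest_update_setting( WP_REST_Request $request ) {
    update_option( 'my_custom_setting', $request['value'] );
    return rest_ensure_response( array( 'updated' => true ) );
}

// 2. admin-post.php handler: verify the nonce (the request came from your form)
//    AND the capability (this user may perform the action). A nonce on its own
//    does not prove authorization; a Subscriber can obtain one from any page
//    that renders the form.
add_action( 'admin_post_example_update_setting', function () {
    check_admin_referer( 'example_update_setting' ); // dies on a missing or bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'my_custom_setting', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
} );

/** Render the matching form; wp_nonce_field() emits the token the handler checks. */
function example_render_setting_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_update_setting' ); ?>
        <input type="hidden" name="action" value="example_update_setting">
        <input type="text" name="value" value="<?php echo esc_attr( get_option( 'my_custom_setting', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The REST permission_callback and the admin-post capability check are deliberately identical: if a role-management plugin later grants manage_options to a custom role, both paths honour it, and if an Administrator is downgraded, both paths close at once.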
See User Submissions Right on Their Profile
When auditing user activity, our List User Entries for Gravity Forms adds recent Gravity Forms submissions directly to WordPress user profile pages. One glance shows you everything a user has submitted — pay what you want.
Troubleshooting Common Role and Capability Issues
“Sorry, You Are Not Allowed to Access This Page”
This error means the logged-in user lacks the capability required for the action. Check the user’s role, verify the role includes the expected capability, and confirm no plugin is stripping capabilities. Role management plugins like Members show the exact capabilities assigned to each role.
Custom Roles Disappear After Theme Change
If you registered a custom role inside functions.php using add_role(), it is stored in the database and should persist. However, if the code was wrapped in an activation hook tied to the theme, switching themes may not trigger re-registration. Move custom role code to a must-use plugin (wp-content/mu-plugins/) to ensure it loads regardless of active theme.
Plugin Capabilities Not Appearing
When a plugin adds custom capabilities (like WooCommerce’s manage_woocommerce), those capabilities are only assigned to roles during the plugin’s activation routine. If you created a custom role before installing the plugin, the custom role will not automatically receive the plugin’s capabilities. Use a role management plugin or add_cap() to manually assign them.
Multisite Role Confusion
On multisite networks, remember that custom roles created on one site do not automatically apply to other sites. If you need a custom role across the entire network, register it in a must-use plugin at the network level or use a role management plugin that supports multisite propagation.
Frequently Asked Questions
Can a user have multiple roles?
WordPress supports multiple roles per user at the code level, but the default dashboard UI only shows one role selector. Plugins like Members enable multi-role assignment through the admin interface. When a user has multiple roles, their effective capabilities are the union of all assigned roles.
What happens if I delete a role that users are assigned to?
Users assigned to a deleted role retain their user accounts but lose all capabilities associated with that role. They effectively become users with no permissions until you reassign them to a valid role. Always reassign users before deleting a custom role.
Do custom roles affect site performance?
No. Roles and capabilities are loaded once per page request from the database and cached in memory. Even sites with dozens of custom roles experience no measurable performance impact from the role system itself.
How do I reset roles to WordPress defaults?
If role modifications have caused issues, the simplest fix is deactivating any role management plugins and using WP-CLI to reset roles: wp role reset administrator editor author contributor subscriber. This restores the default capability assignments without affecting user accounts.

