WordPress ships with six standard user roles (five on a single site, plus Super Admin on a Multisite network). To secure your site and give users only the capabilities they actually need, it is important to know which rights each role grants and what it means to hand those rights to a large number of users. It is also important to understand your options for managing users securely.
The 6 User Roles In WordPress
Each of the six standard roles has a set of capabilities assigned to it, allowing users to perform certain actions on your site. The six roles correspond to six levels of access: the highest gives full editing and deleting rights, the lowest only the right to read and comment. Be aware that even the lowest level, Subscriber, can be put to efficient use by spammers. Check the Security Risks section below if you are uncertain about the consequences of assigning a certain role.
SuperAdmin is only available on a WordPress Multisite network (strictly speaking it is a network-wide flag on the user account rather than a role stored in a site's role table, which matters when you audit who holds it). It is the only level with no limitations at all: it controls the whole network, every site and user on it, and all content, backend and frontend.
It is therefore a level that should not be assigned unless it is strictly necessary. Ideally only the site owner or a specially chosen site manager (webmaster) holds the full set of rights.
The Administrator (Admin) can have different capabilities, depending on whether Multisite is enabled or not.
On a Multisite network, the Admin cannot install, upload, edit or delete themes or plugins, nor edit their files; these are controlled at network level. They cannot create or delete network user accounts either; at most they can add existing network users to their own site. The Admin can, however, manage all site-level settings: theme settings, activating plugins (if the network has enabled the Plugins menu for sites), removing users from the site, managing their own and other users' published and unpublished posts, pages and uploads, and every other site-level change.
On a single site, the Admin has every capability, including installing and managing themes and plugins, and full control over users and their content. Because an Admin can install arbitrary plugins and edit theme and plugin PHP files from the dashboard, an Admin account is in practice the same as code execution on your web server. Defining DISALLOW_FILE_EDIT in wp-config.php removes the built-in file editor, and DISALLOW_FILE_MODS additionally blocks installing and updating plugins, themes and core from the dashboard.
This role should only be assigned to site owners or specially chosen site managers (webmasters), ideally to one user at a time.
Even though Editors don’t have rights to manage themes, plugins or users, they are still very powerful users. They can basically read, edit, publish, and delete all of the site’s content, including others’ published, private or drafted posts, pages, and comments.
Additionally, on a single site, Editors, like the Admin, hold the unfiltered_html capability: what they put into titles, posts, pages and comments is not run through WordPress's HTML filter (KSES), so script tags, iframes and inline event handlers survive. That is convenient for embedding, but it means an Editor, or anyone who hijacks an Editor's session, can plant stored cross-site scripting that runs in every visitor's and every Admin's browser. On a Multisite network the capability is reserved for Super Admins, and on any site it can be switched off for everyone by defining DISALLOW_UNFILTERED_HTML in wp-config.php.
Because Editors can literally delete all the content on your site, as well as publish or allow the publishing of malicious content, links, and HTML, it’s important to only assign Editor roles to trusted users.
If you run a large content-driven website with user generated content, it might be necessary to have many Editors, enough to handle the volume of content. They should, however, still be chosen very carefully and, if applicable, bound with a contract, specifying their functions, responsibilities, and limitations.
Authors are only one level below Editors but have considerably fewer rights. They can write, edit, publish and delete their own posts and upload files, but cannot touch anyone else's posts. Note that, unlike Contributors, Authors need nobody's approval: a post they publish goes live immediately.
Authors cannot edit pages either. If you need someone to work with pages, assign a role with more privileges.
Be aware, too, that Authors can edit their own posts after publication, so a post that has been checked can be altered afterwards. As long as you give Author privileges to a wide circle of users you do not fully trust, keep reviewing their published work, or strip the edit_published_posts capability from the role so that a published post can only be changed by an Editor or Admin.
Contributors can write, edit and delete their own unpublished posts, read published content and comment on it. The differences from Authors are that Contributors cannot publish (a finished post is submitted for review and goes live only when an Editor or Admin publishes it), cannot upload files, and cannot edit or delete their posts once published.
This is therefore the role to assign to users who are not yet trusted. They will need help with, for example, uploading an image for their post, which can be inconvenient, but withholding file uploads and any control over published content makes for a much higher level of security. Their post text is still run through the HTML filter, like an Author's.
You can assign the Contributor role without worrying too much, as Contributors can only offer content for publication; whether it is published is still up to a higher-level user, who should actually read it before pressing Publish.
Subscriber is the default role for new users (Settings->General, New User Default Role), and this is for security reasons. Subscribers can only read published content and comment on it.
The rights to read published content and, where comments are enabled, to comment on it are common to all roles from SuperAdmin down to Subscriber. They should not be taken lightly. Reading does no harm, but commenting can be, and often is, a big problem because of the sheer number of spammers. It is not unusual for a new site owner to check the search queries in Search Console and find that the only queries producing impressions or clicks are something like “WordPress Leave a comment”.
You should therefore consider carefully whether it is really necessary to allow Subscriber registrations at all (Settings->General, Anyone can register). Comments can be a good way to engage users, but if they are not handled properly they hurt the user experience and, with it, SEO.
Here’s the full list of user role capabilities in WordPress:
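The same list can be pulled from a live site, which also shows exactly what each step up the ladder adds and who currently holds the top roles. The following is an added example, not code from the original post or from WordPress itself; it uses only core functions (wp_roles(), get_users(), get_super_admins()) and must run inside a loaded WordPress, for instance with `wp eval-file role-audit.php`. The ladder order, the file name and the handful of capabilities singled out are assumptions matching the post's description.

```php
<?php
/**
 * Added example: audit the built-in WordPress roles and who holds the powerful ones.
 * Run inside WordPress (e.g. `wp eval-file role-audit.php`); it only reads.
 *
 * Caveat: this dumps the role table. On Multisite, map_meta_cap() still denies some of
 * these (unfiltered_html, edit_plugins, ...) to everyone who is not a Super Admin.
 */

/** Least to most privileged, as the post describes the ladder (assumed order). */
const ROLE_LADDER = [ 'subscriber', 'contributor', 'author', 'editor', 'administrator' ];

/**
 * Capabilities a role grants (value true), sorted, without the legacy level_N caps.
 * Returns an empty array for an unknown role.
 */
function role_caps( string $role ): array {
    $roles = wp_roles()->roles; // slug => [ 'name' => ..., 'capabilities' => [ cap => bool ] ]
    if ( ! isset( $roles[ $role ]['capabilities'] ) ) {
        return [];
    }
    $caps = array_keys( array_filter( $roles[ $role ]['capabilities'] ) );
    $caps = array_filter( $caps, function ( $cap ) {
        // level_0 .. level_10 are a pre-2.0 leftover and say nothing about what a user can do.
        return ! preg_match( '/^level_\d+$/', $cap );
    } );
    sort( $caps );
    return $caps;
}

/** Which roles on the ladder grant a given capability. */
function roles_granting( string $cap ): array {
    return array_values( array_filter( ROLE_LADDER, function ( $role ) use ( $cap ) {
        return in_array( $cap, role_caps( $role ), true );
    } ) );
}

function role_audit(): void {
    // 1. What each step up the ladder adds.
    $below = [];
    foreach ( ROLE_LADDER as $role ) {
        $caps  = role_caps( $role );
        $added = array_diff( $caps, $below );
        printf( "%-13s %3d capabilities, +%d over the role below: %s\n",
            $role, count( $caps ), count( $added ), implode( ', ', $added ) );
        $below = $caps;
    }

    // 2. The capabilities behind the risks the post lists, and who has them.
    foreach ( [ 'publish_posts', 'edit_published_posts', 'edit_others_posts',
                'unfiltered_html', 'edit_plugins' ] as $cap ) {
        printf( "%-21s %s\n", $cap, implode( ', ', roles_granting( $cap ) ) ?: '(nobody)' );
    }

    // 3. Accounts holding the two most powerful site roles: keep this list short and familiar.
    foreach ( get_users( [ 'role__in' => [ 'administrator', 'editor' ] ] ) as $user ) {
        printf( "%-20s %-14s registered %s\n",
            $user->user_login, implode( ',', $user->roles ), $user->user_registered );
    }
    if ( is_multisite() ) {
        // Super Admin is a network-wide flag, not an entry in wp_roles(); list it separately.
        printf( "super admins: %s\n", implode( ', ', get_super_admins() ) );
    }
}

role_audit();
```

The interesting line in the output is the author to editor step: that is where edit_others_posts, unfiltered_html and the delete_* capabilities for other people's content appear, which is why the post treats Editor as a trusted-only role.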
Security Risks
A WordPress site becomes very vulnerable if user roles are not used properly. The main risks, with the roles that can cause them, are:
- Installing or editing themes and plugins (which amounts to running code on the server), manipulating users and changing other users' passwords (SuperAdmin and Admin)
- Publishing malicious content, including unfiltered HTML and scripts, deleting or altering others' content, and approving spam comments (SuperAdmin, Admin, and Editor)
- Publishing, editing or deleting their own content without review; an Author's HTML is filtered, but links and text are not (SuperAdmin, Admin, Editor, and Author)
- Writing spam comments or comments linking to malicious websites (all roles, SuperAdmin down to Subscriber)
How To Secure Your Website
To secure your website as much as possible against user-related problems, assign powerful roles only to people who have earned your trust. At the same time, build a routine that lets you watch user activity closely.
For smaller sites with user-driven content it is enough to give other users Contributor rights and keep the right to approve and publish content for yourself; Author rights already include publishing, so hand them only to people whose posts you are prepared to see go live unreviewed. Wherever possible, get in touch with new users personally and screen them. That way you avoid publishing inappropriate content and protect your site from being hijacked. Just remember that Authors can publish, and later alter, their posts without anyone's approval!
For larger sites you may need a more elaborate user structure with several Editors and Authors/Contributors, perhaps several Admins. To protect the site as well as possible, implement a hierarchy where users enter at the lowest level and, once they have proved their value, climb one level at a time. Even so, keep Admin rights exclusive to a very small and trusted group.
For sites where user accounts are only meant to grant Subscriber rights, that is reading and commenting, make sure comments must be approved before they are published. Do not let any comment bypass the moderation queue, not even from users with previously approved comments: under Settings->Discussion in the Admin menu tick “Comment must be manually approved” and untick “Comment author must have a previously approved comment”. You can also require commenters to be registered and logged in there, which only helps if open registration is off; otherwise a spammer simply registers first.
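Those checkboxes are ordinary options, so they can be audited and pinned from code instead of clicked through. The following is an added example, not code from the original post or from WordPress; it reads and writes core option names (users_can_register, default_role, comment_registration, comment_moderation, comment_previously_approved) through get_option()/update_option() and must run inside a loaded WordPress, for example with `wp eval-file discussion-audit.php`. The chosen target values and the file name are this example's assumptions, matching the post's advice.

```php
<?php
/**
 * Added example: audit and pin the comment/registration options the post points at
 * under Settings->General and Settings->Discussion. Run with `wp eval-file`.
 */

/**
 * Option name => [ wanted value, label as shown in the admin screens ].
 * Booleans are compared by truthiness because WordPress stores checkboxes as '1' or ''/'0'.
 */
const WANTED_OPTIONS = [
    'users_can_register'          => [ false, 'Anyone can register (General)' ],
    'default_role'                => [ 'subscriber', 'New User Default Role (General)' ],
    'comment_registration'        => [ true,  'Users must be registered and logged in to comment' ],
    'comment_moderation'          => [ true,  'Comment must be manually approved' ],
    // Core only consults this when manual moderation is off, but pin it anyway so that
    // switching moderation off later does not silently reopen the bypass.
    'comment_previously_approved' => [ false, 'Comment author must have a previously approved comment' ],
];

/**
 * Returns [ option => [ 'label', 'current', 'wanted' ] ] for every option that deviates.
 * $get is a callable like 'get_option' so the comparison logic can be exercised without a DB.
 */
function discussion_findings( callable $get ): array {
    $findings = [];
    foreach ( WANTED_OPTIONS as $option => [ $wanted, $label ] ) {
        $current = $get( $option );
        $ok = is_bool( $wanted )
            ? ( (bool) $current === $wanted )
            : ( (string) $current === $wanted );
        if ( ! $ok ) {
            $findings[ $option ] = [ 'label' => $label, 'current' => $current, 'wanted' => $wanted ];
        }
    }
    return $findings;
}

/** Writes the wanted values and returns the names of the options that actually changed. */
function discussion_harden(): array {
    $changed = [];
    foreach ( discussion_findings( 'get_option' ) as $option => $f ) {
        // Store checkboxes the way core does: '1' for on, '0' for off.
        $value = is_bool( $f['wanted'] ) ? ( $f['wanted'] ? '1' : '0' ) : $f['wanted'];
        if ( update_option( $option, $value ) ) {
            $changed[] = $option;
        }
    }
    return $changed;
}

// Report only; call discussion_harden() once you agree with the findings.
foreach ( discussion_findings( 'get_option' ) as $option => $f ) {
    printf( "%-28s %-60s is %s, want %s\n", $option, $f['label'],
        var_export( $f['current'], true ), var_export( $f['wanted'], true ) );
}
```

The report runs on every execution, so it can sit in a cron job or a deploy check; `wp option get comment_moderation` and friends give the same answers one option at a time.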
You can add a further layer by offering social login instead of the regular WordPress registration. This works quite well against spammers, who rarely want their real name under a spam comment. It is not a 100% solution, since creating a fake social profile takes a minute, but it works most of the time.
Alternatively, install a membership plugin. Although these are meant to encourage registrations and paid access, they can also serve as a tool for assigning and editing roles. The advantage is that you decide what registrants must provide, for example a real email address, a verifiable telephone number, an address, or a social media profile. To learn more about membership plugins, see the post How to Manage User Registrations in WordPress.
Last but not least, you can edit the capabilities of the six standard roles and create new ones. You can do this with a plugin such as Capability Manager Enhanced or the quite popular User Role Editor, or directly with WordPress's own role API (get_role(), add_role(), and the add_cap()/remove_cap() methods on a role), bearing in mind that such changes are written to the database and persist. This can be a great solution if you want to protect specific parts of your site while still empowering users.
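Put together, the three caveats above (Editors' unfiltered HTML, Authors altering published posts, Contributors needing help with uploads) come down to a handful of capability changes. The following is an added example of doing them with the role API, not code from the original post or from WordPress, written as a small plugin that applies the changes once on activation and reverts them on deactivation. The plugin name, the custom role slug contributor_uploader and its display name are this example's assumptions; the capability names are core WordPress capabilities.

```php
<?php
/**
 * Plugin Name: Role Hardening (added example; not the original post's or WordPress's own code)
 *
 * Tightens the built-in roles once, on activation, and undoes it on deactivation.
 * add_cap()/remove_cap() write to the wp_user_roles option, so the changes persist and
 * are not something to run on every request.
 */

/** Core capabilities to strip, per built-in role. */
const ROLE_HARDENING_REMOVE = [
    // Editors lose the right to bypass KSES: <script>, <iframe> and on* attributes in their
    // posts and comments are now stripped, like any other user's. Admins keep the capability.
    'editor' => [ 'unfiltered_html' ],
    // Authors can still write and publish their own posts, but cannot edit or delete a post
    // once it is published, so a post that has been checked cannot be quietly changed later.
    'author' => [ 'edit_published_posts', 'delete_published_posts' ],
];

function role_hardening_activate(): void {
    foreach ( ROLE_HARDENING_REMOVE as $slug => $caps ) {
        $role = get_role( $slug );
        if ( $role ) {
            foreach ( $caps as $cap ) {
                $role->remove_cap( $cap );
            }
        }
    }
    // A step the built-in ladder lacks: a Contributor who can upload their own images
    // but still cannot publish. Slug and display name are hypothetical.
    $contributor = get_role( 'contributor' );
    if ( $contributor && ! get_role( 'contributor_uploader' ) ) {
        add_role( 'contributor_uploader', 'Contributor (with uploads)',
            array_merge( $contributor->capabilities, [ 'upload_files' => true ] ) );
    }
}

function role_hardening_deactivate(): void {
    foreach ( ROLE_HARDENING_REMOVE as $slug => $caps ) {
        $role = get_role( $slug );
        if ( $role ) {
            foreach ( $caps as $cap ) {
                $role->add_cap( $cap );
            }
        }
    }
    // Move any users holding the custom role to another role before deactivating,
    // otherwise they are left with no capabilities at all.
    remove_role( 'contributor_uploader' );
}

register_activation_hook( __FILE__, 'role_hardening_activate' );
register_deactivation_hook( __FILE__, 'role_hardening_deactivate' );

/**
 * Belt and braces, evaluated on every request without touching the database: whatever the
 * role table says (or another plugin grants), only users who can manage the site get
 * unfiltered_html. Same idea as DISALLOW_UNFILTERED_HTML in wp-config.php, but Admins keep it.
 */
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3 );
```

After activating, an Editor who pastes a script tag into a post will see it stripped on save, an Author's own published post loses its Edit link, and a user in the new role can attach images to a draft that still lands in the pending queue. Deactivation puts the capabilities back, so the change is reviewable and reversible like any other plugin.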
Conclusion: Miracle Solutions
Even though I don't believe that protecting your site from spammers can be as easy as installing a plugin, there are quite a few anti-spam plugins out there with great reviews. It can therefore be a good idea to try them before pronouncing them useless.
The only absolute way to protect your site against user-generated spam is, though, simpler: don’t allow user registrations and commenting at all.
As a beginner online, you may think there are tons of people just waiting to engage with you by commenting on your posts, so you will find it hard to disallow comments. However, I'm sure that after a year or so you will be so tired of spammers and meaningless comments that you will understand why the few valuable comments are simply not worth it.
Remember also that spam comments, as annoying as they can be, are the least of your potential troubles with site users. My advice is therefore to avoid generosity when assigning user roles!