Guides April 27, 2026 9 min read

WordPress User Roles and Permissions: A Complete Security Guide

Introduction

Every WordPress site ships with a built-in user role system. It defines who can do what, from writing posts to installing plugins. The problem is that default roles are too permissive. Many site owners give users Administrator access when they only need Editor or Author privileges. This is a major security risk.

This WordPress user roles security guide will show you how to fix that. You will learn what each role does and where the dangers hide. You will also learn how to audit your users and create custom roles. By the end, your site will be far harder to compromise.

Small mistakes in user roles lead to big breaches. A hacked author account can inject malicious files. A stolen admin account can destroy an entire site. Understanding roles is the first step toward real WordPress security. This guide covers everything you need to lock down your user management today.

Default WordPress Roles Explained

WordPress has six default roles. Each role has a specific set of capabilities. Understanding each one is key to making smart decisions. Let us look at each role and its security impact.

Super Admin is the highest role. It only exists on WordPress Multisite networks. A Super Admin can manage every site in the network. They can install themes and plugins network-wide. They can also add and remove users across all sites. If a Super Admin account is compromised, the entire network is lost. Use this role sparingly and only for full-time site managers.

Administrator is the most powerful single-site role. An Admin can do everything: install plugins, edit themes, create users, delete content, and change settings. Many sites have three or four admins when they only need one. Each extra admin is an extra attack surface. If you have a team of content writers, very few of them need this role. Keep your admin count as low as possible.

Editor can manage all posts and pages. They can publish, edit, and delete content from any user. They can moderate comments and manage categories. Editors cannot install plugins or change settings. This is the right role for a senior content manager. The risk here is lower but still real. An editor could delete important content if their account is hijacked.

Author can publish and manage their own posts. They can upload files to the media library. This is where a common risk appears. Authors can upload images, PDFs, and other files. A malicious author could upload a PHP file disguised as an image. Your server must block dangerous file types at the upload level. Never trust file uploads from authors without additional safeguards.

Contributor can write posts but cannot publish them. They can submit their work for review. They cannot upload files at all. This is a safe role for guest writers and freelancers. The risk is minimal. Contributors cannot change settings or add media directly. This makes them a good choice for outside contributors.

Subscriber can manage their own profile. They can read content on the site. That is it. Subscribers have almost no power. The risk here is not what subscribers can do. It is what you reveal to them. Subscriber accounts are often used to enumerate valid usernames on a site. An attacker can probe the login page to find which usernames exist.

The Principle of Least Privilege

Least privilege means giving each user the lowest role they need to do their job. If a writer only needs to draft posts, make them a Contributor. If a manager needs to review and publish, make them an Editor. Do not give a content writer Administrator access just because it is easier. This principle is the foundation of secure user management.

Why is this so important? Picture a real attack. A phishing email tricks your content writer into revealing their password. If they have Admin access, the attacker can install a backdoor plugin. They can steal the entire database. They can redirect your site to a scam page. If that same writer only had Contributor access, the damage stops at a few draft posts.

Another real scenario involves plugin vulnerabilities. An old plugin has a vulnerability that lets an attacker act as any user on the site. If that user is an Admin, the attacker gets full control. If that user is a Subscriber, the attacker gets nothing useful. Least privilege limits the blast radius of every single attack. It is one of the cheapest and most effective security measures you can implement.

Common Role Assignment Mistakes

The first mistake is too many administrators. Small businesses often add new team members as Admins for convenience. Before long, five people have keys to the whole house. Audit your admin list today. Most teams need one or two admins at most.

The second mistake is letting Authors upload unrestricted files. By default, Authors can upload to the media library. An Author could rename a PHP file to .jpg, upload it, and access it directly. That file could execute code on your server. You can block this with a security plugin or a custom function. Never assume Authors will only upload safe content.

The third mistake is subscriber enumeration. WordPress tells you if a username exists when logging in. A message like “Error: The password you entered for the user admin is incorrect” confirms that admin is a real user. Attackers use this to build lists of valid usernames. You can disable this with a plugin or custom code. Trusti Security helps here by masking login errors.
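Two defensive filters for the second and third mistakes above, added here as an example (this is not code from the original guide or from Trusti Security). The function names are hypothetical; upload_mimes and login_errors are standard WordPress filters.

```php
<?php
// Added example: hook names are real WordPress filters, function names are hypothetical.

// Mistake two: non-administrators get a short allow-list of upload types.
// WordPress checks each upload's extension and MIME type against the list
// returned by this filter, so PHP (or anything else not listed) is rejected.
function trusti_example_restrict_upload_mimes( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $mimes; // administrators keep the site's default list
    }
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
    // Intersect with the current list so site-wide removals still apply.
    return array_intersect_key( $mimes, $allowed );
}
add_filter( 'upload_mimes', 'trusti_example_restrict_upload_mimes' );

// Mistake three: one generic message for every failed login, so the
// response no longer confirms whether a username such as "admin" exists.
function trusti_example_generic_login_error( $error ) {
    return 'Error: invalid username or password.';
}
add_filter( 'login_errors', 'trusti_example_generic_login_error' );
```

The login_errors filter only changes the message on the login form itself, so pair it with the login attempt limiting described later in this guide.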

The fourth mistake is shared accounts. Some teams share one Admin login instead of creating individual accounts. This is dangerous. You cannot audit who did what. You cannot revoke access for one person without changing the password for everyone. Always create individual accounts for each team member.

How to Audit Current Users

You need to know who is on your site. The WordPress admin panel shows users under Users > All Users. But for large sites, WP-CLI is faster. Here is how to list all users:


wp user list

This command shows user ID, login name, display name, email, and role. To see only administrators, run this:


wp user list --role=administrator

You can check when each user last logged in. WordPress does not record this by default, so install a plugin such as WP Last Login. Then run this command:


wp user list --field=ID | xargs -I {} wp user meta get {} last_login

If you find old accounts no one uses, remove them. An unused account is a ticking bomb. Delete it with this command:


wp user delete 5 --reassign=1

This deletes the user with ID 5 and reassigns their content to user ID 1. Always reassign content so you do not lose posts. Run this audit every month. Make it part of your security routine. A clean user list is a secure user list.

Custom Roles with Capabilities

Default roles do not fit every situation. You may need a role that can edit posts but not delete them. Or a role that can manage users but not change themes. WordPress has a built-in function for this, called add_role(). It lets you create any role you need.

Here is an example. Create a role called “Content Reviewer” that can edit any post but cannot publish or delete:


function trusti_add_content_reviewer_role() {
    // add_role() stores the role in the database; it returns null and
    // changes nothing if a role with this slug already exists.
    add_role(
        'content_reviewer',
        'Content Reviewer',
        array(
            'read'              => true,
            'edit_posts'        => true,
            'edit_others_posts' => true,
            'publish_posts'     => false, // false is an explicit denial
            'delete_posts'      => false,
        )
    );
}
add_action( 'init', 'trusti_add_content_reviewer_role' );

Put this in your theme’s functions.php file or a custom plugin. After adding it, go to Users and assign the new role to anyone who needs it.

You can also remove capabilities from existing roles. The dangerous unfiltered_html capability lets users post any HTML markup, including scripts. This is a common vector for XSS attacks. Only give it to users you fully trust. Here is how to remove it from the Editor role:


function trusti_remove_unfiltered_html_from_editors() {
    $editor_role = get_role( 'editor' );
    if ( $editor_role ) {
        // remove_cap() writes the change to the database, so it persists
        // even after this code is removed.
        $editor_role->remove_cap( 'unfiltered_html' );
    }
}
add_action( 'init', 'trusti_remove_unfiltered_html_from_editors' );

Never give custom roles the ability to edit themes, plugins, or users unless absolutely required. These capabilities are what make an Administrator an Administrator. Keep them locked down for everyone else.
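An audit that reports which non-administrator roles hold the capabilities just described, added here as an example (not code from the original guide or from Trusti Security). Function names are hypothetical; wp_roles() and admin_notices are standard WordPress APIs.

```php
<?php
// Added example: audit which non-administrator roles hold the capabilities
// the guide reserves for Administrators. Function names are hypothetical.

// Capabilities that make an Administrator an Administrator.
function trusti_example_sensitive_caps() {
    return array(
        'install_plugins', 'edit_plugins', 'activate_plugins',
        'install_themes',  'edit_themes',  'switch_themes',
        'create_users',    'edit_users',   'delete_users', 'promote_users',
        'edit_files',      'unfiltered_html',
    );
}

// Returns array( role_slug => array( cap, ... ) ) for every role other than
// administrator that grants at least one sensitive capability.
function trusti_example_audit_role_caps() {
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        $granted = array();
        foreach ( trusti_example_sensitive_caps() as $cap ) {
            // A cap counts only when present and true; false means explicitly denied.
            if ( ! empty( $role['capabilities'][ $cap ] ) ) {
                $granted[] = $cap;
            }
        }
        if ( $granted ) {
            $findings[ $slug ] = $granted;
        }
    }
    return $findings;
}

// Show the findings as a dashboard notice so the audit cannot be overlooked.
// On a default single-site install this flags the Editor role for unfiltered_html.
function trusti_example_role_audit_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( trusti_example_audit_role_caps() as $slug => $caps ) {
        $message = sprintf( 'Role "%s" holds sensitive capabilities: %s', $slug, implode( ', ', $caps ) );
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $message ) );
    }
}
add_action( 'admin_notices', 'trusti_example_role_audit_notice' );
```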

If you want a simple way to manage roles, use a plugin like User Role Editor. It provides a UI for adding and removing capabilities without writing code. Just be careful with the changes you make and test them first.

How to Secure Your User Management

Strong passwords are your first line of defense. Every user on your site should have a password with at least 12 characters. Use a mix of uppercase, lowercase, numbers, and symbols. Encourage your team to use a password manager for safe storage.

Limit login attempts to prevent brute force attacks. By default, WordPress lets users try to log in as many times as they want. Attackers can guess thousands of passwords per minute. A login limiter locks the user out after a few failed attempts. Trusti Security includes Brute Force Protection that does exactly this out of the box.

Two-factor authentication adds a second layer of security. Even if a password is stolen, the attacker cannot log in without the second factor. Trusti Security offers TOTP-based 2FA for free. This is the same technology used by Google Authenticator and Authy. Your users scan a QR code with their phone app. Then they enter a six-digit code that changes every 30 seconds. No code means no login, even with the right password.

For more on securing logins, read our guide on WordPress login security hardening. It covers login URL masking and other techniques you can use today.

Set up regular user audits. Review the user list every month. Remove old accounts. Check that each user has the correct role. Watch for new Admin accounts you did not create. That is a clear sign of a breach.
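One way to turn the "new Admin account you did not create" signal into an alert, added here as an example (not code from the original guide or from Trusti Security). The function name is hypothetical; set_user_role and add_user_role are standard WordPress actions.

```php
<?php
// Added example: email the site owner whenever an account becomes an
// Administrator. Function name is hypothetical; set_user_role and
// add_user_role are fired by WP_User::set_role() and WP_User::add_role().

function trusti_example_alert_new_admin( $user_id, $new_role, $old_roles = array() ) {
    // Ignore anything that is not a transition INTO administrator. A brand-new
    // user created as Administrator arrives here with an empty $old_roles.
    if ( 'administrator' !== $new_role || in_array( 'administrator', (array) $old_roles, true ) ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user();
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a';
    $lines = array(
        sprintf( 'Account:   %s (ID %d)', $user ? $user->user_login : '(unknown)', $user_id ),
        sprintf( 'Done by:   %s', $actor->exists() ? $actor->user_login . ' (ID ' . $actor->ID . ')' : 'no logged-in user (cron or WP-CLI)' ),
        sprintf( 'Source IP: %s', $ip ),
        sprintf( 'Time:      %s', current_time( 'mysql' ) ),
        'Administrators now: ' . count( get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) ) ),
    );
    wp_mail(
        get_option( 'admin_email' ),
        '[Security] New Administrator on ' . wp_parse_url( home_url(), PHP_URL_HOST ),
        implode( "\n", $lines )
    );
}
// set_user_role passes ( $user_id, $new_role, $old_roles ) ...
add_action( 'set_user_role', 'trusti_example_alert_new_admin', 10, 3 );
// ... while add_user_role passes ( $user_id, $role ), so $old_roles stays empty.
add_action( 'add_user_role', 'trusti_example_alert_new_admin', 10, 2 );
```

Someone who already holds Administrator can remove this hook, so treat it as an early-warning signal alongside an activity log rather than as a control in itself.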

Do It All With One Plugin

You do not need ten different plugins to secure user management. Trusti Security handles the most important pieces in one free plugin. It is designed to be simple, effective, and privacy-friendly.

Trusti Security provides TOTP-based 2FA for every user on your site. It is easy to set up and works with any authenticator app. It also includes Brute Force Protection that blocks attackers after too many failed login attempts. No configuration is needed. Just activate it and it starts working immediately.

The Admin Activity Log tracks everything important. It records when users are created and when their roles change. If someone gives themselves Admin access, you will see it in the log right away. This visibility is essential for catching insider threats and compromised accounts. You can check the log any time from your dashboard.

Trusti Security is free and does not track your data. It does not manage user roles or enforce password policies. But for the security features that matter most (2FA, brute force protection, and activity logging), it covers you completely. Install Trusti Security today and lock down your user management.

The Bottom Line

WordPress user roles are not just a convenience feature. They are a critical security control. Giving users more access than they need is the fastest way to compromise your site. The good news is that fixing this is not hard.

Here are your key actions. Audit your user list today. Remove old accounts. Demote users who do not need Administrator access. Create custom roles that match your team’s actual needs. Enable 2FA for everyone. Limit login attempts. Review your user list every single month.

For further reading, check out the WordPress Roles and Capabilities documentation. It lists every capability and which role has it. Also read our guide on WordPress two-factor authentication to add an extra layer of protection.

Start with the audit. Then layer on the other protections. Your site will be safer, and you will sleep better at night.
