This guest post is by Karol K of ThemeFuse.
One of the final steps of the famous five-minute WordPress installation is to set up an Admin account. This account, by default, is assigned to the role of Administrator, which is the most powerful user role in WordPress.
But Administrator isn’t the only role available. You can, and as a matter of fact should, use other roles when working with your blog on a daily basis.
WordPress user roles sounds like a boring topic. It sounds like something a web developer has to deal with, or an administrator, or someone with a similar job description. And that pushes user roles to the bottom of our to-do lists when we’re setting up our blogs. Even though we get exposed to the whole idea quite early, during installation, we usually ignore it completely.
If you’re new to WordPress, and the whole concept of running a site is something you’ve never done before, you might think you only need the main Admin account. This seems reasonable, especially if your blog is a single author’s work, and that author is you.
But that’s not the best approach, unfortunately. For one thing, if you only have one user account, your Dashboard will get cluttered, which lowers the usability of WordPress as a publishing tool.
Even more importantly, if you just use the Admin account, you are more prone to all kinds of attacks and hacks than if you took a more systematic approach to user roles.
Why having just one user account is a security issue
Relying on a single user account is a security issue for a number of reasons.
First of all, your username is publically visible to anyone who goes to your author archives (usually at domain.com/author/your-username). This means that if someone wants to hack into your blog, they only need to break your password.
Secondly, if your admin account gets hacked, you can lose everything—your whole blog. You can even have it permanently deleted.
This is why it’s worth knowing a thing or two about user roles, and to use the Administrator role for admin purposes only. (Also, always hide it behind a truly complex and secure password, but that’s a another story.)
What are WordPress user roles for?
Essentially, user roles define what users can and cannot do with a given blog. For instance, depending on the role, one user might have the ability to edit everyone else’s posts, while another user might not even have the ability to hit the Publish button on their own posts.
What’s all this for? If you have a multi-author blog, the answer is obvious. You don’t want to let anyone do whatever they please with your blog. (A good practice is to allow different contributors to do just the bare minimum they must do in order to get their particular jobs done.)
For a single-author blog, creating an additional account can be a solid safety measure. You can use this new account to publish content, and edit posts and pages. And whenever you have to do any administrative work, you can switch to the Admin account.
User roles in WordPress
There are five basic user roles in WordPress, and one “super-role.” They are:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
- Super Admin—the super-role.
Let’s take it from the top.
Subscriber
This is the most basic role for user accounts in WordPress. Most blogs that enable user registration assign every new user account to this role.
Basically, this role doesn’t have any privileges at all. The only thing a subscriber can do is manage their profile—it provides them with access to the WordPress Admin panel, section Users > Your Profile.
Usually, this role is used as a placeholder. If someone is no longer contributing to the blog, but you don’t want to delete their account, you can simply change their role to Subscriber.
Contributor
This is the most popular user role you can give to guest posters and other regular contributors.
Every Contributor can create a new post, edit it, and then submit it for review. They also have access to the comments section and can manage comments. However, once a post is published, a contributor can no longer modify that post.
Contributors don’t have access to anyone else’s content, which makes this role perfect for working with guest authors, as mentioned before. If you’re operating a single-author blog, however, then it’s not a role that will be useful to you.
Author
This is a great role for multi-author blogs. Each author can manage their own posts, edit them, delete them, and publish them to the site. They can also access to the content once the post is published. Essentially, an Author is a Contributor with a possibility to publish posts.
Even though there are three roles above Author, it still should be assigned only to trusted members of your team—people who you consider coauthors of your blog. Giving this role to someone who you’re not in any kind of professional relationship with is not the best idea.
Editor
This role enjoys the privileges of all the previous ones. In addition, it can manage all posts (written by any author), create and edit pages, and has access to every other piece of content published on the blog, including categories and tag management.
All this makes it perfect for single-author blogs. It’s a good idea to set an Editor account for yourself, which you’ll then use to publish and manage content.
For multi-author blogs, this role should be used by the person in charge. That one editor (or a small group of editors if the blog is a bigger one) will get the deciding vote regarding every post or page.
Administrator
In a sentence: this is a role that gets access to all the Admin features. It’s the most powerful role (except for the Super Admin, which we’ll get to in a moment)—there’s no one above the Administrator.
As I mentioned before, you get one Administrator account during installation. You can create more Admin accounts later on, but I don’t advise you to do so if you don’t have a good reason.
Also, make sure that your Admin password is secure and impossible to break. Try to use as many special characters, numbers, and big and small letters in your password as possible. The more complex your password is, the better.
Super Admin
WordPress allows you to create something called a multisite setup. Multisite setup is when you launch more than one WordPress site from a single installation of WordPress. You can have as many sites as you want, but they all have to sit in different directories or sub-domains.
I’m explaining this as an introduction to what the Super Admin role is: basically, it’s someone who has administration access to all the websites in a multisite network. Hence the name “Super Admin.” Apart from that, the role doesn’t have any additional responsibilities over an above those in the Administrator role.
How to set user roles
WordPress has always been quite an easy environment to use, so setting roles is as easy as anything else. You start by going to the section of Users > Add New:
The form that gets displayed features a dropdown list, where you get to select the role you want to assign to the new user (you can do the same for existing users):
Once you hit Add New User or Update User (depending if you’re creating a new account or editing an existing one), the role will be set. In other words, your work is done. This must be the shortest how-to guide ever!
Just to wrap up, let me give you some quick tips on the role setup I advise you to use for depending on whether you have a single-author blog or a multi-author blog.
Assigning user roles for single-author blogs
This is the simplest setup possible, and it only features two user accounts:
- Administrator account for all admin tasks, as described in detail earlier in this post.
- Editor account for all content publishing tasks. This is the account you should use to add new posts, edit pages, moderate comments, and all sorts of other content-related things.
Assigning user roles for multi-author blogs
This is a more complex setup. Consider using it only if you have a bigger team of people managing your blog:
- One Administrator account for all admin tasks.
- One, or a small number of Editor accounts. These roles will take care of managing the blog’s content as a whole, doing some final editing, and making sure that all posts share the same quality.
- Author accounts for every member of your team. These people will have the possibility to publish their posts whenever they please, so you still need to be careful with these accounts.
- Contributor accounts for all guest authors, contractors, and other regular contributors. After a Contributor submits their post for review, an Editor can check it and hit the Publish button if the post meets the standards of the blog.
- Subscriber accounts as placeholders for contributors or authors who are no longer active, but might come back someday, so it’s best not to delete them permanently.
This closes the topic of user roles in WordPress. I hope that you can see their value even for single-author blogs. I, personally, have an Editor account on all my blogs, and I rarely log in to my Administrator accounts. Only when I need to perform an update or change something about my plugins or themes will I use the Admin role.
What’s your current approach to WordPress roles? Are you using user roles or are you simply doing every task from your Administrator account?
Karol K. is a 20-something year old web 2.0 entrepreneur from Poland and a writer at ThemeFuse.com, where he shares various WordPress advice. Contrary to what you might think, he doesn’t want to be the worst blogger on the planet. Don’t forget to visit ThemeFuse to get your hands on some premium WordPress themes (warning: no boring stuff like everyone else offers).
Originally at: Blog Tips at ProBlogger
Weekend Project: Set Safe, Secure User Roles on Your WordPress Blog
