
WordPress User Roles Explained: Permissions, Risks, and Best Practices

August 10, 2025 · 7 min read · HostBible Team

WordPress ships with five built-in user roles on a single-site install (multisite adds a sixth, Super Admin). A role is just a named bundle of capabilities: WordPress code checks capabilities (current_user_can( 'edit_posts' )), never role names, which is why plugins can add capabilities to a role and quietly widen what it can do. Giving users more access than they need is a security risk: a compromised Editor account can do less damage than a compromised Administrator account. Understanding what each role can actually do, and where the security boundaries are, lets you apply the principle of least privilege correctly.

The five default roles and their actual capabilities

Administrator: Full access to everything. Can install and delete plugins and themes, edit plugin and theme PHP through the dashboard file editor (unless DISALLOW_FILE_EDIT is defined as true in wp-config.php, which every production site should do), change the settings of any plugin, create and delete any user (including other Administrators), and export or delete all site data. Because an Administrator can upload a plugin, an Administrator account is equivalent to remote code execution on the server as the web user. Keep as few Administrator accounts as possible, and give every one of them a unique username, a strong password, and 2FA, no exceptions.

Editor: Can publish and manage all posts and pages, including content written by other users. Can moderate and delete comments, manage categories and tags, and upload files to the media library. Cannot install plugins or themes, modify settings, or view or edit other users' accounts. One boundary that is easy to miss: on a single-site install, Editors (like Administrators) hold the unfiltered_html capability, so their content is not passed through KSES filtering and can contain arbitrary HTML and JavaScript. A compromised Editor account can therefore inject script into every page it can edit, not just spam links. Appropriate for senior editorial team members who manage other writers' content, and since Editors can edit any page, including key commercial pages, trust this role only to people you would trust with the whole website's content.

Author: Can write, edit, publish, and delete their own posts, and can upload files to the media library. Cannot edit other users' posts, moderate comments beyond those on their own posts, or modify any site settings. Author content does go through KSES filtering (no unfiltered_html), so script tags are stripped. Appropriate for regular contributors who publish independently without editorial review.

Contributor: Can write and edit their own posts but cannot publish them; a post has to be reviewed and published by an Editor or Administrator. Contributors can see their own posts in draft or pending state but lack the upload_files capability, so they cannot add files to the media library. Good for guest contributors or new writers whose content needs review before going live.

Subscriber: Can only manage their own profile and read content, and has no content creation capabilities. Useful for membership sites where users have accounts to access gated content but are not contributors. Subscriber is also the stock value of "New User Default Role" in Settings > General, so if open registration is enabled, or a contact form or checkout plugin creates WordPress accounts, new users land here unless that setting has been changed (check it: a default role of Administrator plus open registration is a complete takeover path). WooCommerce checkout assigns its own Customer role instead.

The security principle: least privilege

Assign the lowest role that allows the user to do their job. A blogger who only writes their own articles does not need Editor access; Author is sufficient. A client who needs to update their About page and upload photos does not need full Editor access; a custom role (covered below) is more appropriate. A developer who needed Administrator access to test plugin settings does not need to keep that account active after the project ends.

The security value of least privilege is damage limitation. If a Contributor account is compromised through phishing or a weak password, the attacker can at most create and edit that account's own draft posts, and anything they write is KSES-filtered before an Editor ever sees it. If an Administrator account is compromised, the attacker can install malicious plugins (arbitrary PHP), create new backdoor Administrator accounts, modify themes to inject malware, or export the entire user database. The gap in damage potential is the whole reason the roles exist.

Audit your user list periodically

Sites accumulate old user accounts: former employees, contractors from past projects, clients who were given temporary Administrator access and never removed, agencies that created their own accounts and forgot to clean up. Go to Users > All Users in wp-admin and use the role links above the table (Administrator, Editor, and so on) to filter to the elevated accounts. For each one, ask: does this person still work on this site? If not, delete the account, attributing their content to another user when prompted so published posts and pages are not lost.

For accounts you are unsure about, temporarily demote them to Subscriber rather than deleting, then follow up with the person. If they do not respond or confirm they need access, delete the account. Unused accounts with elevated permissions are low-hanging fruit for attackers: nobody is watching an account nobody uses, and its password is likely old, reused, or weak.

Set a quarterly reminder to audit your user list. This takes five minutes and consistently catches accounts that should have been removed months earlier.
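The same audit can be scripted so the quarterly reminder is a one-line WP-CLI run instead of a manual walk through the Users screen. The script below is added here as an example; it is not the article's or WordPress's own code. It assumes a hypothetical approved list of logins (maintained outside the site) and treats shop_manager as elevated only when WooCommerce has registered it. Unapproved accounts are reported, and demoted to Subscriber only when $demote is switched on, matching the "demote first, delete later" advice above.

```php
<?php
/**
 * Elevated-account audit for WordPress. Run with WP-CLI from the site root:
 *     wp eval-file audit-elevated-users.php
 *
 * Hypothetical script (not from the article or any plugin). Lists every account
 * holding an elevated role, flags logins that are not on the approved list and,
 * when $demote is true, moves the unapproved ones to Subscriber for follow-up.
 */

// Assumptions: which roles count as elevated, and which logins are known to need them.
$elevated_roles  = array( 'administrator', 'editor', 'shop_manager' );
$approved_logins = array( 'site-owner', 'agency-lead' );   // keep the master copy off the site
$demote          = false;                                   // set to true for an enforcing run

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this through WP-CLI: wp eval-file audit-elevated-users.php\n" );
}

$users = get_users( array(
    'role__in' => $elevated_roles,
    'orderby'  => 'registered',
    'order'    => 'ASC',
) );

$unapproved = array();
foreach ( $users as $user ) {
    // Most recent content touched by this account, any post type. An elevated
    // account that has never created anything is exactly the kind worth questioning.
    $last_ids = get_posts( array(
        'author'         => $user->ID,
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => 1,
        'orderby'        => 'modified',
        'order'          => 'DESC',
        'fields'         => 'ids',
    ) );
    $last_activity = $last_ids ? get_post_field( 'post_modified', $last_ids[0] ) : 'no content';
    $approved      = in_array( $user->user_login, $approved_logins, true );

    WP_CLI::log( sprintf( '%-5s %-20s %-15s registered %s  last content %s',
        $approved ? 'ok' : 'CHECK',
        $user->user_login,
        implode( ',', $user->roles ),
        substr( $user->user_registered, 0, 10 ),
        $last_activity
    ) );
    if ( ! $approved ) {
        $unapproved[] = $user;
    }
}

if ( ! $unapproved ) {
    WP_CLI::success( 'All elevated accounts are on the approved list.' );
} else {
    // Never demote the last Administrator: a site with none cannot be administered from wp-admin.
    $admin_ids = get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) );

    foreach ( $unapproved as $user ) {
        $is_admin = in_array( 'administrator', $user->roles, true );
        if ( $is_admin && count( $admin_ids ) <= 1 ) {
            WP_CLI::warning( "{$user->user_login} is the only Administrator; not demoting." );
            continue;
        }
        if ( ! $demote ) {
            WP_CLI::warning( "{$user->user_login} is not on the approved list; set \$demote = true to move it to Subscriber." );
            continue;
        }
        $user->set_role( 'subscriber' );   // set_role() replaces every role, so no elevated capability survives
        if ( $is_admin ) {
            $admin_ids = array_diff( $admin_ids, array( $user->ID ) );
        }
        WP_CLI::log( "Demoted {$user->user_login} to Subscriber; confirm with the owner before deleting." );
    }
}
```

Run it read-only first and diff the output against the previous quarter; the CHECK lines are the accounts to chase. Demotion rather than deletion keeps the account's content attributed, and the last-Administrator guard prevents the script from locking you out of your own site.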

Custom roles for agencies and clients

The Members plugin (free, originally written by Justin Tadlock) and User Role Editor both allow creating custom roles with specific capability sets. This is particularly useful in agency contexts where a client needs to:

  • Update specific pages (e.g., their About and Contact pages) but not create new pages or modify navigation
  • Upload images to the media library but not install plugins or change settings
  • View WooCommerce orders and fulfil them but not modify products or pricing
  • Add blog posts in draft form for the agency to review before publishing

A common agency pattern is a "Site Manager" custom role with read, upload_files, and the page-editing capabilities (edit_pages, edit_others_pages, edit_published_pages, publish_pages; all four are needed to save changes to a page somebody else published), but without install_plugins, activate_plugins, edit_theme_options, edit_users, or manage_options. Do not be tempted to add manage_options "for a few plugin settings": it is a single all-or-nothing capability that opens the whole Settings menu, including "Anyone can register" and "New User Default Role", which together are a route to a self-created Administrator account. If a plugin registers its own capability for its settings screen (WooCommerce's manage_woocommerce, for example), grant that instead. Note also that capabilities alone cannot say "these two pages but no new ones"; that needs a map_meta_cap filter. Done this way, the client gets enough access to manage day-to-day content without the ability to accidentally (or intentionally) break things.
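Below is that Site Manager role implemented in code rather than through a role-editor plugin, added here as an example (it is not the article's code and not the Members or User Role Editor plugins' code). It is written as a must-use plugin so it survives theme switches. The role slug and the page IDs 12 and 15 (standing in for About and Contact) are assumptions; everything else is core WordPress API. The map_meta_cap filter is what narrows editing to the allow-list, and because the block editor saves through the REST API, which checks edit_post per page ID, the restriction holds there too.

```php
<?php
/**
 * Plugin Name: Site Manager role (example)
 * Description: Hypothetical mu-plugin. A client role that can edit an allow-list of
 *              existing pages and upload media, but cannot create pages or reach
 *              settings, menus, themes, plugins or other users' accounts.
 *              Install by copying to wp-content/mu-plugins/.
 */

const SITE_MANAGER_ROLE         = 'site_manager';   // assumption: role slug
const SITE_MANAGER_EDITABLE_IDS = array( 12, 15 );  // assumption: the About and Contact page IDs

// Register the role once. Roles are persisted in wp_options, so re-adding on every
// request is unnecessary, and add_role() returns null without changes if the slug exists.
add_action( 'init', function () {
    if ( get_role( SITE_MANAGER_ROLE ) ) {
        return;
    }
    add_role( SITE_MANAGER_ROLE, 'Site Manager', array(
        'read'                 => true,
        'upload_files'         => true,   // add images to the media library
        'edit_pages'           => true,   // open the page editor at all
        'edit_others_pages'    => true,   // the pages were created by the agency account
        'edit_published_pages' => true,   // the pages are live
        'publish_pages'        => true,   // keep a live page published after saving
        // Deliberately absent: manage_options, edit_theme_options, install_plugins,
        // activate_plugins, edit_users, delete_pages, unfiltered_html, edit_posts.
    ) );
} );

/** True for a user whose only elevated role is Site Manager; an Administrator is never restricted. */
function site_manager_is_restricted( $user_id = 0 ) {
    $user = $user_id ? get_userdata( $user_id ) : wp_get_current_user();
    if ( ! $user ) {
        return false;
    }
    $roles = (array) $user->roles;
    return in_array( SITE_MANAGER_ROLE, $roles, true ) && ! in_array( 'administrator', $roles, true );
}

// Narrow page editing to the allow-list. map_meta_cap runs for every
// current_user_can( 'edit_post', $id ) call: post.php, the Pages list, and the REST API.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_post', 'edit_page' ), true ) || ! site_manager_is_restricted( $user_id ) ) {
        return $caps;
    }
    $page_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( 'page' === get_post_type( $page_id ) && ! in_array( $page_id, SITE_MANAGER_EDITABLE_IDS, true ) ) {
        return array( 'do_not_allow' );   // a capability no user ever holds, so the check fails cleanly
    }
    return $caps;
}, 10, 4 );

// Block the "Add New Page" screen outright. Even without this, the auto-draft it
// creates is not on the allow-list, so the editor could not save it; this just
// gives the client a clear message instead of a failing save.
add_action( 'load-post-new.php', function () {
    $post_type = isset( $_GET['post_type'] ) ? sanitize_key( $_GET['post_type'] ) : 'post';
    if ( 'page' === $post_type && site_manager_is_restricted() ) {
        wp_die( 'This account can update existing pages but cannot create new ones.', 403 );
    }
} );
```

The filter denies rather than grants: it only ever turns an allowed check into do_not_allow, so a bug in it cannot widen access. Posts are untouched because the role has no edit_posts, which WordPress already maps to a failed check. If the client later needs another page, add its ID to the constant rather than handing out edit_others_pages on a broader role.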

The wp-admin visibility problem

Every user with a WordPress account, including Subscribers, can open the wp-admin URL and see the admin dashboard, even if most menu items are hidden. Some plugins add capabilities to the Subscriber role, exposing more of the dashboard. If you run an open-registration membership site and want to keep Subscribers out of wp-admin entirely, add the following to your theme's functions.php (or, better, a must-use plugin in wp-content/mu-plugins/, so the rule survives a theme change):

add_action( 'admin_init', function() {
    // Contributors and above have edit_posts; everyone else is sent to the homepage.
    // wp_doing_ajax() keeps admin-ajax.php working for logged-in front-end requests.
    if ( ! current_user_can( 'edit_posts' ) && ! wp_doing_ajax() ) {
        wp_safe_redirect( home_url( '/' ) );   // wp_safe_redirect() refuses off-site targets
        exit;
    }
} );

This redirects users who cannot edit posts (Subscribers) away from wp-admin to the homepage. It does not affect Administrators, Editors, Authors, or Contributors, all of whom hold edit_posts. It also does not touch the WordPress toolbar on the front end: Subscribers will still see it, because "Show Toolbar when viewing site" is a per-user preference on each user's profile, not a site-wide setting, so hiding it for a whole class of users takes the show_admin_bar filter. Two further caveats: profile.php lives under wp-admin, so this snippet also stops Subscribers changing their own password unless the site has a front-end profile form; and admin-post.php, which plugins use for logged-in form handlers, also fires admin_init and is not exempted above.
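The version below closes those gaps, as an added example rather than the article's own snippet: it exempts admin-ajax.php and admin-post.php, leaves profile.php reachable so a Subscriber can still rotate their password, and hides the front-end toolbar for the same users through the show_admin_bar filter. It is written as a must-use plugin; the function name is a hypothetical one chosen for this example.

```php
<?php
/**
 * Plugin Name: Keep low-privilege users out of wp-admin (example)
 * Description: Hypothetical mu-plugin. Redirects logged-in users who cannot edit
 *              posts away from wp-admin, keeps the AJAX and admin-post endpoints and
 *              the profile screen working, and hides the front-end toolbar for them.
 *              Install by copying to wp-content/mu-plugins/.
 */

/** Contributor and above hold edit_posts; any other logged-in user is "low privilege". */
function hb_is_low_privilege_user() {
    return is_user_logged_in() && ! current_user_can( 'edit_posts' );
}

add_action( 'admin_init', function () {
    if ( ! hb_is_low_privilege_user() ) {
        return;
    }
    // admin_init also fires for admin-ajax.php and admin-post.php, which plugins use
    // for logged-in front-end requests (carts, forms, likes). Redirecting those breaks them.
    if ( wp_doing_ajax() || 'admin-post.php' === $GLOBALS['pagenow'] ) {
        return;
    }
    // Assumption: no front-end profile form exists, so the core profile screen stays
    // reachable for password changes. Remove this exemption if the site provides one.
    if ( 'profile.php' === $GLOBALS['pagenow'] ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );   // same-host redirect only; never an open redirect
    exit;
} );

// "Show Toolbar when viewing site" is stored per user, so a filter is the only
// reliable way to hide the toolbar for a whole class of accounts.
add_filter( 'show_admin_bar', function ( $show ) {
    return hb_is_low_privilege_user() ? false : $show;
} );
```

Because the gate is a capability check and not a role name, a Customer account created by WooCommerce, or a custom membership role, is treated exactly like a Subscriber without listing each role by hand. If a plugin later grants edit_posts to such a role, that is a change the capability audit further down this page is meant to catch.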

WooCommerce and plugin-specific roles

WooCommerce adds two additional roles: Shop Manager and Customer. Shop Manager is not "Administrator scoped to WooCommerce" so much as Editor plus commerce: it carries the Editor role's content capabilities (all posts and pages, comments, media) together with the WooCommerce capabilities for orders, products, coupons, reports and WooCommerce's own settings, and it can list and edit user accounts, which WooCommerce restricts to accounts holding the Customer role. It cannot reach WordPress core settings, themes or plugin installation. Customer is essentially a Subscriber with WooCommerce account data attached (order history, saved addresses).

Other plugins add their own roles or capabilities. SEO plugins may add an SEO Manager role. Membership plugins add Member roles. Review each new plugin's role additions to confirm they're appropriate and don't grant more access than needed. User Role Editor shows all registered capabilities from all plugins in one view, which is useful for auditing what's been added to your site's permission structure.
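The same review can be done from the command line without installing a role-editor plugin. The script below is added as an example (not the article's, WooCommerce's or User Role Editor's code): it walks every registered role, notes which ones are not WordPress defaults, flags capabilities that amount to code execution or account control on roles that should not hold them, and also catches capabilities attached directly to a user with WP_User::add_cap(), which never appear in a role listing. The dangerous-capability list and the per-role baseline are assumptions for a stock single-site install.

```php
<?php
/**
 * Role and capability audit. Run with WP-CLI from the site root:
 *     wp eval-file audit-roles.php
 *
 * Hypothetical script (not from the article or any plugin). Reports roles added by
 * plugins or custom code, dangerous capabilities that stray beyond the stock baseline,
 * and capabilities granted to individual users outside any role.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this through WP-CLI: wp eval-file audit-roles.php\n" );
}

// Capabilities that reach beyond content: install or edit PHP, control accounts,
// change global settings, or publish unfiltered markup. (Assumed list.)
$dangerous_caps = array(
    'manage_options', 'edit_users', 'promote_users', 'create_users', 'delete_users',
    'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes', 'edit_files',
    'unfiltered_html', 'unfiltered_upload', 'import',
);

// What a stock single-site install grants from that list: Administrator holds all of
// them, Editor holds unfiltered_html, the other core roles hold none. (Assumed baseline.)
$baseline = array(
    'administrator' => $dangerous_caps,
    'editor'        => array( 'unfiltered_html' ),
    'author'        => array(),
    'contributor'   => array(),
    'subscriber'    => array(),
);

$findings = 0;
$roles    = wp_roles()->roles;   // slug => array( 'name' => ..., 'capabilities' => array( cap => bool ) )

foreach ( $roles as $slug => $role ) {
    $granted  = array_keys( array_filter( $role['capabilities'] ) );   // only caps explicitly set to true
    $is_core  = array_key_exists( $slug, $baseline );
    $expected = $is_core ? $baseline[ $slug ] : array();              // plugin roles: anything dangerous is news

    WP_CLI::log( sprintf( '%-16s %-20s %3d capabilities%s',
        $slug, $role['name'], count( $granted ),
        $is_core ? '' : '  (not a WordPress default role)'
    ) );

    $unexpected = array_diff( array_intersect( $granted, $dangerous_caps ), $expected );
    foreach ( $unexpected as $cap ) {
        WP_CLI::warning( "  role {$slug} grants {$cap}" );
        $findings++;
    }
}

// A capability can also be attached to one user (WP_User::add_cap()). It is stored in
// the wp_capabilities user meta beside the role names, so $user->caps holds both;
// anything there that is not a role slug is a direct grant.
foreach ( get_users() as $user ) {
    $direct = array_diff( array_keys( array_filter( $user->caps ) ), array_keys( $roles ) );
    foreach ( array_intersect( $direct, $dangerous_caps ) as $cap ) {
        WP_CLI::warning( "  user {$user->user_login} holds {$cap} directly, outside any role" );
        $findings++;
    }
}

WP_CLI::log( $findings ? "{$findings} finding(s) to review." : 'No unexpected capabilities found.' );
```

Run it after every plugin install or update and keep the output with the quarterly user audit. A Subscriber or Customer role that suddenly shows manage_options or edit_users is a plugin being careless with its activation routine, and a direct grant on a user account with no matching role is either a leftover from an old plugin or something an attacker planted to survive a role reset.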

Require 2FA for elevated roles

At minimum, require two-factor authentication for all Administrator accounts. If you have multiple Editors with access to all content, extend 2FA to that role as well. With the WP 2FA plugin this is configured under WP 2FA > Policies, where you can require 2FA for specific roles and give existing users a grace period to set it up; other 2FA plugins offer equivalent per-role enforcement. A compromised Editor account is significantly less dangerous than a compromised Administrator, but it still allows content modification on every page and, because Editors hold unfiltered_html, script injection and SEO spam. 2FA for both roles is a low-effort, high-value protection.

Access control starts with the right hosting foundation

HostBible keeps hosting account access completely separate from WordPress user access. Your site credentials and hosting credentials should never overlap, and HostBible's control panel enforces that separation by design.
