WordPress comes with a built-in “Hierarchy of Power.” Understanding these roles ensures your site remains secure and your settings remain untouched.
The 5 Standard Roles (From Most to Least Power)
| Role | What they can do | Best for… |
| --- | --- | --- |
| Administrator | Everything. They can change themes, delete plugins, and even delete the site. | Only you (the owner). |
| Editor | Can publish and manage posts/pages, including those written by other users. | Your Content Manager. |
| Author | Can write, upload images, and publish their own posts only. | Trusted staff writers. |
| Contributor | Can write and edit their own posts, but cannot publish them. | Guest bloggers. |
| Subscriber | Can only manage their own profile. | Your readers/customers. |
1. Why the “Contributor” Role is your Best Friend
If you have a guest writer, never make them an Author. If you make them a Contributor:
- They can write their post.
- They cannot upload files (unless you grant that capability to the role).
- They cannot hit “Publish.” They must click “Submit for Review,” allowing you to check the content before it goes live.
2. How to Change a User’s Role
If you’ve already added someone and realize they have too much power:
- Go to Users > All Users.
- Check the box next to the user’s name.
- Use the Change role to… dropdown menu at the top.
- Click Change.
3. Creating Custom Roles
Sometimes the default roles don’t fit. For example, you might want an “SEO Manager” who can only edit meta tags but can’t change your theme.
- Plugin Recommendation: User Role Editor.
- How it works: It gives you a checklist of every single “Capability” in WordPress. You can check or uncheck boxes to create a perfect, custom-tailored role.
4. Security Tip: The “Shadow” Admin
If you hire a developer for a one-time fix, don’t leave their Administrator account active forever.
- Action: Once the work is done, delete the account. WordPress will ask if you want to attribute their content to another user (like yourself)—always say Yes so you don’t lose any work they did!
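
The audit behind this tip, as an added example that is not part of the original article: it lists Administrator accounts that are not on an approved list and prints the delete-and-reassign command for each one. It assumes WP-CLI is installed (the article does not mention it); the user IDs, logins and dates are constructed sample data.

```sh
#!/bin/sh
# Added example: flag Administrator accounts that are not on an approved list.
# Input is the CSV printed by WP-CLI (assumed installed, not covered above):
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# IDs, logins and dates below are constructed sample data.

# Space-separated user IDs that are supposed to be Administrators.
APPROVED_ADMIN_IDS="${APPROVED_ADMIN_IDS:-1}"

# Reads the CSV on stdin; prints "ID,login,registered" for every admin
# whose ID is not on the approved list.
find_shadow_admins() {
  awk -F',' -v approved="$APPROVED_ADMIN_IDS" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }            # skip the CSV header row
    { gsub(/"/, "") }           # fields containing spaces may arrive quoted
    NF < 3 { next }             # ignore blank or malformed rows
    !($1 in ok) { print $1 "," $2 "," $3 }
  '
}

# Constructed sample of the wp command output.
sample_admin_csv() {
  cat <<'EOF'
ID,user_login,user_registered
1,owner,"2021-03-02 10:15:00"
7,dev-contractor,"2024-01-18 09:00:00"
12,old-agency,"2022-07-30 14:42:00"
EOF
}

# Prints (does not run) the delete command for each finding. $1 is the ID of
# the user who inherits the content, matching the "attribute content" prompt.
suggest_cleanup() {
  keep_id="$1"
  while IFS=',' read -r id login registered; do
    echo "# $login (ID $id), registered $registered"
    echo "wp user delete $id --reassign=$keep_id"
  done
}

sample_admin_csv | find_shadow_admins | suggest_cleanup 1
```

To audit a live site, pipe the `wp user list` command from the header comment into `find_shadow_admins` in place of `sample_admin_csv`.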


