Setting up custom WordPress user roles (+ access restrictions)
Want to know how to add and edit WordPress user roles? Keep reading to discover how to use a WordPress user role editor and restrict access to different parts of your website based on user role.
Your WordPress site’s security isn’t just about firewalls and strong passwords - it also depends on how you manage user access. By default, WordPress provides several user roles, each with its own set of permissions. However, these roles might not fit your specific needs, leaving gaps in security and access control.
Without the right user role setup, you risk unauthorized changes, accidental content deletions, or even security breaches. Whether you’re running a membership site, an online store, or a private blog, editing WordPress user roles ensures that the right people have the right level of access - no more, no less.
In this guide, you'll learn:
- How to choose the right WordPress user roles.
- The security implications of each role and how to protect your site.
- How to safely add new users and update existing ones.
- The best methods for creating custom user roles with plugins or code.
- How to control content access and restrict sections of your site.
By the end, you’ll have a secure, well-structured user role system that keeps your site running smoothly while protecting sensitive areas from unauthorized access. Let’s get started!
Set up WordPress user roles
By default, WordPress comes with five user roles:
- Subscriber
- Contributor
- Author
- Editor
- Administrator

User roles in WordPress are designed to give site owners the ability to control what users can and cannot do within their website. They let the site owner manage the user’s access to different tasks including writing and editing posts, creating pages, creating categories, moderating comments, adding widgets, managing plugins, managing themes, and managing other users.
By allocating specific user roles, you can control the areas of the site that you want to give a person access to.
- For instance, if you just need someone to help you publish new posts, they don't need a user role higher than the Author.
- Or, if you want someone to help with drafting new content, but not allow the option to publish, then the Contributor role is perfect.
I could go on with these examples, but you probably get the idea by now. By assigning roles in WordPress you can have multiple people working on the same site handling different tasks and responsibilities. Let’s quickly take a look at each user role available in WordPress itself. After that, I'll tell you how to edit WordPress user roles, create additional user roles, and use them to control who can access the front end of your website.
Super Admin
- Best for: Network owners, IT administrators managing multiple sites.
In WordPress multisites, Super Admins have unrestricted access to create, modify, and delete sites within the network. They can also manage users, plugins, and themes across all sites.
- Use Case: Ideal for organizations running multiple websites that require centralized control over network-wide settings.
- Security Implications: Because they hold ultimate authority, limiting Super Admins to a select few trusted individuals is critical. Any compromise of a Super Admin account could result in total loss of control over all sites in the network.
Administrator
Administrator is the highest ranking user role on WordPress sites that are not multisites.
- Best for: Business owners, lead developers, or trusted managers of a single-site WordPress installation.
Admins have the ability to add, edit, and delete plugins, pages, posts, published posts, themes, categories, taxonomies, links, and tags. People with the Administrator user role can also moderate comments, export and import files, create and access private posts, and customize the layout of pages by adding blocks. In addition to this, they can view the entire admin menu from the WordPress back-end and edit other WordPress user roles.

- Use Case: Best for those responsible for site maintenance, such as configuring plugins, updating content, and troubleshooting.
- Security Implications: Since Admins have full access to the site, it’s recommended to have as few as possible. Grant Admin access only to individuals who absolutely need it to prevent accidental misconfigurations or security breaches.
People often refer to the Administrator role as 'Admin'. For example, you might say "A WordPress site should have as few admins as possible for security reasons".
Editor
- Best for: Content managers, marketing teams, or editorial staff.
The Editor user role in WordPress has access to posts, pages, and categories on a website only. They do not have control over plugins and themes, site settings, and users.

- Use Case: Suitable for teams managing blog posts, news updates, or other content-heavy websites.
- Security Implications: While Editors can’t alter site functionality, they can delete or modify any published content. Assign this role cautiously to prevent unauthorized changes to key site pages.
Author
- Best for: Freelance writers, guest bloggers, or contributors who publish content independently.
The WordPress Author user role has limited access on a website. This medium-risk user role grants users access to publish new posts. They can also edit and delete their own posts, but can't edit other people's content.

- Use Case: Perfect for regular blog contributors who don’t need access to other site areas.
- Security Implications: Since Authors can publish content without approval, ensure that only trusted users receive this role to avoid publishing errors or inappropriate content.
Contributor
- Best for: Guest writers, junior content creators, or interns.
The Contributor user role on a WordPress website can add new posts and edit their own posts. However, their posts must be approved by a user with a more senior role in order to get published on the front-end. For this reason, they see very few menu items after logging in:

- Use Case: Ideal for teams that require content review before publication, such as news sites or corporate blogs.
- Security Implications: Since Contributors can’t publish content, this role minimizes the risk of unauthorized or low-quality posts going live. However, they can still access and modify draft content, so supervision is necessary.
Subscriber
- Best for: Registered users on membership sites, forums, or e-commerce stores.
Subscriber user roles have the lowest form of control. That's because they can only log in to the WordPress site, update their user profiles, and change their passwords. They have no access to edit actual website content.

- Use Case: Useful for websites requiring user registration, such as e-commerce platforms, discussion forums, or private content access.
- Security Implications: Since Subscribers have no access to website settings or content, they pose minimal security risks. However, spam registrations should be controlled using CAPTCHA or other verification methods.
Choose the right role
When you need to let people edit a WordPress website, don't just give them the Administrator role. That's a bad idea because:
- Administrators can make absolutely any change to your website, so there's a higher chance of user error. This could have serious consequences if you give an inexperienced team member full Administrator access.
- Due to their higher privileges, it's far more serious if an Administrator's account gets hacked. If an attacker gains Admin-level access to the WordPress Dashboard then very bad things can happen. In contrast, if a lower level user account is hacked then there's a lower potential for damage.
Because of this, you should always give people the lowest role that would enable them to do the work they need to do. If they need full access to edit the content on your site, then give them an Editor account rather than Administrator. If you'll be checking their work prior to publication then they only need Contributor.
For quick reference, here's a useful decision flowchart for role selection:

Add new users safely
Managing user roles correctly is crucial for maintaining control over your WordPress site. Assigning the right roles prevents unauthorized access and reduces security risks. Here’s how to edit WordPress user roles and update user data safely.
How to change a user’s role in WordPress
Changing a user’s role is simple and allows you to adjust access permissions as needed:
- Go to the Users tab in the WordPress admin panel.
- Select the user(s) whose role you want to change.
- Use the Change role to… dropdown menu to select a new user role.
- Click Change to apply the update.

Best Practice: Regularly review and audit user roles to ensure that only necessary permissions are granted. Remove outdated accounts or downgrade permissions when access is no longer needed.
Warning! Avoid granting Administrator access to users who don’t need it. This significantly reduces the risk of accidental changes or security breaches.
You can also change a user’s role from their profile page:
- Navigate to Users → All Users and click on a user’s name.
- Scroll down to the Role section, select a new role, and click Update User to save changes.
How to edit user data in WordPress
WordPress allows you to edit and manage user details, including profile information, passwords, and customer data:
- Navigate to Users → All Users in WordPress.
- Click on the Edit button to navigate to the Edit User page.
- Modify the fields here as needed: general information about the user, their contact information, a new password or a password reset link, and the customer's billing address and details.
- Once you are done making changes, click on the Update User button at the bottom.

Best Practice: Enforce strong passwords and enable two-factor authentication (2FA) for high-level roles like Administrators and Editors. Never use generic usernames like "admin" for high-privilege accounts, as they are common targets for hackers. Encourage unique usernames and strong authentication measures.
By following these steps and best practices, you can manage user access efficiently while keeping your WordPress site secure.
Secure your user roles
Managing user roles is not just about assigning permissions - it’s also about protecting those roles from unauthorized access. Administrator accounts, in particular, require strong security measures since they have full control over your site.
You can do this by ensuring that all your user accounts are secure, and by controlling which parts of your site each user role can access. I'll tell you how to do both these things.
Best practices:
- Keep the number of Administrator accounts to a minimum.
- Avoid using common usernames like "admin" that are easy targets for hackers.
- Restrict access to the WordPress admin panel by limiting login attempts or using IP-based access controls.
A well-managed admin role structure reduces the chances of unauthorized changes or malicious attacks.
Enable multi-factor authentication (MFA)
Adding multi-factor authentication (MFA) to your login process significantly strengthens security. Even if a password is compromised, MFA prevents unauthorized access by requiring a second verification step, such as a code from a mobile app or email.
How to implement MFA:
- Use security plugins like Wordfence, Solid Security, or WP 2FA to enable MFA.
- Require MFA for all Administrators and Editors.
- Encourage other users to enable MFA for added protection.
Weak passwords remain a major vulnerability. Combining MFA with strong password policies ensures that even if one layer of security fails, there is another in place to protect the account.
Monitor admin access and user activity
Tracking user logins and role changes can help identify unauthorized access before it becomes a problem. Regular monitoring ensures that no unexpected role escalations or suspicious logins go unnoticed.
How to monitor access:
- Install security plugins like WP Activity Log or Sucuri Security to track logins and role changes.
- Set up alerts for failed login attempts or unexpected administrator account creation.
- Periodically review user roles to ensure no one has unnecessary privileges.
By actively monitoring user activity and securing administrator access, you can prevent unauthorized changes and keep your WordPress site protected.
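To show what "alerts for role escalations or unexpected administrator account creation" look like without a plugin, here is an added example (not code from the article or from any plugin it names): a tiny custom plugin that logs every role change and emails the site admin whenever an account gains the Administrator role. It uses the core `set_user_role` and `add_user_role` hooks; the plugin name and the `rca_` function names are assumptions.

```php
<?php
/**
 * Plugin Name: Role Change Alerts (added example)
 * Description: Logs role changes and emails the site admin on escalation to Administrator.
 *
 * Added example for the monitoring section above, not the article's own code.
 * Function names are assumptions; the hooks are WordPress core actions.
 */

// Fires whenever a user's role is replaced: the Users screen bulk dropdown, the
// profile page, WP-CLI, or code. Account creation also passes through here,
// because wp_insert_user() assigns the initial role with WP_User::set_role().
// $old_roles is the array of roles the user held before the change (empty for a new account).
function rca_on_set_user_role( $user_id, $new_role, $old_roles ) {
    $user  = get_userdata( $user_id );
    $who   = $user ? $user->user_login : "user #{$user_id}";
    $actor = wp_get_current_user();
    $by    = $actor->exists() ? $actor->user_login : 'system/CLI';
    $old   = (array) $old_roles;

    // REMOTE_ADDR is the last network hop; behind a reverse proxy it will be the proxy.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';

    $message = sprintf(
        'Role change: %s [%s] -> [%s] by %s from %s',
        $who,
        $old ? implode( ',', $old ) : 'none',
        $new_role,
        $by,
        $ip
    );

    // Every change goes to the PHP/WordPress debug log for later review.
    error_log( $message );

    // Gaining Administrator is the event worth an immediate alert.
    if ( 'administrator' === $new_role && ! in_array( 'administrator', $old, true ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[WP] Administrator role granted',
            $message
        );
    }
}
add_action( 'set_user_role', 'rca_on_set_user_role', 10, 3 );

// WP_User::add_role() appends a role without replacing the existing ones and
// fires a different hook, so an added Administrator role must be caught here too.
function rca_on_add_user_role( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        rca_on_set_user_role( $user_id, $role, array() );
    }
}
add_action( 'add_user_role', 'rca_on_add_user_role', 10, 2 );
```

Because the log line is written on every change, it also gives you the periodic review data the section recommends: grep the debug log for "Role change:" and compare against the approved list of Administrators.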
Control content access
The User Role Editor plugin offers a robust solution for editing user roles in WordPress. However, it does not let you control which part of your website is available to each user on the front-end.
For example, while User Role Editor lets you create a "VIP Members" role, you can't use it to restrict which parts of your membership site they can access. That's because the permissions that you can edit with User Role Editor only control access to the WordPress back end.
To get this extra functionality, I recommend using User Role Editor with the Password Protected Categories plugin. This lets you choose which parts of the front end of your WordPress site each user role can access. It lets you create hidden areas within a WordPress site or blog which only specific user roles can access. This is the easiest way to create custom user roles in WordPress and control access to your website front end.
It works by giving user role access to the categories and taxonomies on your site. This includes the categories for pages, posts, and any custom post type. For instance:
- You can hide access to blog categories that contain premium content meant exclusively for Subscribers. This way, only people with the Subscribers user role will be able to access the exclusive blog posts on your website.
- It's possible to create a hidden members-only area that only users with the VIP Member role can access.
- If you're using a WordPress events plugin to let employees book training courses, you can restrict your event categories to your custom 'Employee' role.
Any type of content in WordPress can be structured into categories. This makes Password Protected Categories the perfect solution to edit user role access to each part of your site.
For even more fine-grained control, Password Protected Categories also offers a 'User' feature. This lets you select individual user accounts to give access to, in addition to whole user roles.
Setup instructions
- Start off by installing and activating the Password Protected Categories plugin on your WordPress website.
- Next, go to the section of the WordPress admin where you add and edit categories for the type of content you want to restrict. For example, if you're giving user role access to a blog category then you'd go to Posts → Categories. (Tip: If you need to restrict access to pages by user role, then you need to set up the ability to create page categories using the free Add Category to Pages or Category Tag Pages plugin.)
- When editing or creating the category, find the 'Visibility' section on the left. This is where you control access based on user role.
- Next, select each user role you want to grant access to:

- When you're done, click on the Add New Category button.
- Next, it's time to add all your exclusive content to the private category.
Now when people log into an account which has one of the user roles you selected in step 4, they will be able to see the hidden content. Make sure it's easy for them to access by adding a link to the category to your navigation menu. Only logged in users with the correct roles will see these menu links.
If you don't already have a front end login form then I recommend adding one with the free Theme My Login plugin. This makes it easier for your custom or edited roles to log into their account without having to visit the WordPress dashboard. You can also use Theme My Login to redirect each user role to a different page when they login:

Set up custom WordPress user roles
Above, I explained what are the default user roles in WordPress and when to use each one. But what happens if none of the default roles meet your needs?
Fortunately, it's possible to create and edit WordPress user roles. You can either create brand new roles with the exact permissions you need, or edit user roles to change the privileges. I'll tell you how to do that next.
First, we'll look at how to use the free User Role Editor plugin to create and edit WordPress user roles. You can use this plugin to edit roles and choose what level of access they have to edit the WordPress back end. However, this won't let you control which parts of the website each role can access on the WordPress front end - we'll do that with the Password Protected Categories plugin later in this tutorial.
How to edit the privileges for a WordPress user role
- Install the User Role Editor plugin on your WordPress site.
- Navigate to Settings → User Role Editor.

- Make sure the Edit user capabilities checkbox is selected and click on the Save button.

- Now navigate to Users → User Role Editor and select the user role you want to change the privileges for.
- Select the privileges you want to enable or disable for the selected role. Tick the "Show capabilities in human readable form" option to make the meaning of each permission easier to understand.
- Click on the Update button to save changes.
You can also delete user roles if you’d like.
How to create new user roles in WordPress
Sometimes, it's better to create a brand new WordPress user role instead of editing an existing role. For example, imagine that you want to create a 'VIP Member' role for people who have special access to parts of your website. It makes sense to create a dedicated role instead of editing one of the default roles in WordPress.
- Install the User Role Editor plugin on your WordPress site.
- Start by navigating to Users → User Role Editor and click on the Add Role button.

- Give your new user role a unique name and select an existing user role to duplicate. It's easiest to clone an existing user role that has similar privileges to those you want to grant to the new role. You can later make changes to the new role's permissions as needed.

- Once you’ve finished editing the privileges of your new user role, click on the Update button to save changes.
- Now you can select the new role when adding new users. Alternatively, you can use the instructions above to move existing users to this role.
Creating custom user roles with code
If you prefer not to use a plugin, you can create a new user role in WordPress using a few lines of code. This method gives you more control over permissions while keeping your site lightweight by reducing plugin dependency.
To add a custom user role, insert the following code into your theme's functions.php file or a custom plugin:
This code creates a new role called "VIP Member" with limited capabilities, allowing users to log in and upload files but not edit or delete posts.
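The article's snippet itself is not reproduced on this page, so here is an added example (not the author's code) that implements exactly the role described: slug 'vip_member', display name "VIP Member", the `read` and `upload_files` capabilities granted, and post editing and deletion explicitly denied. It is written as a small custom plugin rather than a functions.php addition; the plugin name and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: VIP Member Role (added example)
 * Description: Registers the "VIP Member" role described in the tutorial.
 *
 * Added example, not the article's own code. The role slug and capability set
 * follow the text above; the plugin and function names are assumptions.
 */

// Roles are persisted in the database, so register the role once on activation
// instead of calling add_role() on every page load.
function vip_member_role_activate() {
    // add_role() returns null and changes nothing if the role already exists,
    // so re-activating the plugin is harmless.
    add_role(
        'vip_member',
        'VIP Member',
        array(
            'read'         => true,  // log in and see their own profile/dashboard
            'upload_files' => true,  // use the media library
            'edit_posts'   => false, // explicitly denied: cannot edit content
            'delete_posts' => false, // explicitly denied: cannot delete content
        )
    );
}
register_activation_hook( __FILE__, 'vip_member_role_activate' );

// Remove the role on deactivation so an unused role does not linger.
// Users still assigned to it are left with no role, so reassign them first.
function vip_member_role_deactivate() {
    remove_role( 'vip_member' );
}
register_deactivation_hook( __FILE__, 'vip_member_role_deactivate' );

// Self-check for the "test thoroughly" step: true only if the role exists and
// carries exactly the intended allow/deny decisions.
function vip_member_role_is_correct() {
    $role = get_role( 'vip_member' );
    if ( ! $role ) {
        return false;
    }
    return $role->has_cap( 'read' )
        && $role->has_cap( 'upload_files' )
        && ! $role->has_cap( 'edit_posts' )
        && ! $role->has_cap( 'delete_posts' );
}
```

Assign a test account to the role and confirm it can reach the Media screen but not Posts; `vip_member_role_is_correct()` can be called from a WP-CLI `wp eval` session or a temporary admin page to verify the stored capabilities.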
Best practices for custom roles in code
- Define precise capabilities: Only grant the permissions necessary for the role's intended function. Avoid giving broad privileges unless required.
- Use a custom plugin: Instead of adding roles in functions.php, consider creating a simple custom plugin to manage roles. This prevents losing roles if you change themes.
- Remove unused roles: If a custom role is no longer needed, remove it with remove_role('vip_member'); to keep your site clean and secure.
- Test thoroughly: After adding a new role, create a test user and verify that they have the expected access and restrictions.
By using this approach, you can create and manage custom user roles programmatically while maintaining security and efficiency.
Get started with Password Protected Categories
In this tutorial, you've learned how to:
- Work with the built-in WordPress user roles.
- Use the User Role Editor plugin to add and edit user roles.
- Control which user roles can access different parts of your website using the Password Protected Categories plugin.
Using a WordPress role editor plugin like this is a great way to make your website more private. It also lets you create exclusive content and grant access to specific user roles only. This is great for running and managing a membership site.
Password Protected Categories offers a robust solution for restricting access to parts of a WordPress site based on user role. It makes it incredibly easy to edit WordPress user role access to each part of your site 💪
2 Comments
Would like to be able to use this same sort of technique to secure individual files in the 'uploads' folder. Things like PDF documents and images that are not tied to one specific page.
Hi, Dwight. You can use the Prevent Direct Access (PDA) Gold plugin to protect the downloadable files themselves. We have provided a tutorial about how to use it with Protected Categories.