Join Jeff Starr for an in-depth discussion in this video, Understand users and roles, part of WordPress: Developing Secure Sites.
- [Instructor] In this video, we'll explore how WordPress uses roles and capabilities to handle its registered users. A good understanding of this helps you keep your users where they're supposed to be and away from things they shouldn't be messing with. Here we are at the WordPress Users page, where we see our registered users: myself and five others. WordPress gives us an overview of their names, e-mails, and roles. To better understand what we're looking at here, let's check out a visual showing the default roles used by WordPress.
By default, WordPress provides the following roles: Administrators, Editors, Authors, Contributors, and Subscribers. Each of these roles is granted a default set of privileges called capabilities. If needed, a role's capabilities may be changed via plugin or theme. As expected, the user who installs WordPress is an administrator, and administrators can do it all. They can install plugins and themes, create and manage users, import and export content, and manage settings.
Plus, administrators can do everything that other roles can do. Next, there is the Editor role, which includes capabilities such as publishing and editing posts, moderating comments, managing categories, and uploading files. Additionally, editors can do the same things that authors and contributors can do. Author capabilities include editing, publishing, and deleting posts, and uploading files. Authors can also do everything that contributors and subscribers can do. Contributor capabilities include editing and deleting posts, plus they can read, which is the only thing that subscribers can do.
Subscribers can read. Basically, subscribers are the same thing as visitors, only they are registered with your site. If WordPress Multisite is enabled, the regular admin role becomes Super Admin. Super Admin is granted additional capabilities for managing your network of sites. Super Admins can manage sites, users, themes, settings, and the entire network. Plus, Super Admins have all the same capabilities as regular administrators, so they're basically all-powerful when it comes to WordPress.
Before enabling Multisite to check out the Super Admin role, let's return to the Users page in regular non-Multisite WordPress. Here we see each user's role listed in the Role column. Notice that there are two administrators at this point, WordPress User and User 6. WordPress User was created during installation and User 6 was added after WordPress was installed. Once Multisite is enabled, both of these admins will become Super Admins. To see this, let's pause for a moment to enable WordPress Multisite.
Now, with Multisite enabled, we click the Network Admin link in the upper left corner, then go to the Users page. As seen here, when Multisite is enabled, the two administrators now have Super Admin capabilities. But let's say that we want User 6 to be a regular, non-super administrator. To do this, we click the username and uncheck the option to Grant this user Super Admin privileges. Then click Update User to make it so.
After saving our changes we can verify the role change by visiting the Users screen, and yes, we now have only one Super Admin user as seen here.
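The video notes that a role's default capabilities can be changed via a plugin or theme, and that admin actions should be kept away from roles that don't need them. The following is an added example, not code from the course or from WordPress itself: a hypothetical small plugin (the `rhe_` prefix and the custom capability `rhe_export_reports` are assumptions) that adjusts role capabilities once on activation, restores them on deactivation, and guards an admin action with a capability check rather than a role-name check. The WordPress functions used (`get_role`, `add_cap`, `remove_cap`, `current_user_can`, `check_admin_referer`, `is_multisite`, `is_super_admin`) are the real core APIs.

```php
<?php
/**
 * Plugin Name: Role Hardening Example (hypothetical, added example)
 * Description: Adjusts default role capabilities and guards an admin action.
 */

// Roles and capabilities are persisted in the database, so change them once
// on activation rather than on every page load.
function rhe_adjust_capabilities() {
    $editor = get_role( 'editor' );
    if ( $editor ) {
        // In single-site WordPress, editors have unfiltered_html, which lets
        // them post raw HTML/JavaScript. Least privilege: take it away unless
        // your editors genuinely need it.
        $editor->remove_cap( 'unfiltered_html' );
        // Grant the plugin's own (assumed) capability so the feature below is
        // controlled by a capability, not by a hard-coded role name.
        $editor->add_cap( 'rhe_export_reports' );
    }
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( 'rhe_export_reports' );
    }
}
register_activation_hook( __FILE__, 'rhe_adjust_capabilities' );

// Undo the changes so the site is not left with stray capabilities.
function rhe_restore_capabilities() {
    foreach ( array( 'editor', 'administrator' ) as $name ) {
        $role = get_role( $name );
        if ( $role ) {
            $role->remove_cap( 'rhe_export_reports' );
        }
    }
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->add_cap( 'unfiltered_html' ); // restore the WordPress default
    }
}
register_deactivation_hook( __FILE__, 'rhe_restore_capabilities' );

// Handle the (assumed) export form: CSRF nonce first, then the capability check.
function rhe_handle_export() {
    if ( ! isset( $_POST['rhe_export'] ) ) {
        return;
    }
    check_admin_referer( 'rhe_export_action' );
    if ( ! current_user_can( 'rhe_export_reports' ) ) {
        wp_die( 'You are not allowed to export reports.', '', array( 'response' => 403 ) );
    }
    // On Multisite, network-wide exports should be reserved for Super Admins.
    if ( is_multisite() && ! empty( $_POST['rhe_network_wide'] ) && ! is_super_admin() ) {
        wp_die( 'Network-wide export requires Super Admin.', '', array( 'response' => 403 ) );
    }
    // ... perform the export here ...
}
add_action( 'admin_init', 'rhe_handle_export' );
```

Checking `current_user_can()` against a specific capability keeps working when a site administrator later reassigns that capability to a different role, whereas checking a role name does not.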