Introduction to WordPress user roles and capabilities
WordPress defines what a user can and can’t do by using a system of roles and capabilities, but what does this actually mean? Below we’ll analyze roles and capabilities a bit and see how we can alter them with the use of a plugin.
Roles are essentially user groups, WordPress comes with six out of the box. These go from the most basic of subscriber all the way up to the most powerful one of Super Admin. Let’s learn a bit more about them.
- Subscriber: the most basic role a user can have. A subscriber can only read published posts and pages and modify their own profile.
- Contributor: a contributor can create new posts and modify their content, but can’t publish them.
- Author: an author can create, modify and publish their own posts.
- Editor: the editor can do anything an author can do and additionally has the capability of modifying, publishing and deleting other users’ posts.
- Administrator: along with all the above permissions and administrator can handle administrative tasks, such as installing plugins and themes, modifying site settings and more.
- Super Admin: the final user role can only be found on multisite installations and grants the user the ability to create and delete sites, install and activate themes and plugins network wide and more.
Capabilities are essentially permissions, each one grants the user a certain ability. For example
publish_posts allows a user to publish a post they have created, this capability is available to users with the role of author and upwards. As you might imagine the more capabilities a user has, the more powerful they become. A subscriber has a single capability, that of
read which means that the only thing they can visit in the WordPress dashboard is their own profile page under Users > Your Profile. At the moment of writing there are about 60 default capabilities which can be found here.
The default roles and their assigned capabilities will cover the needs of most websites out there. However in some cases they might not be perfect. For example, while contributors can create posts they can’t upload files of any kind, so they can’t add featured or inline images. Another thing that may cause trouble to multi author site owners is that the author role allows users to delete posts that have been already published, which is problematic because an author can create the post, get paid for it and then delete it after it’s published.
By default WordPress does not allow administrators to modify capabilities for user groups, making it hard to fine tune permissions to match their needs. This can be amended by writing some code to add or remove permissions from specific groups, or luckily, by using one of the many role manager plugins available in the plugin directory. Some of the most popular are User Role Editor, Members, Advanced Access Manager, WPFront User Role Editor, Capability Manager Enhanced and User Roles & Capabilities. Basic functionality on all plugins is the same, they will all allow you to modify the capabilities of existing user roles, create new user roles only with the capabilities you need and even create and assign new capabilities.
Creating roles and modifying capabilities
Most likely you are already familiar with WooCommerce, the most popular eCommerce plugin for WordPress. Once activated, WooCommerce introduces a new user role, that of Shop Manager which can be assigned to users that are in charge of maintaining your shop by adding new products, fixing errors, handling orders etc. However this role comes with all the capabilities of an editor, which is something that you might not like. Below we’re going to take a look at how we can create a new role by duplicating the Shop Manager one and then we will remove all capabilities related to the editor role. The plugin we’ll use is WPFront User Role Editor.
After you install and activate the plugin you can go to Roles > All Roles, you should see something like this.
You’ll notice that there are seven roles, the extra ones are Shop Manager and Customer which are added by WooCommerce. If we click on Shop Manager we’ll see what capabilities are assigned to that user role.
There are quite a lot as evident by the image above, luckily their names are pretty descriptive and you can get a pretty good idea of what each one does just by reading them. Now let’s see how the WordPress dashboard looks like for a user with the Shop Manager role.
The shop manager role provides the user with access to WooCommerce options, along with all other capabilities an editor has such as creating, editing and deleting posts, pages and attachments. Now let’s create our more restricted shop manager role. To do that let’s navigate to Roles > Add New. Give the role a name and from the drop down menu select Shop Manager and click Apply.
This will copy over all the capabilities from the Shop Manager role to the new Shop Director one. Now to remove unneeded capabilities. For this example I have unchecked all capabilities related to Posts, Pages, Comments and Links. This will prevent our shop director from modifying posts, pages and comments. This is what I’ve ended up with.
You can fine tune this to make it even more restrictive if you wish so. For example you can remove all capabilities related to orders so only you can manually approve them. Once you are satisfied with the capabilities assigned to your new role click the Add New Role button towards the end of the page to create it. In order to test it we need to assign that role to a user. To do that we need to navigate to Users > All Users. Locate the user you want to assign the role to and click the Assign Roles link.
In the next screen select the Shop Director role from the Primary Role drop down and click the Assign Role button.
That’s it, the role is assigned. Now we’ll login with that account and see if our changes have worked.
Success! As you can see the shop director now has access only to shop related functionality, such as creating and modifying products, handling orders and configuring WooCommerce itself. Post and pages are no longer available for modification which is what we were aiming for.
We hope that after reading this you have a better grasp of what roles & capabilities are on WordPress and how to adjust them to get the functionality you want. If you have any questions please let us know in the comments below.