“Unity is strength… when there is teamwork and collaboration, wonderful things can be achieved.”
-Mattie Stepanek

Much like Rome, great websites are not built in a day. Nor are they generally built by a single person, but by a team of contributors. These contributors will likely have very different roles to play on your website, possibly as blog authors, editors, commenters, subscribers, etc. As the owner or administrator of a website, it’s very important to manage how these various individuals contribute to your site. Thankfully, WordPress makes this a breeze with user roles and capabilities.

First off, a capability is simply an action that a user may take on a WordPress site. For example, “Edit post” is a capability that a user may or may not have. A role, then, is simply a set of capabilities that’s given a special name. The “Editor” role contains the “Edit post” capability, among many others, and so any user designated an Editor has the ability to edit posts.

By default¹, WordPress has six user roles: Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. These roles are listed in order of strictly descending privilege. That is, each role has fewer capabilities than the role before it, with Super Admin possessing all capabilities, and Subscriber possessing very few. Let’s dive into what these different roles can do:

Super Admin

The Super Admin role is the most privileged user role, but doesn’t tend to get used on most WordPress sites. In fact, the Super Admin role is almost identical to the Administrator role, but with a few added capabilities that allow for the management of a network of WordPress sites. This is a slightly advanced topic that we won’t cover here, but suffice it to say that most website owners won’t find themselves needing to use this role.

Administrator

Every capability that doesn’t involve WordPress networks is available to the Administrator role, which is used to manage the back-end of a site. Everything from installing plugins to editing, publishing, and deleting posts is available to an Administrator. As such, it usually makes sense to only have one admin user on your WordPress site, and to use this role solely for general administration and back-end work.

Editor

An Editor is capable of managing, editing, and publishing all posts on a WordPress site. As it’s name suggests, this role is great for individuals whose job description involves any copy editing, quality assurance, or revision responsibilities.

Author

This role allows an individual to publish and manage their own posts, but not those of other users. This is the perfect role for someone that you trust to proofread and subsequently publish content. If, however, you’d rather delegate the content approval and editing to someone with the Editor role, then you might instead choose…

Contributor

The Contributor differs from the Author in only one major respect: they cannot publish their own posts. Someone with Editor privileges or higher must publish their posts for them, and afterwards they cannot make revisions to the published post without having it converted back to a draft. This is a great role for someone who should be able to contribute to a site, but whose work might need to be checked and/or revised before it can be pushed live.

Subscriber

A Subscriber is only capable of reading content and managing their user profile. The major advantage of the Subscriber role is that it allows a website owner to build a membership base by restricting content to users who sign up. Having a membership base not only fosters a sense of community around your site, but also allows you to follow up with users through newsletters, email, and the like.

OK, but so what?

You might ask: “Is all of this user management really necessary? Can’t I just make everyone an admin?”

I might say, in reply: “Yes it is”, and, “That’s probably a bad idea”. Here’s why:

Efficiency
Giving people access to capabilities that they don’t need is a good way to make them less productive. Anyone that’s ever looked at the WordPress Dashboard on an Administrator account knows that it can get complicated; for your average blogger or part-time contributor, cluttering the screen with unnecessary menus can be downright confusing. Simplifying the interface by assigning people to the appropriate roles will help people do their jobs better and faster.

Fault-Tolerance
Anyone that works in a typical office building would say that letting the receptionist poke around in the boiler room is a recipe for disaster, even assuming they’re well-intentioned and competent. It’s really no different with websites: allowing writers and copy-editors access to site-critical files and technical resources is just tempting fate. Everyone makes mistakes, especially when they have to sift through a bunch of menus they don’t understand to access the tools they really need.

Security
Here’s the bottom line: failing to control what contributors can do to your site is, at best, an efficiency bottleneck. At worst, it can be a major security flaw. In the field of computer security, there’s a tried-and-true paradigm called the principle of least privilege, which states that users should only be given access to the resources they absolutely need to do their work; no more, no less.

Here’s a popular analogy that demonstrates the sensibility of this policy: consider a security guard that works at an office building. We’ll call him Bruce. Let’s say that Bruce’s job description involves patrolling the perimeter of the building and the parking garage to ensure that nothing suspicious is going on. For this role, Bruce really only needs access to the fence surrounding the building and to the garage. But what might happen if Bruce’s key ring (or, to use the more 21^st-century prop, his ID card) allowed him to access every room in the building? Then, a couple of very bad things might happen. Bruce might go rogue and decide to use his access capabilities to do something bad, like steal the CEO’s paperweight. Or, just as plausible, Bruce might misplace his key ring, which is then found by some other untrustworthy person.

Replace the office building with your website, and Bruce with one of your contributors, and it’s quite easy to see why the principle of least privilege makes practical sense. Giving users more power than they need is simply unsafe, and there’s zero sense in doing it. Be smart: use roles to your advantage and manage your website like a pro.

Take the First Step

Interested in leveraging user roles to secure and streamline your content management? Let’s talk!

References

¹ It’s worth noting that the default roles in WordPress are extensible, meaning that you can edit them, as well as add new roles. That is, as long as you’re willing to do some programming.