How to Handle Permissions on Your WordPress Site

When you set up your WordPress website, you might not be the only person who will be using that site. There may be others who are a part of your business and helping out with various aspects of the website. This is true whether you have a large or a small business, and even those who are running a humble hobby site in hopes to make a little bit of extra money. Since there may need to be other people who have permission to access that site, or at least certain parts of the site, that are behind the scenes, you will need to provide those permissions.

While this is to do with your site, it can also add some elements that you can’t control, which could put your WordPress security at risk if you are not careful. It is essential to understand the types of permissions possible, and which ones might be needed. You also need to make sure that you are working with responsible people and that you trust that they also take security seriously. Let’s take a closer look.

What Types of Roles Are Available?

By default, there are several different types of roles on a WordPress site. These include the admin, editor, author, contributor, and subscriber.

Naturally, the administrator will have the most potent role and will have access to more parts of the site. They can add and edit all posts on the site, and they can delete posts. The admin will also be able to install, edit, and delete themes and plug-ins. The admin is also able to add new users to the site, change passwords for existing users, and delete users. They can even delete other admins. Because this role is so powerful, only the site owner – you – should have that role. Putting it into the hands of anyone else is a WordPress security problem just waiting to happen.

The editor or editors of the site will have control of the content on the website. They will be able to add, edit, publish, and delete posts like the admin. They can also moderate, edit, and delete comments. However, they do not have any permissions to change settings to add or remove plug-ins and themes, etc. They will have a limited role.

Authors can write, edit, and publish posts to the site. They will also be able to delete the posts that they have written. They are not able to create categories, though, so they will have to choose to add the post to categories already in existence. An author can view comments, but they will not be able to do anything else with them. This is a limited role.

Contributors are similar to authors since they can add and edit their posts. They are not allowed to publish any posts, though, even if they were the ones who wrote them. They are not able to create new categories either. Both authors and contributors can add tags to their work. This is a limited role, as well.

Subscribers can log into the site and update their profiles and change their passwords. They do not have any of the other permissions of the above roles. Some sites will require that someone be a subscriber and logged in before they can leave a comment on the site.

The above are the leading roles, but there is also the option of customizing roles if needed and if it will work better for your site’s needs. However, you have to think about how the use of any roles, customer or otherwise, will affect your WordPress security.

Does Everyone Need to Have Roles?

Often, having too many people who can log into your website, particularly at any level above subscriber, can be dangerous. The more people that have permissions on the site, the higher the chance that something could go wrong. This is especially true when they are at a higher level, such as admins. Having too many admins can put your WordPress security at serious risk. You might want to rethink who has access to the site and what permissions they will have available. If you can reduce the number of people with access, it could help to boost security.

Do You Trust Everyone?


Mr Bean Idea by Working Title
Mr. Bean Idea by Working Title. Picture by workingtitlefilms on Giphy.

While you might believe that you can trust everyone who wants to help work on your site, the sad truth is that you can’t. In some cases, people could be malicious and vengeful if you do something that might upset them. For example, someone who does poor and fired from the company may be upset about this; they could damage your site before they leave.

Other people do not realize the seriousness of the information they have (a password that gets them in to the website), and they could have that information readily available in their email, which could be hacked.

You always need to be careful whenever you are assigning people permissions to your site. They need to be trustworthy, and you should never feel bad about stripping permissions if necessary.

What Else Can You Do to Improve WordPress Security?

When you have multiple people working on your site with you, make sure that they pay proper attention to the security needs of the site. They should be required to change their password monthly, and they need to be sure they are using quality passwords that cannot be easily hacked or guessed. They should get into the habit of logging out of the system when they are not using it, as well.

You should have a WordPress firewall added, and you should look at investing in plug-ins that will be able to help you find other security risks and take care of them. The last thing you need is to have to deal with a hacker when all you are trying to do is run your site.

Save 40%

On monthly and annual plans

Lifetime Deals

Only during BF sales!




We won't spam you. Unsubscribe any time.

Wait! Before you go!

Get 10% discount for any WP Security Ninja plan!


Subscribe to our newsletter for new releases, discounts and general WordPress Security news. Sprinkled with other interesting stuff :-)

WordPress Turns 20: Save 20% Now!



Code valid till June 26th 2023

10% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)