How to Set and Limit Permissions for WordPress Blog Authors
There are two kinds of WordPress blogs: those with a single author and those with multiple authors.
Blogs with a single author don’t need to worry about anything I will write in this post unless you’re planning to expand into a multi-author blog in the future. Why not check out something else in my blogging category for now? I’m sure I have tips to help you with something you need.
Blogs with multiple authors also come in two forms.
1. The first is blogs where multiple authors contribute, but all of the content is published under the first account, the Administrator account, exactly as on a single-author blog. This setup is the most common among novice bloggers and bloggers who use ghostwriters. I usually recommend at least renaming the admin account (mine is James Parsons), and that means the login name as well as the display name, since "admin" is the first username a brute-force tool tries, but that's not really what today's post is about.
2. The second kind is blogs that give each author their own account with a limited role. For example, if you check out the Ahrefs blog, you'll find different authors' posts with their own bylines and profile pages.
Blogs generally use this method with multiple contributing authors who are not ghostwriters and, thus, get credit for their work. I’ve also seen it used by blogs that use ghostwriters and create fake accounts for multiple people to make the blog seem more significant. Sites like Ahrefs probably don’t do this, but small websites with very little traffic but multiple authors might. I’m not here to judge the practice, though, only to mention it.
The primary conflict with multi-author blogs comes within the WordPress dashboard. If you create an admin account for a new writer and give them access, they have, well, access. The first WordPress account is an Administrator, and an Administrator has access to everything from theme and plugin management to user administration. They could delete your account, add or remove plugins, delete or edit posts or pages that weren't created by them, or even edit theme and plugin code from the dashboard's built-in file editor (unless you have disabled it with the DISALLOW_FILE_EDIT constant in wp-config.php).
That can be fine if you’re a small blog with a close-knit team and you trust your authors implicitly. For most businesses, though, it’s a bad idea, and all sorts of things can go wrong!
- If a writer leaves, you need to disable their access so they can’t do things like poaching keywords on their way out.
- If you fire an author, you need to make sure they can’t do damage on the way out.
- Your authors need discipline and training to ensure that they don’t mess with or break anything in the admin console they shouldn’t touch.
- Accounts can get compromised or hacked, and accounts with elevated permissions could end up in the hands of an attacker without your writer’s knowledge.
These and similar issues can crop up. In a way, you can think of it as similar to a closed facility with security, like a government building or a military base. The general public doesn’t have access to more than a few facilities if any. Low-level workers have access to the least secured areas, just enough to do their jobs and nothing more. Only people with higher clearance get access to the deeper parts of the facility.
You don’t want to give someone access to stuff they shouldn’t have. Even if they aren’t malicious about it, ignorance can damage a site, and if their account gets compromised, you don’t want hackers to have access that could cause irreparable damage.
The answer to this problem is not unheard of. It's not even uncommon. It's called user access control, and it's part of role management in pretty much every business platform ever made for teams. The principle behind it is least privilege: each account gets the capabilities its job needs and nothing more. WordPress is no exception. So, how can you do it?
Default WordPress User Roles
Both WordPress.com and self-hosted WordPress (WordPress.org) come with user role support out of the box. It's not ideal for managing a large site with many people working on it, but it's fine for smaller websites that are dipping their toes into the world of teams.
WordPress has six roles by default. They are:
- Super Admin. These are the network owners, the people with complete and total control over every site in a Multisite network. They have every capability, and they are the only users who can manage the network itself: adding sites, installing plugins and themes network-wide, and editing code. You will only see this role if you have Multisite mode enabled.
- Admin. On a single site, these have total control over everything on the site. They can change themes, update site information, alter settings, install and activate plugins, manage users, publish or remove content, and everything else. On a Multisite network, a site Admin is more limited: installing plugins or themes and editing code is reserved for the Super Admin.
- Editor. These are accounts with control over the site's content but not its infrastructure. They can publish, edit, and delete anyone's posts and pages, manage categories, and moderate comments. However, they cannot do things to the site itself, like changing the theme, settings, plugins, or users. One thing to know: on a single site, Editors (like Admins) hold the unfiltered_html capability, which lets them put raw script tags into posts.
- Author. These are accounts that can write, upload media for, publish, edit, and delete their own posts, but only their own. They cannot touch other authors' content the way Editors can, and they cannot moderate comments.
- Contributor. These accounts can write and edit their own drafts but cannot hit the "publish" button, and they cannot upload media. Publishing requires review by an Editor or higher account.
- Subscriber. These are highly limited accounts that can't do much of anything beyond reading the site and managing their own profile.
The trick here is that the first WordPress user that is created is, by default, an Administrator. New users you add afterwards default to Subscriber (Settings > General > New User Default Role, which is also the role anyone who self-registers gets), so the danger is not the default but convenience: picking Administrator from the role dropdown because you're in a hurry, or handing a writer your own admin login. You need to specifically choose the contributor/author/editor role for each new person as appropriate, and it's always better to create new accounts than to share access to your administrator account, because a shared account can't be revoked for one person and leaves no record of who did what.
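Before you start limiting anyone, it helps to know who can already control the site. Below is an added example (not code from the post, and not from any plugin it mentions) that lists every user holding a site-level capability, so the list can be checked against the people you actually expect, and that off-boards a departing writer without deleting their account. It checks effective capabilities with user_can(), so it catches users with several roles or capabilities granted directly on the user, not only the Administrator role. The function names, the capability set, and the expected login `james` are hypothetical; run it once with WP-CLI's `wp eval-file`, not from a file that loads on every request.

```php
<?php
/**
 * Added example, not the post's own code: audit who can control the site
 * (rather than just its content) and off-board a departing writer.
 * Run once with `wp eval-file audit.php`. Function names, the capability
 * set and the expected-owner list are hypothetical choices.
 */

// Capabilities that amount to control of the site itself. unfiltered_html is
// included because it lets a user store arbitrary <script> in posts, and on a
// single site Editors hold it by default.
const EXAMPLE_PRIVILEGED_CAPS = [
    'manage_options', 'edit_users', 'promote_users', 'delete_users',
    'install_plugins', 'activate_plugins', 'edit_plugins',
    'install_themes', 'switch_themes', 'edit_themes', 'edit_files',
    'unfiltered_html',
];

/**
 * Map login => list of privileged caps the user actually holds. user_can()
 * resolves effective capabilities, so users with several roles, or with caps
 * granted directly via WP_User::add_cap(), are caught too.
 */
function example_privileged_users(): array {
    $report = [];
    foreach (get_users(['fields' => 'all']) as $user) {
        $held = array_values(array_filter(
            EXAMPLE_PRIVILEGED_CAPS,
            fn (string $cap): bool => user_can($user, $cap)
        ));
        if ($held !== []) {
            $report[$user->user_login] = $held;
        }
    }
    return $report;
}

/** Everyone in the report who is not on the list of expected owners. */
function example_unexpected_privileged_users(array $expected_logins): array {
    return array_diff_key(example_privileged_users(), array_flip($expected_logins));
}

/**
 * Off-board a writer without deleting the account (deleting it forces you to
 * reassign or delete their posts): strip every role and per-user cap, drop
 * them to Subscriber, rotate the password, and destroy all logged-in sessions
 * so a browser that is already signed in does not stay signed in.
 */
function example_offboard_user(string $login): bool {
    $user = get_user_by('login', $login);
    if (!$user instanceof WP_User) {
        return false;
    }
    // set_role() replaces roles but keeps caps granted directly on the user,
    // so clear everything first.
    $user->remove_all_caps();
    $user->set_role('subscriber');
    wp_set_password(wp_generate_password(32, true, true), $user->ID);
    WP_Session_Tokens::get_instance($user->ID)->destroy_all();
    return true;
}

// Usage (constructed): report anyone with site-level power who is not the owner.
foreach (example_unexpected_privileged_users(['james']) as $login => $caps) {
    error_log(sprintf('unexpected privileged user %s: %s', $login, implode(', ', $caps)));
}
```

Expect every Editor to show up in the report because of unfiltered_html; that is the point of including it. If you don't want Editors able to inject script, remove that capability from the role (or set DISALLOW_UNFILTERED_HTML in wp-config.php) rather than silently dropping it from the audit.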
Additionally, these roles are flexible. Every role is a set of capabilities, and you can change it from PHP: get_role() returns a WP_Role object, and its add_cap() and remove_cap() methods add or remove specific capabilities (add_role() creates an entirely new role). Capabilities are things like edit_themes, edit_plugins, manage_options, moderate_comments, upload_files, and more. The complete list is in the Roles and Capabilities reference in the WordPress documentation.
Do you see the problem here? I do:
Using the default roles isn't necessarily bad, but sometimes you want to add or remove functionality from a role to suit the needs of an individual working for you. It's tricky and annoying to get right. Moreover, since it involves custom PHP, you need to do it right, or it could break your site. Two things trip people up: role changes are written to the database (the wp_user_roles option), so they persist after you delete the code that made them, and a typo in a capability name silently creates a new capability that nothing ever checks, so the role looks right while granting nothing.
If WordPress changes the default capability sets in a future release, this code may also break or need updating.
Enter User Role Editor
The User Role Editor plugin is probably the #1 go-to role management WordPress plugin. It's active on over 700,000 WordPress sites, and it gives you most of what you would want from it for free. Of course, it also has paid versions with additional features, some designed for agencies or multisite platforms, at varying pricing tiers.
What does it do? It takes all of the add/remove roles and add/remove capabilities from roles functionality and gives it a shiny friendly interface. Instead of mucking about with PHP, you choose a role, select checkboxes, and you’re good to go.
The other feature that I consider near-essential is changing the default role for new accounts. WordPress core exposes this as Settings > General > New User Default Role, and User Role Editor surfaces the same setting next to your roles. You can make brand new accounts default to, say, contributor, subscriber, or even a custom role with specific permissions. That closes off one way a new user ends up with more permissions than they should have, though it does nothing about a user whose role you set to Administrator by hand.
Many users are happy using the default user roles, but creating custom user roles isn’t too difficult once you get the hang of it.
Alternatives to User Role Editor
If (for some reason) you don’t want to use the most popular role editor plugin, there are other alternatives you can try.
Here are a few:
- User Role – User Role is simple, lightweight, easy to manage, and free of cruft. The biggest downside is that you need the pro version to create more than a handful of custom roles, but that won’t be a problem for most smaller sites.
- Members – This is a powerful plugin that combines user roles with user membership options. It lets you add multiple roles to one user, and it works with the membership plugin MemberPress (if you use that).
- PublishPress Capabilities – This is a nuanced user role editor that also gives you the ability to hide even specific features of the Gutenberg or basic editors from particular roles if you want to limit what kind of capabilities authors have.
There are other plugins out there as well, but you get the idea. Most of them do pretty much the same thing, so it’s just a matter of thinking about additional features you want to use and finding a plugin to manage them. I wouldn’t get a plugin with extra features you don’t plan to use, though; for example, I don’t bother with membership sites, so having Members wouldn’t be ideal for me.
When running a multi-author blog, you have a few options for how you want to do it. I've seen some sites create a central Author account and tell everyone to use it, but that's not much different from just creating an Admin account and having everyone give you their content, and a shared login means you can't remove one person's access without resetting everyone's, and you never know who actually published what.
1. The most common option is to give everyone an account with the same Author role. They have precisely the permissions you want them to have, and you can remove permissions from the role if you find that they're being abused. For example, if you find that your writers are all ignoring comments (or approving spam comments they don't realize are spam), you can remove comment moderation from the role and do it yourself. (The stock Author role can't moderate comments; this applies if you had granted moderate_comments to it, or if your writers are Editors.)
2. Another option is to create a unique role for each author. You can customize their permissions according to their place in your hierarchy. You might have an author who can do just about anything and another author who only has publication abilities and then create a new editor or admin account for oversight. This method allows you to customize a user’s capabilities without finding the role that best matches what they should be able to do. The biggest problem is that it creates a massive pile of roles you have to keep track of and manage, which can get tedious and challenging.
I've seen that option used well for freelance-to-author hires. You pick up a freelancer and give them a Contributor-style role so they can write and save a draft, and from there you restrict what else they can do. For example, you can set it so that they can't publish content themselves without review, they can only edit their own posts and their user profile, and they can't change any of your core WordPress functionality. Once they've proven themselves, you gradually give them more power: publishing their own posts, access to the media library, and other parts of the WordPress admin area. Restricting which categories a user may post in is not a core capability, so that step needs a plugin that adds it. It can work out.
3. Another option I’ve seen (but don’t recommend) is to create a specific user for a guest posting role. This kind of role would allow a guest contributor to step in and manage their content directly with an account on your system, rather than the usual process of sending you the content to be published manually. Guest contributions are not unusual, but they usually don’t need dedicated access to your site. Guest posts should always be heavily edited and reviewed anyway to prevent damage to your reputation with search engines.
4. Finally, creating an Agency role is something I always do for my clients, or rather, advise that they do for me. I need access to their sites to handle their content marketing, but I neither need nor want to edit core site information like the theme, site name, or other settings. I would, however, like to be able to add and change plugins (for SEO purposes) and optimize site speed. I do more than just surface-level content marketing, after all, and an Agency role that pares down unnecessary access but still gives me more than an author/editor role would is essential. Be clear-eyed about what that role really grants, though: install_plugins lets its holder upload an arbitrary PHP file, so whoever has it can run any code on the site, and in practice you are trusting them as much as an Administrator.
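Here is how the role customizations described above (the trimmed-down Author, the freelance Contributor, and the Agency role) look when done with the add_role()/add_cap()/remove_cap() API from the Default WordPress User Roles section, as an added example rather than the post's own code or any plugin's. It lives in a must-use plugin, so it loads on every request, and it is gated behind a version option so the database writes happen once per version instead of on every page load; bumping the number re-applies everything after a WordPress update changes the defaults. The role names, the version option name, and the exact capability sets are hypothetical choices. It also goes slightly beyond the text: a final pass strips site-level capabilities from every writer-level role, so a typo or a changed base role can't quietly hand a writer more than intended.

```php
<?php
/**
 * Plugin Name: Example role hardening
 * Added example, not the post's or any plugin's code. Save the file in
 * wp-content/mu-plugins/ so it loads on every request. Role names, the
 * version option and the exact capability sets are hypothetical choices.
 *
 * WordPress stores roles in the wp_user_roles option, so add_role(),
 * add_cap() and remove_cap() write to the database and persist even after
 * this file is deleted. The version gate makes the changes run once per
 * version instead of on every page load.
 */

const EXAMPLE_ROLES_VERSION = 1; // bump after editing the definitions below

// Capabilities a writer-level role must never hold: site settings, users,
// code, and unfiltered markup or uploads.
const EXAMPLE_FORBIDDEN_FOR_WRITERS = [
    'manage_options', 'edit_users', 'promote_users', 'delete_users',
    'install_plugins', 'activate_plugins', 'edit_plugins', 'delete_plugins',
    'install_themes', 'switch_themes', 'edit_themes', 'edit_theme_options',
    'edit_files', 'unfiltered_html', 'unfiltered_upload', 'import',
];

/** Create (or recreate) a role from a base role, plus and minus capabilities. */
function example_define_role(string $name, string $label, string $base, array $add, array $remove): ?WP_Role {
    $base_role = get_role($base);
    if ($base_role === null) {
        return null;
    }
    // add_role() returns null if the role already exists, so remove it first.
    // Users keep the role name in their usermeta and pick up the new definition.
    remove_role($name);
    $role = add_role($name, $label, $base_role->capabilities);
    foreach ($add as $cap) {
        $role->add_cap($cap);
    }
    foreach ($remove as $cap) {
        $role->remove_cap($cap);
    }
    return $role;
}

function example_apply_role_changes(): void {
    if ((int) get_option('example_roles_version', 0) >= EXAMPLE_ROLES_VERSION) {
        return;
    }

    // 1. Freelance contributor: core Contributor (own drafts, no publishing)
    //    plus media uploads, which core Contributors lack.
    example_define_role('freelance_contributor', 'Freelance Contributor', 'contributor', ['upload_files'], []);

    // 2. Agency: Editor plus plugin management, minus settings, themes, code
    //    editing and raw HTML. install_plugins still allows uploading arbitrary
    //    PHP, so this role is trust-equivalent to Administrator in practice.
    example_define_role(
        'agency', 'Agency', 'editor',
        ['install_plugins', 'activate_plugins', 'update_plugins', 'delete_plugins'],
        ['edit_plugins', 'edit_themes', 'switch_themes', 'edit_theme_options',
         'manage_options', 'edit_files', 'unfiltered_html']
    );

    // 3. Trim a core role in place: stop Editors from storing raw <script>
    //    (single-site Editors have unfiltered_html by default).
    $editor = get_role('editor');
    if ($editor !== null) {
        $editor->remove_cap('unfiltered_html');
    }

    // 4. Sanity check: no writer-level role may hold a forbidden cap, whatever
    //    the base role or a typo above granted.
    foreach (['contributor', 'freelance_contributor', 'author'] as $role_name) {
        $role = get_role($role_name);
        if ($role === null) {
            continue;
        }
        foreach (EXAMPLE_FORBIDDEN_FOR_WRITERS as $cap) {
            if ($role->has_cap($cap)) {
                $role->remove_cap($cap);
                error_log("example roles: removed {$cap} from {$role_name}");
            }
        }
    }

    update_option('example_roles_version', EXAMPLE_ROLES_VERSION);
}
add_action('init', 'example_apply_role_changes');
```

Because the roles persist in the database, deleting this file does not undo anything; to roll back, call remove_role() for the custom roles and re-add the capabilities you removed from Editor, or reset the roles with a role editor plugin. Assign people to the new roles from Users in the dashboard as usual.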
How Do You Manage Roles?
Do you run a site with multiple authors or contributors? If so, what do you do to manage roles? I’m curious what kinds of options other people have come up with. My use cases are bred out of my experience and what I find most convenient to use while maximizing security for myself and my clients. Let me know what you’ve done to your sites below!