Every person who has a login to your WordPress site is assigned a user role. This is used to assign people into categories and dictates what the person can and cannot do while logged into WordPress. Users in WordPress are generally grouped into 6 different roles.
The default WordPress roles are:
1. Administrator
When you install a new WordPress site, the very first user is automatically assigned the role of administrator. As the name implies, anyone with the administrator role has the ability to do anything and everything in WordPress. In most WordPress setups, only one or two people have an administrator role.
Users with this role have access to everything, so they can make changes you may not approve of, including adding or removing plugins and editing themes. Use caution when giving a user the administrator role.
2. Editor
The editor role is for users who manage content on a site. They have the ability to create, edit, delete, and publish posts and pages. They can also edit, delete, and publish posts and pages owned by other users. In addition to managing content, users with the editor role can manage comments, categories, and links.
3. Author
The author role is for anyone who writes content such as a regular blog contributor. Anyone with the author role can only create, edit, delete, and publish their own posts.
4. Contributor
The contributor role is a limited-ability role that allows users to create and edit their own posts only. They cannot publish or delete any posts or pages. This is great for a one-time guest blogger.
6. Subscriber
The subscriber role is very limited: the only change users assigned this role can make is to their own profile.
While the subscriber role doesn’t look like much, it plays an important role in using WordPress to create a membership site. Most membership plugins rely on each member having a WordPress user account. Since you probably don’t want them to have access to the backend of your account, with a subscriber role they cannot access anything important.
As you can see, user roles play an important part in WordPress security. Don’t give anyone access they don’t need.
How To Add a New User
Adding new users in WordPress is simple, but keep in mind that only users with the administrator role can add new users. Before beginning, you will need the user’s name and email address, and you will need to know what role to assign the user.
1. From the WordPress admin menu, click on the “Add New User” option under “Users”.
2. Fill in the appropriate information.
3. A username and email are required. While it’s tempting to use a first name as the user name, for security reasons it’s not recommended.
4. It’s helpful to add the user’s first name, last name, and the user’s website, especially if your theme displays blog post author’s information.
5. The “Show password” button will allow you to change the password from the password WordPress has automatically created. Under normal circumstances, you do not want to do this.
6. Always keep the “Send User Notification” box checked. This is how the new user receives their username, password, and login link.
7. Select the appropriate role for the new user. Be sure not to give them more access than needed.
8. After you have confirmed the username, email, and user role, click on the “Add New User” button to create the user account.
Once a new user account has been created, the administrator and user will both get emails confirming the account creation.
The User Profile
Each user can update their profile as they see fit regardless of their assigned role. Users are able to change their email address, name, color scheme used in the admin area, nickname, name shown on the site, website address, bio, and password. If the user has the ability to create and edit posts or pages, the option to turn off the visual editor and keyboard shortcuts will also be available.
A detailed description of each profile option is listed below.
Visual Editor – Checking the box to disable the visual editor when writing means you can only type plain text in your posts and pages. On sites using the Gutenberg editor, you will not be able to add any blocks to your content. On sites not using the Gutenberg editor, you will only have the HTML tab of the editor.
Admin Color Scheme – By default WordPress allows users to choose from 8 color schemes to decorate the admin area. This only affects the admin area and not the publicly seen pages controlled by a theme.
Keyboard Shortcuts – By clicking this box you are enabling keyboard shortcuts. If you love using your keyboard for moving around in apps, this is a great option for you. More information on the shortcuts can be found at https://codex.wordpress.org/Keyboard_Shortcuts.
Username – A user’s username cannot be changed. If a different username is desired, an admin must create a new account for that user with the desired username and then delete the unwanted one. A username is created when a user is added or when WordPress is first installed. For security reasons you should not use names such as admin, user, etc., as those are easily guessable.
First Name – The first name of the user. If a blog post is set to display the author’s first name this is where the name comes from.
Last Name – The last name of the user. If a blog post is set to display the author’s last name this is where the name comes from.
Nickname – Nickname is another required field. From this dropdown box, you can choose how a user’s name is displayed throughout the site. You can choose from a mixture of username, first name, and last name combinations.
Email – Email is a required field which can be updated when needed. The email for the user should be kept up-to-date at all times. All password reset emails, comment notices, and other WordPress system emails to the user will go to this email account.
Website – This space is for the user’s website. This is used mainly for blogs that have multiple authors who also publish content in other places. Many themes will use this information in the author bio area.
Profile Picture – The profile picture is the image that will appear next to your comments and anywhere else it is required, such as an author bio. You cannot change this directly in WordPress; it is changed through Gravatar, a service from Automattic, the same company that owns WordPress.com.
New Password – This is the button to click on if you need to reset a user’s password.
Sessions – If you are logged into the WordPress site in multiple locations or devices, you can click on the “Log Out Everywhere else” button to log out of those instances. This is a great security feature, especially if you tend to log in to WordPress in public places like a library.
Please keep in mind that some WordPress plugins and themes may add or take away options in the user’s profile. Everything listed above is what is shown in a new WordPress install running WordPress 5.2.2.
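The role and username advice above (keep administrators to one or two people, avoid guessable usernames and first names) can be checked against an existing site. The script below is an added example, not part of the original article: it audits a CSV user export, and it assumes the export comes from WP-CLI (wp user list --fields=user_login,display_name,roles --format=csv), that multiple roles arrive comma-joined in one field, and a guessable-name list that extends the article's "admin" and "user".

```python
import csv
import io

# Constructed sample, shaped like the assumed WP-CLI export:
#   wp user list --fields=user_login,display_name,roles --format=csv
SAMPLE_CSV = """user_login,display_name,roles
admin,Site Owner,administrator
jane,Jane Doe,administrator
k7-mallory,Kim Mallory,administrator
rpatel_ed,Ravi Patel,editor
guest42,Guest Writer,"contributor,administrator"
member_9f2,Sam Lee,subscriber
"""

# The article names "admin" and "user"; the other entries are assumptions added here.
GUESSABLE = {"admin", "user", "administrator", "test", "root"}
MAX_ADMINS = 2  # the article: "only one or two people have an administrator role"


def audit_users(csv_text, max_admins=MAX_ADMINS):
    """Return (admin_logins, findings) for a CSV user export."""
    admins, findings = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        # Heuristic: treat the first word of the display name as the first name.
        first = (row["display_name"].split() or [""])[0].lower()
        if login.lower() in GUESSABLE:
            findings.append((login, "guessable username"))
        elif first and login.lower() == first:
            findings.append((login, "username is the first name"))
        if "administrator" in roles:
            admins.append(login)
            if len(roles) > 1:
                findings.append((login, "administrator stacked on another role"))
        if not roles:
            findings.append((login, "no role assigned"))
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrators, expected at most {max_admins}"))
    return admins, findings


if __name__ == "__main__":
    admins, findings = audit_users(SAMPLE_CSV)
    print("administrators:", ", ".join(admins))
    for login, issue in findings:
        print(f"  {login}: {issue}")
```

Because a username cannot be changed, a flagged login is fixed the way the Username entry describes: create a new account with the desired username, then delete the old one.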