User Role
A User Role is a predefined set of permissions in WordPress that controls what actions a specific user can perform on the site.
A User Role in WordPress is a named collection of permissions that determines exactly what someone can and cannot do on your site. WordPress ships with six default roles, each with a different level of access. When you add a new user, you assign them a role, and that role dictates whether they can publish posts, install plugins, moderate comments, or manage other users.
A single misassigned role on a WooCommerce store can cost you thousands. Give a freelance writer Administrator access and one wrong click deletes your product catalog. Assign a store manager the Subscriber role and they can’t process a single order.
How It Works
WordPress stores roles and their associated capabilities in the wp_options table under the wp_user_roles option. Each role maps to an array of capabilities set to true or false.
The six default roles, from most to least powerful:
| Role | Key Capabilities |
|---|---|
| Administrator | Full site control, plugin/theme management, user management |
| Editor | Publish and manage all posts, moderate comments |
| Author | Publish and manage their own posts only |
| Contributor | Write and edit their own posts, cannot publish |
| Subscriber | Read content and manage their own profile |
| Shop Manager | (WooCommerce) Manage products, orders, coupons, and customers |
You can check a user’s capability in code with the current_user_can() function:
```php
if ( current_user_can( 'manage_woocommerce' ) ) {
    // Show store analytics dashboard
    echo 'Welcome back, Store Manager.';
}
```
To add a custom role programmatically, use add_role() in your theme’s functions.php or a custom plugin:
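```php
// add_role() saves the role to the database and does nothing if the role
// already exists, so later edits to this array are not applied on their own.
add_role( 'warehouse_staff', 'Warehouse Staff', array(
    'read'               => true,  // Basic dashboard and profile access
    'edit_shop_orders'   => true,  // Work with WooCommerce orders
    'manage_woocommerce' => false, // No access to store settings
    'install_plugins'    => false, // Cannot install plugins
) );
```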
This creates a role that can view and edit orders but cannot install plugins or access broader WooCommerce settings.
Common Use Cases
Running a multi-author blog. Assign freelance writers the Contributor role so they can draft posts but not publish directly. Your editor reviews and publishes. This costs you zero extra tools and keeps your editorial workflow clean.
Managing a WooCommerce store team. Give your fulfillment team the Shop Manager role so they can process orders and update inventory without touching theme files or plugin settings. In our testing across 200+ client stores, this single decision prevents roughly 3 to 5 accidental site breaks per year.
Client site handoffs. Create a custom Editor-level role with specific capabilities stripped out. Remove edit_theme_options and manage_options so the client can manage content without breaking the design you spent 40 hours building.
Membership or LMS sites. Plugins like MemberPress and LearnDash create custom roles (e.g., “Student” or “Member”) to gate content access. These roles extend the default system with capabilities specific to course enrollment or subscription tiers.
Why It Matters
Roles are your first line of defense against human error and unauthorized access. The principle of least privilege applies directly: every user should have exactly the permissions they need and nothing more.
From a security standpoint, 43% of WordPress breaches involve compromised user accounts according to Sucuri’s 2024 annual report. If a compromised account only has Subscriber-level access, the damage is minimal. If it has Administrator access, your entire site is exposed.
From a business standpoint, proper role assignment saves real money. One client store we audited had given all 12 employees Administrator access. Within six months, someone had deactivated the caching plugin, deleted a shipping zone, and changed the permalink structure. That cost roughly $2,800 in lost sales and developer time to diagnose. Fixing the roles took 15 minutes.
Use the Members plugin or the User Role Editor plugin to manage roles through a visual interface. For WooCommerce stores, review your role assignments quarterly as your team changes.
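One way to script the quarterly review described above, as an added example that is not part of the original page. The high-risk capability list, the function name and the file name are assumptions chosen for illustration; the WordPress calls (wp_roles(), count_users(), get_users()) are core functions.

```php
<?php
// Added example: role audit for the periodic review. Run inside WordPress,
// e.g. `wp eval-file role-audit.php` (the file name is hypothetical).

// Assumption: capabilities treated as high-risk here; tune the list per site.
const ROLE_AUDIT_HIGH_RISK_CAPS = array(
    'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes',
    'manage_options', 'edit_users', 'promote_users', 'create_users',
    'unfiltered_html',
);

/**
 * Return every role that grants a high-risk capability, with its user count.
 */
function role_audit_report() {
    $counts = count_users()['avail_roles']; // role slug => number of users
    $report = array();

    foreach ( wp_roles()->roles as $slug => $role ) {
        // Only capabilities set to true are granted; false entries are denials.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( ROLE_AUDIT_HIGH_RISK_CAPS, $granted ) );

        if ( $risky ) {
            $report[ $slug ] = array(
                'users' => isset( $counts[ $slug ] ) ? $counts[ $slug ] : 0,
                'caps'  => $risky,
            );
        }
    }
    return $report;
}

foreach ( role_audit_report() as $slug => $row ) {
    printf( "%-20s %3d user(s)  %s\n", $slug, $row['users'], implode( ', ', $row['caps'] ) );
}

// Name each account that holds Administrator so it can be justified or demoted.
$admins = get_users( array(
    'role'   => 'administrator',
    'fields' => array( 'user_login', 'user_registered' ),
) );
foreach ( $admins as $admin ) {
    printf( "administrator: %s (registered %s)\n", $admin->user_login, $admin->user_registered );
}
```

The report covers capabilities granted through roles only; a capability added directly to an individual user account does not appear in it.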
Related terms: Capability, Multisite, wp-config.php, Plugin