How to Set and Limit Permissions for WordPress Blog Authors
There are two kinds of WordPress blogs: those with a single author and those with multiple authors.
Blogs with a single author don't need to worry about anything I will write in this post unless you're planning to expand into a multi-author blog in the future. Why not check out something else in my blogging category for now? I'm sure I have tips to help you with something you need.
Blogs with multiple authors also come in two forms.
1. The first is blogs where multiple authors contribute, but all of the content on a single-author blog is typically published by the first account, an Admin account. This example is the most common among novice bloggers and bloggers who want to use ghostwriters. I usually recommend to at least rename the admin account (like how mine is James Parsons), but that's not really what today's post is about.
2. The second kind is blogs that set each author to have a unique author role with limited permissions. For example, if you check out the Ahrefs blog, you'll find different authors' posts with their bylines and profile pages. See:
Blogs generally use this method with multiple contributing authors who are not ghostwriters and, thus, get credit for their work. I've also seen it used by blogs that use ghostwriters and create fake accounts for multiple people to make the blog seem more significant. Sites like Ahrefs probably don't do this, but small websites with very little traffic but multiple authors might. I'm not here to judge the practice, though, only to mention it.
The primary conflict with multi-author blogs comes within the WordPress dashboard. If you create an admin account for a new writer and give them access, they have, well, access. The default WordPress account uses the admin role, and that means the author will have access to everything from theme and plugin information to admin controls. They could even delete your account, add new plugins or remove plugins, delete or edit posts or pages that weren't created by them, or even change your source code.
That can be fine if you're a small blog with a close-knit team and you trust your authors implicitly. For most businesses, though, it's a bad idea, and all sorts of things can go wrong!
- If a writer leaves, you need to disable their access so they can't do things like poaching keywords on their way out.
- If you fire an author, you need to make sure they can't do damage on the way out.
- Your authors need discipline and training to ensure that they don't mess with or break anything in the admin console they shouldn't touch.
- Accounts can get compromised or hacked, and accounts with elevated permissions could end up in the hands of an attacker without your writer's knowledge.
These and similar issues can crop up. In a way, you can think of it as similar to a closed facility with security, like a government building or a military base. The general public doesn't have access to more than a few facilities if any. Low-level workers have access to the least secured areas, just enough to do their jobs and nothing more. Only people with higher clearance get access to the deeper parts of the facility.
You don't want to give someone access to stuff they shouldn't have. Even if they aren't malicious about it, ignorance can damage a site, and if their account gets compromised, you don't want hackers to have access that could cause irreparable damage.
The answer to this problem is not unheard of. It's not even uncommon. It's called user access controls, and it's part of role management in pretty much every business platform ever made for teams. WordPress is no exception. So, how can you do it?
30 Second Summary
You can manage WordPress blogs with multiple authors in two main ways. In the first approach, all content goes with a single admin account. The second way gives each author their own account with specific permissions. You'll want to avoid giving admin access to writers since they could damage your site, delete content or cause problems if they leave. Instead, you should use WordPress's built-in user roles or a plugin like User Role Editor to control what each author can do. When setting up authors, you can give everyone the same role or create custom roles based on their needs. This helps keep your site secure while letting writers do their jobs.
Default WordPress User Roles
Both WordPress.com and WordPress.org come with user role support out of the box. It's not ideal for managing a large site with many people working on it, but it's okay for smaller websites that are dipping their toes into the world of teams.
WordPress has six roles by default. They are:
- Super Admin. These are the site owners, the people with complete and total control over everything on the site. They have every capability, and then some. They are also the only user able to manage linked websites as part of a multisite. You will only see this role if you have Multisite mode enabled.
- Admin. These are the same as Super Admins in that they have total control over everything on the site. They can change themes, update site information, alter settings, publish or remove content, and everything else. Unlike Super Admins, they are limited to just one site.
- Editor. These are accounts with control over the site content but not infrastructure. They can publish, edit, and remove content, manage comments, and more. However, they cannot do things to the site itself, like changing the theme or settings.
- Author. These are accounts with controls over publishing and editing content, but only their content. They cannot change the content of other authors the way Editors can.
- Contributor. These author accounts can write and edit content but cannot hit the "publish" button on it. That requires review and approval by an Editor or higher account.
- Publisher. These are highly-limited accounts that can't do much of anything beyond managing their account settings.
The trick here is that the first WordPress user that is created is, by default, an Admin account. Since your account is an administrator, that means that if you want to add a new author, you need to specifically choose the contributor/author/editor role for them as appropriate. Otherwise, you give them way more access than they should have. This situation can be a big problem if you're prone to oversights. It's always better to create new accounts than to share access to your administrator account.
Additionally, these roles are flexible. You can change every role by using PHP functions add_cap() and remove_cap() to add or remove specific capabilities. Capabilities are things like edit_themes, edit_plugins, manage_options, moderate_comments, upload_files, and more. You can see the complete list here.
Do you see the problem here? I do:
We create blog content that converts - not just for ourselves, but for our clients, too.
We pick blog topics like hedge funds pick stocks. Then, we create articles that are 10x better to earn the top spot.
Content marketing has two ingredients - content and marketing. We've earned our black belts in both.
Using the default roles isn't necessarily bad, but sometimes you want to add or remove functionality from a role to suit the needs of an individual working for you. It's tricky and annoying to get right. Moreover, since it involves using custom PHP, you need to do it right, or it could break your site.
If WordPress updates significantly in future releases, this code may also break and require updating.
Enter User Role Editor
The User Role Editor plugin is probably the #1 go-to role management WordPress plugin. It's active on over 700,000 WordPress sites, and it gives you most of what you would want to use it to do for free. Of course, it also has paid versions with additional features, some designed for agencies or multisite platforms, for varying pricing tiers.
What does it do? It takes all of the add/remove roles and add/remove capabilities from roles functionality and gives it a shiny friendly interface. Instead of mucking about with PHP, you choose a role, select checkboxes, and you're good to go.
The other feature that I consider near-essential that User Role Editor has is changing the default for a new account. You can choose to make brand new accounts default to, say, contributor, subscriber, or even a custom role with specific permissions. That way, you never run the risk of a new user having more permissions than they should, which keeps your WordPress content and plugins safe from tampering.
Many users are happy using the default user roles, but creating custom user roles isn't too difficult once you get the hang of it.
Alternatives to User Role Editor
If (for some reason) you don't want to use the most popular role editor plugin, there are other alternatives you can try.
Here are a few:
- User Role – User Role is simple, lightweight, easy to manage, and free of cruft. The biggest downside is that you need the pro version to create more than a handful of custom roles, but that won't be a problem for most smaller sites.
- Members – This is a powerful plugin that combines user roles with user membership options. It lets you add multiple roles to one user, and it works with the membership plugin MemberPress (if you use that).
- PublishPress Capabilities – This is a nuanced user role editor that also gives you the ability to hide even specific features of the Gutenberg or basic editors from particular roles if you want to limit what kind of capabilities authors have.
There are other plugins out there as well, but you get the idea. Most of them do pretty much the same thing, so it's just a matter of thinking about additional features you want to use and finding a plugin to manage them. I wouldn't get a plugin with extra features you don't plan to use, though; for example, I don't bother with membership sites, so having Members wouldn't be ideal for me.
When running a multi-author blog, you have a few options for how you want to do it. I've seen some sites create a central Author account and tell everyone to use it, but that's not much different from just creating an Admin account and having everyone give you their content.
1. The most common option is to give everyone an account with all users using the same Author role. They have precisely the permissions you want them to have, and you can remove permissions from the role if you find that they're being abused. For example, if you find that your authors are all ignoring comments (or approving spam comments they don't realize are spam), you can remove comment moderation from the role and do it yourself.
2. Another option is to create a unique role for each author. You can customize their permissions according to their place in your hierarchy. You might have an author who can do just about anything and another author who only has publication abilities and then create a new editor or admin account for oversight. This method allows you to customize a user's capabilities without finding the role that best matches what they should be able to do. The biggest problem is that it creates a massive pile of roles you have to keep track of and manage, which can get tedious and challenging.
I've seen that option used well for freelance-to-author hires. You pick up a freelancer and give them a contributor role to write and save a draft, and you can now restrict author privileges and restrict categories. For example, you can set it so that they can't publish content themselves without review, they can only edit their own posts, edit their user profile, and they can't change any of your core WordPress functionality. Once they've proven themselves, you gradually give them more power to create new posts, publish posts under specific categories, access the media library, and use other parts of the WordPress admin area. It can work out.
3. Another option I've seen (but don't recommend) is to create a specific user for a guest posting role. This kind of role would allow a guest contributor to step in and manage their content directly with an account on your system, rather than the usual process of sending you the content to be published manually. Guest contributions are not unusual, but they usually don't need dedicated access to your site. Guest posts should always be heavily edited and reviewed anyway to prevent damage to your reputation with search engines.
4. Finally, creating an Agency role is something I always do for my clients, or rather, advise that they do for me. I need access to their sites to handle their content marketing, but I neither need nor want to edit core site information like theme, site name, or other data. I would, however, like to have access to adding and changing plugins (for SEO purposes) and optimizing site speed. I do more than just surface-level content marketing, after all, and an Agency role that pares down unnecessary access but still gives me more than an author/editor role would be essential.
How Do You Manage Roles?
Do you run a site with multiple authors or contributors? If so, what do you do to manage roles? I'm curious what kinds of options other people have come up with. My use cases are bred out of my experience and what I find most convenient to use while maximizing security for myself and my clients. Let me know what you've done to your sites below!
November 30, 2021
I have just been thinking about expanding my site by recruiting more authors but I wasn't too familiar with the technicalities, permissions, and whatnots. I came across this at a perfect time! I'll be sure to keep consulting this post as I work on the expansion.
December 01, 2021
Hey Beth,
Congrats on your blog growth! I'm glad my guide helped you.
It certainly gets more difficult to manage quality and consistency once you start bringing multiple authors into the picture.
It sounds like you have the right idea. Good luck!
September 26, 2024
Did you have any issues?
October 03, 2024
Hey Tarsha!
You didn't have any serious issues with setting permissions right? Sometimes you might kind of need a plugin to make things easier. You'll find that different plugins give you specific controls to really fine-tune access which can definitely be super helpful for handling different author needs. This might be a real lifesaver if you're working with a big team!
Do you have multiple authors on your blog? 😊
I'm happy to help if you have more questions. Just reach out anytime!
May 29, 2022
Thanks, I needed this!
June 03, 2022
Thanks, Jo! You're welcome.
July 14, 2022
Hey, James, just wanted to let you know that I started blogging earlier this year and your stuff has always been a huge help to me so far. Thank you and keep up the good work!
July 21, 2022
Hey Peter, that really means a lot! Thank you for sticking around and reading my blog posts, it's readers like you that keep me going. Cheers 🙂
October 01, 2024
I always end up making unique roles for every author. Sure, it's more work, but it helps me keep things under control. One time, an author accidentally deleted someone else's content. Creating custom roles really helped prevent that from happening again.
Cheers, Georgine
October 08, 2024
Hey there Georgine!
You're so right - custom roles are a great way to keep things under control! It can be pretty difficult when authors accidentally interfere with each other's work so your strategy sounds spot on! 🎉 You might want to check out some plugins for custom roles too; they can really save you some time.
By the way I'm curious about how your authors feel about having unique roles. That idea sounds interesting!
If you ever need more tips or advice feel free to give me a shout!
October 09, 2024
i've often thought about how those plugins work for custom roles. do you have any favorites?
October 10, 2024
Hey Rudolf!
The User Role Editor is definitely a solid choice for helping you manage custom roles on your site. Many clients really appreciate its flexibility when it comes to managing all of the permissions completely.
Try it out and feel free to share your thoughts on it! If you have any more questions I'm always here and happy to help. 😊
October 21, 2024
I've always wondered about user experience with these plugins. Did it meet your needs, or is it still changing?
October 31, 2024
Hey Jess!
I've noticed that user experience with these plugins can be really different for people. For my clients being able to customize is super important because their needs usually change over time.
Many plugins are updated often which is great for making sure security improves and new features are added. It's definitely a good idea to watch those updates.
Are there any specific features that you are looking for? I'm here to help you out!
😊