How Many People Have Keys to Your House?

Welcome to our guide to WordPress & WooCommerce user roles and security.

WordPress User Roles and Permissions

We’ll go straight to the source for the user roles and permissions that come with a WordPress website.

WordPress uses roles and permissions to give the website owner control over who can do what.

WordPress has 6 pre-defined user roles.

  • Super Admin
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

SUPER ADMIN is somebody with access to the site network administration features and all other features. They have the ability to:

  • create sites
  • delete sites
  • manage the network (on a multi-site install)
  • manage the websites within the network
  • manage the network users
  • manage the network plugins
  • manage the network themes
  • manage the network options
  • upgrade the network
  • set up the network

In the case of a single WordPress site installation, Administrators are, in effect, Super Admins.

ADMINISTRATOR (ADMIN) is somebody who has access to all of the administrative features within a single site. They have the ability to:

  • activate plugins
  • delete others’ pages & posts
  • delete pages & posts
  • delete private pages & posts
  • delete published pages & posts
  • edit the dashboard
  • edit others’ pages & posts
  • edit private pages & posts
  • edit published pages & posts
  • edit theme options
  • export
  • import
  • list users
  • manage categories, links and options
  • moderate comments
  • promote users
  • publish pages & posts
  • read private pages & posts
  • create, edit, read and delete reusable blocks
  • remove users
  • switch themes
  • upload files
  • customize
  • delete the site
  • update the core, plugins and themes
  • install plugins and themes
  • delete plugins and themes
  • edit plugins, themes, files and users
  • add, create and delete users
  • use unfiltered HTML

EDITOR is somebody who can publish and manage posts, including posts of other users. They can:

  • delete others’ pages & posts
  • delete pages & posts
  • delete private pages & posts
  • delete published pages & posts
  • create, edit and delete reusable blocks
  • edit others’ pages & posts
  • edit private pages & posts
  • edit published pages & posts
  • manage categories and links
  • moderate comments
  • publish pages & posts
  • read private pages & posts
  • use unfiltered HTML
  • upload files

AUTHOR is somebody who can publish and manage only their posts. They can:

  • delete posts
  • delete published posts
  • edit posts
  • edit published posts
  • read
  • upload files
  • create, read, edit and delete their own reusable blocks

CONTRIBUTOR is somebody who can write and manage their own posts, but cannot publish them (make them live). They can:

  • delete and edit posts
  • read
  • read reusable blocks

SUBSCRIBER is somebody who can only manage their profile. They can:

  • read

This assumes that no “user role editor” plugin is installed; with one, each user can be given a customized role with customized capabilities and permissions.

When you add WooCommerce to the mix

When WooCommerce is installed within the WordPress instance, you get a couple of additional roles & capabilities.

  • Shop Manager
  • Customer

SHOP MANAGER has the ability to run the operations side of the WooCommerce store without the ability to edit back-end functionality like files and code. They can also manage all settings within WooCommerce, create, edit and delete products, and access WooCommerce reports and analytics.

CUSTOMER is just that – a customer. They can create an account, edit their own account, and view past, current or subscription renewals.

WordPress & WooCommerce Security

A few tips and topics of discussion:

  • Go through periodic role reviews – especially of Administrators.
  • Only provide users with the access they NEED.
  • Limit the number of Administrators. Some vendors might request this level of access, but double-check to make sure they actually need it.
  • Enable 2FA (two-factor authentication).
  • Create a unique user ID for each and every person having access to the website.
  • Use strong passwords.
  • Perform regularly scheduled backups.
  • Never share login credentials – NEVER!
  • Consider installing Audit Log, or another plugin that tracks logins, logouts and other user activity, and make sure it actually retains those logs.
  • Use a cloud-based Web Application Firewall (WAF).
  • Consider Wordfence, or another type of WordPress firewall.
  • Monitor IP addresses and unusual activity.
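As an added example (not code from this guide or from WordPress itself), here is a small must-use plugin that supports the role-review and audit-log tips above: it emails the site’s admin address whenever any user is granted or stripped of the Administrator role, using the core `set_user_role`, `add_user_role` and `remove_user_role` hooks. The `example_` function name and the plugin header are assumptions; everything else is standard WordPress API.

```php
<?php
/**
 * Plugin Name: Administrator Role Change Alert (example)
 * Description: Emails the site admin address whenever a user gains or loses the Administrator role.
 * Install as a must-use plugin (wp-content/mu-plugins/) so it cannot be deactivated from the dashboard.
 */

// Fires from WP_User::set_role(); $old_roles is the array of roles held before the change.
add_action( 'set_user_role', 'example_alert_on_admin_change', 10, 3 );

// WP_User::add_role() / remove_role() fire these instead and only pass the single role touched.
add_action( 'add_user_role', function ( $user_id, $role ) {
    example_alert_on_admin_change( $user_id, $role, array() );
}, 10, 2 );
add_action( 'remove_user_role', function ( $user_id, $role ) {
    example_alert_on_admin_change( $user_id, '', array( $role ) );
}, 10, 2 );

// Hypothetical helper: report only when Administrator membership actually changes.
function example_alert_on_admin_change( $user_id, $new_role, $old_roles ) {
    $was_admin = in_array( 'administrator', (array) $old_roles, true );
    $is_admin  = ( 'administrator' === $new_role );
    if ( $was_admin === $is_admin ) {
        return; // Administrator membership did not change; nothing to report.
    }

    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user(); // ID 0 / exists() false when run from cron or WP-CLI
    $subject = sprintf(
        '[%s] Administrator role %s for %s',
        get_bloginfo( 'name' ),
        $is_admin ? 'GRANTED' : 'REMOVED',
        $user ? $user->user_login : "user #{$user_id}"
    );
    $body = sprintf(
        "User: %s (ID %d)\nChanged by: %s (ID %d)\nClient IP: %s\nTime (UTC): %s\n",
        $user ? $user->user_login : 'unknown', $user_id,
        $actor->exists() ? $actor->user_login : 'system / WP-CLI', $actor->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a',
        gmdate( 'Y-m-d H:i:s' )
    );

    wp_mail( get_option( 'admin_email' ), $subject, $body );
    error_log( $subject ); // also leave a line in the PHP error log for the audit trail
}
```

For the periodic review itself, `wp user list --role=administrator` (WP-CLI) prints the current Administrator accounts so you can compare them against who actually needs that access.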