Skip to main content

Roles and Permissions

WordPress employs a streamlined role-based permission system centered around five default user roles:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

These roles follow a hierarchical structure where each role inherits the capabilities of the roles below it while gaining additional permissions. This carefully designed system strikes a balance between simplicity and functionality, covering the vast majority of content management scenarios without unnecessary complexity.

Unlike Drupal, which emphasises custom role creation, WordPress takes a different approach by providing core roles with well-defined responsibilities that align with common publishing workflows. This eliminates the administrative overhead of creating and managing custom roles while still offering flexibility through plugins that can modify capabilities when needed. The WordPress philosophy of "decisions, not options" applies here - the default roles provide clear boundaries and responsibilities that make site management more intuitive, reduce permission conflicts, and improve overall security by limiting unnecessary access rights.

The five default roles create a clean separation of duties that accommodates typical content creation and management processes.

Reminder

In Drupal, some websites opted to have certain sections accessible only by a specific e-group. This functionality remains supported in WordPress, as does keeping the entire website behind CERN SSO. However, when managing roles and permissions, it is always important to critically evaluate why such separation is required. WordPress follows a trust-based permission model that differs from Drupal's compartmentalised approach. Consider that:

  1. a user with editing rights to any part of your site already has the ability to add or modify content in ways that could potentially compromise your site;
  2. entrusting a user with editing rights on one section implies a level of professional responsibility that should extend across the site;
  3. instead of technical barriers, clear editorial guidelines and workflows often better address content governance concerns;
  4. WordPress's built-in revision history tracks all changes by any user, allowing for quick identification of unauthorised edits and easy content restoration; and
  5. the audit trail provided by WordPress makes all users accountable for their actions across the entire site.

Rather than creating artificial barriers between content sections, we recommend leveraging WordPress's role-based system and focusing on proper editorial governance. Please refer to Managing Access for more information on implementing appropriate access controls in WordPress.

Public Content

Visibility: Accessible to everyone (logged-in users and visitors).

Editing Permissions:

  • Administrators: Can edit all public pages/posts.
  • Editors: Can edit all public pages/posts.
  • Authors: Can edit only their own public posts.
  • Contributors: Can create and edit their own posts but cannot publish them.
  • Subscribers: Cannot create or edit any content.

Private Content

Visibility: Hidden from the public, menus, search engines, and archives; only logged-in users with specific roles can view them.

Viewing Permissions:

  • Administrators: Can view all private pages/posts.
  • Editors: Can view all private pages/posts.
  • Authors: Can view only their own private posts (not pages).
  • Contributors: Cannot view private pages/posts.
  • Subscribers: Cannot view private pages/posts.

Editing Permissions:

  • Administrators: Can edit all private pages/posts.
  • Editors: Can edit all private pages/posts.
  • Authors: Can edit only their own private posts (not pages).
  • Contributors: Cannot edit any private content.
  • Subscribers: Cannot edit any private content.

Please note that private content can be made public at any time, and vice-versa.

Password-protected Content

Visibility: Accessible to anyone with the correct password.

Please note that password-protected content will appear in menus and search results, but requires a password to view.

Viewing Permissions:

Anyone with the password can view the content, regardless of their role (including non-logged-in users).

Editing Permissions:

  • Administrators: Can edit all password-protected pages/posts.
  • Editors: Can edit all password-protected pages/posts.
  • Authors: Can edit only their own password-protected posts (not pages).
  • Contributors: Cannot edit any password-protected content.
  • Subscribers: Cannot edit any password-protected content.

As with private and public content, the password protection policy can be changed at any time.

Missing use-case?

If you have a specific use-case not covered by the above selection of roles and permissions, please submit a ticket.