WPBeginner - WordPress Tutorials for Beginners

Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Add or Remove Capabilities to User Roles in WordPress

Last updated on by Editorial Staff | Reader DisclosureDisclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

Shares 215 Share Facebook Messenger WhatsApp

Do you want to add or remove capabilities to user roles in WordPress?

WordPress comes with a simple but powerful user management system. Each user has capabilities based on the roles they are assigned.

In this article, we’ll show you how to modify user roles in WordPress by adding or removing capabilities from user roles.

Customing user role permissions in WordPress

Why Add or Remove User Role Capabilities in WordPress

WordPress comes with a built-in user management system and some predefined user roles and permissions.

As an Administrator, you have the ability to perform any action on your WordPress website. For instance, you can add or remove new users, install plugins and themes, delete content, and more.

If you run a multi-author WordPress blog, then you can add other users with Editor, Author, or Contributor user roles. This gives them user role permissions to add new content, but they cannot do administrative tasks.

WordPress also comes with a Subscriber role so users can log in to your site and manage their profiles.

Users with different roles on a WordPress website

Similarly, WordPress plugins can also create user roles with custom permissions. For example, eCommerce plugins can create a user role for customers with specific custom permissions, or a membership plugin can create its own custom user roles for members.

But what if you wanted to give a user role certain extra permissions or take away some existing permissions?

For instance, you may want to take away publishing permission from the Author user role, or allow Authors to edit other user’s blog posts.

What if you wanted to create a totally custom user role with limited capabilities?

That being said, let’s take a look at how to easily modify user role capabilities in WordPress and create custom user roles with specific permissions.

Add / Remove User Role Capabilities in WordPress

The first thing you need to do is install and activate the Members plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Members » Roles page and click on the Edit link below the user role that you want to modify.

Edit user role

This will open the user role editor where you will see different sections in the left column and available capabilities to the right.

Edit capabilities

You’ll notice two checkboxes to Grant or Deny the permission next to each capability.

If a user role is granted permission that you want to take away, then you need to uncheck the Grant option and check the Deny box.

For instance, if you want to prevent the Author user role from publishing blog posts, then you need to switch to the Posts section and then check the Deny box next to the ‘Publish Post’ option.

Remove capability

Similarly, you can also give additional capabilities to a user role.

For instance, let’s suppose you want to allow users with the Author user role to be able to moderate comments as well. By default, the Author user role does not give users permission to moderate comments.

To do that, you need to switch to the ‘General’ section and check the Grant box next to the Moderate Comments option.

Add capability

Don’t forget to click on the ‘Update’ button to save your changes after you are done modifying a user role.

You can now create a new user account with that particular user role and log in to make sure that your customized permissions are working as you intended.

Adding A New User Role with Custom Permissions

The plugin also allows you to create custom user roles where you can select which permissions and capabilities the role would give to the users.

Let’s suppose you have a ‘Movies’ custom post type on your website and you want some users to be able to add movie reviews there. However, you don’t want them to edit any other section.

To do this you’ll need to create a custom user role.

Simply go to Members » Add New Role page. First, you need to provide a title for the custom user role.

New custom user role

After that, you can switch to the section where you want to grant the user the capabilities. For instance, we have a section called Movies for our custom post type on our test site.

There you can give users the permissions to edit and publish content for that post type.

After that, you can review other sections too and see if you want to give users capabilities to do anything else on your site.

Once you are finished, don’t forget to click on the Add Role button to save your changes.

You can now add a new user to your website and assign them the custom user role you just created.

User with custom role

After that, you can log in with that new user account to make sure that everything is working fine. Here is what our custom user role dashboard looked like:

Custom user role dashboard

Securely Managing User Accounts in WordPress

Customizing WordPress user roles and permissions allows you to control user access to the admin area of your WordPress website.

However, it also opens up your site to hacking attempts and vulnerabilities. Following are a few things that you can do to make sure that only users with access can securely log in to your WordPress website.

1. Enforce Strong Passwords

WordPress includes a strong password generator by default, but users can skip it. You can add a password policy manager to ensure all users are using a strong password.

2. Enforce Two-Step Authentication

Two-step authentication asks users to enter a one-time code to login to their account in addition to their password. Users can generate this code via an authenticator app on their computers or phone.

For more details, see our guide on how to add two-step authentication in WordPress.

3. Install a WordPress Security Plugin

WordPress security plugins help protect your website by monitoring it for suspicious activity and login attempts. We recommend using Sucuri, which is the best WordPress security plugin on the market.

We hope this article helped you learn how to add or remove capabilities to user roles in WordPress. You may also want to see our guide on how to get a free email domain, or our comparison of the best business phone services for small business.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Popular on WPBeginner Right Now!

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Download Now

Reader Interactions

29 CommentsLeave a Reply

  3. Hi, I thought users were subscribers to my newsletter. I have 7000+. Can I import them to my mailchimp?

    Reply

  4. This article is very old. Is Capability Manager Enhanced still the WP-Beginner recommended plugin for managing user roles? Thanks!

    Reply

  5. I really like this plugin.really helped me.but there is a problem.I want to show author my only one plugin setting.and in your pllugin Capability Manager Enhanced i cannot see my plugin option here.I there any solution?

    Reply

  6. Just wondering, I want my Authors to be able to create posts, and the STATUS of these posts will automatically be: Pending Review OR Draft.
    I want the posts made by Authors to be verified and approved by Editor who can publish.

    Is this possible with this app?
    If so how pls?

    Reply

  7. If a user cannot see everything in the admin menu is there a way they can use only one of the features? For instance, I’d like them to only be able to backup their website. Is there a way to add that to a role?

    Reply

  9. I would like to grant access to a subscriber ONLY to the entries of a specific gravity form on my site to read live and export but not edit the form or the settings and/ or be able to view any other backend admin areas.

    The data input into the form is needed as well as the files that will uploaded on the form submission.by the subsciber. I am trying to find a secure way to give access for a designated period of time. I have one web site and it is Not set up for multi site functions

    Please advise. Any direction would be greatly appreciated.

    Reply

  14. any chance you release or test it for 3.9.2 and higher? 3.7.1 is more than 10months old. so you nice plugin wont be used anymore if its a risk to use.

    Reply

  15. I’m the admin of a blog . I have a author also . I disabled publish for author so that i can review posts before publishing but , as author click on submit for review , i am not getting any notification to review that ? Pls Help

    Reply

  16. Dear Sirs,

    Thanks by the post!

    I have this plugin installed, is there a way to make the subscribers upload images, and see just their images?

    Now subscribers here just can edit their profile and upload images, but they can see other images of gallery too.. I think it is better to them see just their images….

    Thanks and Regards,

    Tony

    Reply

  18. How about adding and removing permissions for installed plugins and specific menu items in the left WP navigation?

    Reply

    • Hi. I am interested in finding out that as well.

      How do you give access to a new plugin/menu option eg. Calendar / staffing

      thanks

      Reply

  20. I think that Justin Tadlock’s Members is a far more comprehensive (read: useful) plugin than the one featured in this article

    Reply

    • Piet I have to agree. The Members plugin lays it all out and as an admin all you have to do is check/uncheck permission boxes. So far, so good for me.

      Reply

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Featured in

Copyright © 2009 - 2022 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress Security by Sucuri.

I need help with…

Popular searches:

Starting a
Blog WordPress
SEO WordPress
Performance WordPress
Errors WordPress
Security Building an
Online Store