Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Add or Remove Capabilities to User Roles in WordPress

Do you want to add or remove capabilities to user roles in WordPress?

WordPress comes with a simple but powerful user management system where each user has different capabilities based on their assigned roles.

In this article, we’ll show you how to add or remove capabilities to user roles in WordPress.

Customing user role permissions in WordPress

Why Add or Remove User Role Capabilities in WordPress

WordPress comes with a built-in user management system plus some ready-made user roles and permissions.

For example, as an Admin you can perform any action on your WordPress website. This includes adding new users and authors, deleting content, installing WordPress themes, and much more.

If you run a multi-author WordPress blog, then you can add other people to your site and give them roles such as Editor, Author, or Contributor. This lets them do different things on your website, but they can’t perform administrative tasks.

Users with different roles on a WordPress website

WordPress also comes with a Subscriber role that allows users to log into your site and edit their own profile.

Some WordPress plugins add their own user roles with custom permissions. For example, eCommerce plugins may create a user role for customers, or a membership plugin might add a custom Member role to your site.

But what if you want to edit the user roles in WordPress?

You might want to make your site more secure by removing unnecessary permissions from certain roles. For example, you may want to remove publishing permission from the Author user role.

Or you might give Authors the power to edit each other’s posts by giving them extra permissions. This can reduce your workload as the site admin.

That being said, let’s take a look at how to easily modify user role capabilities and even add new user roles to your WordPress website.

Add / Remove User Role Capabilities in WordPress

The easiest way to edit user permissions in WordPress is by using the Members plugin. Using this plugin, you can change the permissions for every user role, and even create completely new roles.

The first thing you need to do is install and activate Members. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, go to the Members » Roles page to see all the different user roles on your WordPress website.

Changing the user roles and permissions in WordPress

Now, hover your mouse over the user role that you want to modify.

You can then go ahead and click on ‘Edit’ when it appears, which opens the user role editor.

Editing a user role in WordPress using Members

The left column shows all the different types of content such as reusable blocks and WooCommerce products.

Simply click on a tab and you’ll see all the permissions for that content type.

Edit capabilities

You can add or remove permissions by checking the Grant or Deny boxes.

For instance, if you want to stop Authors from publishing blog posts, then you need to select the ‘Posts’ tab in the left-hand column.

Then, just check the ‘Deny’ box next to the ‘Publish Posts’ option.

Remove capability

Similarly, you can give a user role extra permissions. For instance, let’s suppose you want Authors to be able to moderate comments.

Simply click on the ‘General’ tab and then check the ‘Grant’ box next to the ‘Moderate Comments’ option.

Add capability

To add or remove more permissions, simply follow the process described above.

When you’re happy with how the user role is set up, click ‘Update’ to save your changes.

Adding or removing permissions in WordPress

You can now repeat the process to edit the other roles on your WordPress blog.

Adding A New User Role with Custom Permissions

The Members plugin also lets you add new user roles to your website.

Let’s image you’ve created a ‘Movies’ custom post type and want to let some users submit movie reviews, without giving them access to your entire site.

To create a custom user role, simply go to Members » Add New Role.

Adding a custom user role to your website

To start, you’ll need to type in a title for the new role.

This will appear next to each user’s name in the Users » All Users page and other areas of the WordPress dashboard, so it’s a good idea to use something that helps you clearly identify the role.

Giving a custom user role a title

After that, you can start adding permissions to the new role by checking the different boxes.

When you’re happy with how the custom role is set up, click on the ‘Add Role’ button to save your changes. Now, you will be able to assign this custom role to new users.

You can also add the new role to any existing user’s account.

To do this, go to Users » All Users. Then, hover over the user that you want to modify and click on the ‘Edit’ link when it appears.

Assigning a new role to a WordPress user

Once you’ve done that, scroll to ‘Roles’ and check the box next to the role you just created.

You can assign multiple roles to the same user, as you can see in the following image.

Adding multiple roles to a user

Once you’ve finished, don’t forget to scroll to the bottom of the screen and click on ‘Update User’ to save your changes.

Securely Managing User Accounts in WordPress

By adding and removing capabilities, you can control what users can do on your website. This helps to keep your site safe, but extra users are still a vulnerability that hackers can exploit.

With that in mind, here’s some tips on how to protect your WordPress site from brute force attacks and other hacks.

1. Force Everyone to Use Strong Passwords

WordPress comes with a built-in password generator that can automatically create strong passwords for your users.

However, many people skip the password generator. That being said, it’s a good idea to force people to use a strong password generator.

For more information, see our guide on how to force strong passwords on users in WordPress.

2. Enforce Two-Step Authentication

Some hackers use automated scripts to try and guess the user’s name and password.

Two-step authentication can protect your site against automated attacks by requiring users to enter a one-time code in addition to their password.

Users typically generate this code using an authenticator app on either their computer or phone. In order to break into their account, a hacker would need access to the user’s password plus their computer or phone. This makes your site much more secure.

For more details, see our guide on how to add two-step authentication in WordPress.

3. Install a WordPress Security Plugin

WordPress security plugins help protect your website by watching for suspicious activity and login attempts. We recommend Sucuri, which is the best WordPress security plugin on the market and filters out bad traffic even before it reaches your server.

4. Install and Setup a WordPress Backup Plugin

If all else fails, then backups make it easy to restore your website and all of your user accounts. Most WordPress hosting companies offer a basic backup option, but you often need to configure, create, and maintain your site’s backups manually.

A good backup plugin will allow you to schedule automatic backups, so you have more time to concentrate on running your site and growing your business.

We recommend using UpdraftPlus. It is beginner friendly and allows you to quickly setup automatic backups and store them on remote locations including Google Drive, Amazon S3, and DropBox.

For step-by-step instructions, see our guide on how to how to backup and restore your WordPress site with UpdraftPlus.

We hope this article helped you learn how to add or remove capabilities to user roles in WordPress. You may also want to see our guide on how to install Google Analytics in WordPress, or our comparison of the best business phone services for small business.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Reader Interactions

29 CommentsLeave a Reply

  1. Hi, I thought users were subscribers to my newsletter. I have 7000+. Can I import them to my mailchimp?

  2. This article is very old. Is Capability Manager Enhanced still the WP-Beginner recommended plugin for managing user roles? Thanks!

  3. I really like this plugin.really helped me.but there is a problem.I want to show author my only one plugin setting.and in your pllugin Capability Manager Enhanced i cannot see my plugin option here.I there any solution?

  4. Just wondering, I want my Authors to be able to create posts, and the STATUS of these posts will automatically be: Pending Review OR Draft.
    I want the posts made by Authors to be verified and approved by Editor who can publish.

    Is this possible with this app?
    If so how pls?

  5. If a user cannot see everything in the admin menu is there a way they can use only one of the features? For instance, I’d like them to only be able to backup their website. Is there a way to add that to a role?

  6. I would like to grant access to a subscriber ONLY to the entries of a specific gravity form on my site to read live and export but not edit the form or the settings and/ or be able to view any other backend admin areas.

    The data input into the form is needed as well as the files that will uploaded on the form submission.by the subsciber. I am trying to find a secure way to give access for a designated period of time. I have one web site and it is Not set up for multi site functions

    Please advise. Any direction would be greatly appreciated.

  7. any chance you release or test it for 3.9.2 and higher? 3.7.1 is more than 10months old. so you nice plugin wont be used anymore if its a risk to use.

  8. I’m the admin of a blog . I have a author also . I disabled publish for author so that i can review posts before publishing but , as author click on submit for review , i am not getting any notification to review that ? Pls Help

  9. Dear Sirs,

    Thanks by the post!

    I have this plugin installed, is there a way to make the subscribers upload images, and see just their images?

    Now subscribers here just can edit their profile and upload images, but they can see other images of gallery too.. I think it is better to them see just their images….

    Thanks and Regards,

    Tony

  10. How about adding and removing permissions for installed plugins and specific menu items in the left WP navigation?

    • Hi. I am interested in finding out that as well.

      How do you give access to a new plugin/menu option eg. Calendar / staffing

      thanks

  11. I think that Justin Tadlock’s Members is a far more comprehensive (read: useful) plugin than the one featured in this article

    • Piet I have to agree. The Members plugin lays it all out and as an admin all you have to do is check/uncheck permission boxes. So far, so good for me.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.