Chapter 19. Understanding WordPress Roles and Capabilities


  • Looking at WordPress roles and capabilities

  • Using the Role Manager plugin

WordPress has its own authentication system. It is organized in a series of permissions, called Capabilities, which are subsequently bundled into groups that are called Roles.

This chapter assesses the out-of-the-box Capabilities and Roles that WordPress provides, and presents an overview of how you might use or modify these Roles in an editorial or development workflow.


The WordPress Role and Capability system is due for an overhaul — something that seems to be on track for a WordPress 3.0 release.

Looking at WordPress Roles and Capabilities

The core of the WordPress permission and authentication system is Capabilities. The WordPress application programming interface (API) and internal permission structure that allows or disallows access to portions of the system uses Capabilities. For example, the delete_page capability is, as expected, used to determine whether an authenticated user has the permission to delete a page.

By default, the main user of a WordPress blog (usually with the username admin) is the Administrator. If you have other users, you can set their respective roles when you create their logins (see Figure 19.1), or on their user profile (see Figure 19.2). If you allow anyone to sign up for an account, you can set the default role on the General Settings page.

Figure 19.1. When creating users manually, you can designate the ...

Get WordPress® Bible now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.