If you’ve ever logged into your WordPress site and clicked on “Users” in the sidebar, you’ve probably seen a list of people with different labels next to their names – Administrator, Editor, maybe Author.
These are WordPress user roles. They’re permission levels that control what someone can and can’t do on your website.
Understanding WordPress user roles isn’t just about keeping things organised. It’s a fundamental security practice that most business owners completely overlook. Your website’s security is only as good as the weakest user account – and if you have people with Administrator access when they don’t need it, you’re creating unnecessary risk.
In this article, I’ll explain what each WordPress user role actually does, then we’ll talk about the security problems I see regularly when I log into existing client sites.
The five default WordPress user roles
WordPress comes with five built-in user roles. Each one has different permissions – what they can see, what they can edit, what they can change.
Administrator
What they can do: Everything. Complete control.
Administrators can install and delete plugins, add and remove users, change any site settings, delete the entire website if they want to. There’s no part of your WordPress site an Administrator can’t access or modify.
When to use it: Your business owner, and maybe one other highly trusted person who needs full access. That’s it.
Most business websites should have one or two Administrator accounts maximum. If you’ve got five people with admin access, you’ve got a problem.
Editor
What they can do: Publish and manage all content – posts, pages, media files. Editors can create, edit, publish and delete any content on your site, whether they created it or someone else did.
What they can’t do: Install or delete plugins, manage users, change site settings, modify themes.
When to use it: Staff members who manage your website content regularly. Marketing coordinators, content managers, anyone who needs to update pages and publish blog posts.
For most businesses, Editor is the right level for anyone managing day-to-day content. They can do their job without having access to site-critical settings.
Author
What they can do: Write, edit, publish and delete their own posts. Authors can also upload images and files to use in their own content.
What they can’t do: Edit other people’s posts, manage pages, access site settings, or touch anything created by someone else.
When to use it: Multiple people contributing blog content who don’t need to see or edit each other’s work.
This role is less common on business websites unless you have several people writing blog posts independently.
Contributor
What they can do: Write posts and submit them for review.
What they can’t do: Publish their own posts, upload files, edit published content, or really do much of anything except draft content and submit it.
When to use it: Guest writers, occasional contributors, or anyone whose content needs approval before it goes live.
Again, not commonly needed for most business websites, but useful if you want content oversight.
Subscriber
What they can do: Log in and manage their own profile. That’s it.
What they can’t do: Create, edit or publish any content. Can’t see the WordPress dashboard beyond their profile page.
When to use it: Membership sites, private content areas where people need accounts to access restricted content.
For most business websites: You don’t need this role at all. If your site isn’t a membership platform or community site, you probably won’t use Subscriber accounts.
The security problem: unneeded Administrators
Here’s what I see almost every time I log into an existing client’s WordPress site: three, four, sometimes five Administrator accounts.
When I ask about them, the response is usually: “Oh, I think that was our old web guy,” or “That might be from when Sarah worked here – she left two years ago,” or “I have no idea who that is.”
This is a massive security risk that most business owners don’t think about.
Your website is only as secure as the weakest user account. It doesn’t matter how strong your password is, how often you update WordPress, or how good your security setup or plugin is if someone who shouldn’t have access anymore can still log in as an Administrator.
Why this happens
It’s not malicious. It’s just careless.
Someone builds your site – they get admin access. Makes sense.
Your marketing person needs to update a page – they get admin access because it’s easiest.
You hire a contractor to fix something – they get admin access because you don’t know what else to give them.
A staff member leaves – nobody thinks to delete their account.
Over time, you end up with multiple Administrator accounts, most of which belong to people who don’t need that level of access or shouldn’t have access at all anymore.
The risk
Every one of those accounts is a potential way in for someone who shouldn’t be there.
- Former staff members who still have access years later
- Previous web developers you’re not working with anymore
- Contractors who completed one job last year and never logged in again
- Accounts using weak passwords like “BusinessName2024!”
- Shared logins where multiple people know the password
- Old accounts tied to email addresses that could be compromised
I’ve seen it all. And the scary part is, most business owners have no idea these accounts even exist until someone points it out.
The human factor… your weakest link
The truth is, your website’s security isn’t just about technology. It’s about people.
You can have the best security setup in the world, but if your marketing manager is using “Password123” or your ex-employee from 2021 still has administrator access, you’re vulnerable.
Weak passwords on administrator accounts
I see this constantly – Administrator accounts with passwords like variations of the business name, simple dictionary words, or passwords that have been shared with multiple people over time.
If someone has Administrator access and their password is easy to guess or their email gets compromised, that’s game over for your website security.
Shared logins
Multiple people sharing one admin account. It happens more than you’d think, usually because someone left and instead of creating a new account for their replacement, the new person just got the old password.
Problem is, now you don’t know who’s logging in when, and if that shared password gets out, you don’t know who to blame or how to fix it.
Old accounts nobody remembers
The dormant administrator account is the most common security problem I encounter. Someone had access once, they don’t anymore (or they’ve left the company), and the account just sits there.
Nobody thinks about it. Nobody’s actively using it. But it’s there, and if someone wanted to get into your site, that forgotten account is an easy target.
What you should actually do
Right. Let’s fix this.
1. Audit your users right now
Go into your WordPress dashboard and click “Users” in the left sidebar.
Look at every single account listed there – especially anyone with “Administrator” level access.
Ask yourself:
- Do they still work here?
- Do they still need access?
- Do they actually need Administrator level, or would Editor be fine?
- When was the last time they logged in?
If the answer to any of these is “I don’t know” or “probably not” – that account needs attention.
2. Delete old accounts
Anyone who doesn’t need access anymore? Delete their account.
Important note for WordPress: When you delete a user, WordPress will ask what to do with their content. Always choose “Attribute all content to” and select yourself or another current user.
Do not choose “Delete all content” unless you’re absolutely certain they haven’t created anything you want to keep. I’ve seen businesses accidentally lose blog posts, page content, and custom templates by making this mistake.
3. Downgrade access where possible
Look at the people who do still need access. Do they really need Administrator?
If someone’s job is updating pages and managing blog posts, they need Editor access. Not Administrator.
The principle is simple: give people the minimum access level they need to do their job. Nothing more.
4. Set up properly going forward
When you hire a web developer or contractor:
- Ask them what access level they actually need
- Give them only that level
- Remove their access when the project is done
When staff leave:
- Delete their account immediately
- Don’t let it sit there “just in case”
Regular reviews:
- Check your Users list every 6-12 months
- Clean up anything that shouldn’t be there
- Update access levels as roles change
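Steps 1 to 4 can be applied mechanically to an exported user list. The script below is an added example, not part of this article: it reads a constructed CSV in the shape of a `wp user list --format=csv` export, plus a `last_login` column that is assumed to come from a login-tracking plugin (WordPress core does not record last logins), and decides per account whether it should be deleted, downgraded to Editor, reviewed, or left alone. The staff list and the “needs admin” list are assumptions you would replace with your own.

```python
"""Audit a WordPress user export against steps 1-4 (constructed example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: hypothetical accounts, not real data.
USER_EXPORT = """\
ID,user_login,user_email,user_registered,roles,last_login
1,owner,owner@example.com,2019-03-02 10:00:00,administrator,2024-05-30 08:12:00
2,webguy,dev@old-agency.example,2019-03-02 10:05:00,administrator,2022-01-14 17:40:00
3,sarah,sarah@example.com,2020-06-11 09:00:00,administrator,2022-08-01 12:00:00
4,marketing,marketing@example.com,2023-02-20 14:30:00,administrator,2024-05-29 16:03:00
5,guestwriter,guest@example.com,2023-11-05 11:00:00,contributor,
"""

# Assumed answers to "do they still work here?" and "do they need Administrator?".
CURRENT_STAFF = {"owner@example.com", "marketing@example.com", "guest@example.com"}
NEEDS_ADMIN = {"owner@example.com"}
DORMANT_AFTER = timedelta(days=180)   # flag accounts unused for six months
AUDIT_DATE = datetime(2024, 6, 1)     # fixed "today" so the run is reproducible


def audit_users(export_csv, today, current_staff=CURRENT_STAFF, needs_admin=NEEDS_ADMIN):
    """Return {user_login: action}, action being delete, downgrade, review or ok."""
    actions = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        email, roles, last = row["user_email"], row["roles"].split(","), row["last_login"]
        if email not in current_staff:
            actions[row["user_login"]] = "delete"      # step 2: no longer needs access
        elif "administrator" in roles and email not in needs_admin:
            actions[row["user_login"]] = "downgrade"   # step 3: Editor is enough
        elif not last or today - datetime.fromisoformat(last) > DORMANT_AFTER:
            actions[row["user_login"]] = "review"      # step 1: dormant or never logged in
        else:
            actions[row["user_login"]] = "ok"
    return actions


def admins_remaining(export_csv, actions):
    """Administrators left once deletes and downgrades are done; aim for one or two."""
    return sum(1 for row in csv.DictReader(io.StringIO(export_csv))
               if "administrator" in row["roles"].split(",")
               and actions[row["user_login"]] in ("review", "ok"))


if __name__ == "__main__":
    result = audit_users(USER_EXPORT, AUDIT_DATE)
    for login, action in result.items():
        print(f"{login:12} {action}")
    print("administrators remaining:", admins_remaining(USER_EXPORT, result))
```

Deleted accounts should still have their content reattributed to a current user, exactly as step 2 describes; this script only decides what to do, it does not change the site.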
5. Improve password security
Everyone with Administrator or Editor access should be using strong, unique passwords. Not variations of your business name, not simple words, not passwords they use for other things.
If your hosting or security setup supports two-factor authentication, enable it for all admin accounts.
The bottom line
Understanding WordPress user roles isn’t complicated, but it matters.
Most business websites should have one, maybe two Administrator accounts. Everyone else managing content should be an Editor or Author at most. And if someone doesn’t need access anymore – for any reason – delete their account.
Your website’s security depends on this. It’s not about fancy plugins or expensive security services. It’s about basic access control and not giving more people more access than they actually need.
Go check your Users section today. I wouldn’t be surprised if you find at least one account that shouldn’t be there.
If you need help auditing your WordPress site or cleaning up access properly, get in touch. This is exactly the kind of thing I help business owners fix to keep their site safe and secure.
