If you want people to contribute articles to your WordPress website or blog, you must assign them roles that specify what they have permission to do. Go beyond the default roles available.
WordPress enables people to become members of a website or blog and when they or you create an account, they are assigned a role that defines what they are able to do. This is to protect your site from accidental or even malicious changes, like a user deleting content, changing the theme or plugins, or even removing users. They can’t do it when they are assigned a role with few permissions.
Users can be a Subscriber, Contributor, Author or Editor. Each of these roles defines what the user has permission to do on a website and they can prevent someone from seeing or using features you don’t want them to access.
Roles were briefly looked at in How to customise WordPress user roles with a plugin and How to use and customise user roles in WordPress. Here I want to go into a bit more detail about setting up roles to enable people to write for your website using Contributor and Author roles.
People can always email their article with the text and images in a zip or share an Office or GDocs file, but that involves you in a lot of work getting it into WordPress. Regular writers should have an account and write directly into WordPress.
The Subscriber role is the default that is assigned to new accounts at a WordPress website. It is the lowest of all roles with the fewest permissions. It has few uses and it cannot be used by someone wanting to write for your website or blog. They just don’t have permission.
Two roles are intended for writers and these are Contributor and Author. They have different permissions and Author has more than Contributor. However, neither of them is perfect and one has too few permissions to do the job properly and the other has too many, which is a worry and a risk. What you need to do is customize these roles so they have the permissions you want your writers to have.
Add contributors to your site
The Contributor role is useful for allowing people to write articles for your website. They may be regular writers or guest posters. You may have one or several people that write for your site and they can all be contributors. Either let a writer create their own account via the WordPress login page or go to Users and create an account for them.
- Go to Users and click their name to open the user account settings.
- Click the role, which is set to Subscriber by default.
- Select Contributor for someone who wants to write for your site.
Configure the Contributor role
WordPress provides no help or information as to what a Contributor can do on your website. To see, you need a role editor plugin and here, User Role Editor is used. There are other plugins that do a similar job, but this is the most popular.
Go to Plugins > Add New and enter ‘User Role Editor’ into the search box and install it, then activate it. Select Users > User Role Editor in the WordPress sidebar to access it.
- Select the role you want to see or change in this list: Contributor.
- Select All to see all the permissions for this role.
- Tick Granted Only to see only allowed permissions.
The edit_posts permission means that a Contributor can create and edit posts. The delete_posts permission means they can delete their posts. The read permission means they can read posts, as can subscribers and visitors to your site.
If you try this (create a test account and login yourself), you will find that a Contributor can create, edit and delete only the posts they write themselves. They cannot edit or delete anyone else’s, so your site’s content is protected from any accidental or malicious action on their part. This is the safest role to give writers.
There are no publishing permissions, so anything they write is hidden from the front end of your site and the public. Their posts become ‘pending review’ and you as admin, must publish them.
Once a post is published, a Contributor loses permission to edit or delete it. They can only do so before you publish it, such as to correct errors or perform rewrites for you. Anything published stays published and cannot be changed by a Contributor, even if they wrote it. This is to prevent any accidental or malicious changes.
The problem with a Contributor account is that writers can write an article, but they cannot add any pictures. Their posts are text-only. They can format them with headings, bullet lists, bold, italic and so on, but only text is permitted. No images.
This means extra work for you, adding images to the article before publishing it. It would be better if the Contributor could upload photos for their posts.
- Clear the Granted Only checkbox to see a list of every available permission.
- Tick the upload_files checkbox to enable image uploading.
This enables someone with the Contributor role to upload images to the media library and then insert them into their posts. Don’t forget to update and save the new permissions.
The delete_posts permission means that a Contributor can also delete any images they upload. They can only delete their own images, not ones you or anyone else uploads, so they cannot delete your site logo or images used in your site’s pages and posts or anything else in the media library.
Configure the Author WordPress role
Instead of making writers Contributors and then adding permissions, you could set them to the Author role and remove permissions. An Author has more permissions, including the ability to upload images. However, the WordPress Author role gives too many permissions, such as the ability to publish posts themselves without you ever having see them or check them.
Authors can also delete published posts and edit them, changing the contents even after they have gone live on your site. This only applies to their own posts and no-one else’s, but suppose you had a disagreement with an Author and they decided to leave, they could delete everything they had ever written for you. This is worrying and it must be prevented.
- Select the Author role in User Role Editor.
- Tick the checkbox, Granted Only.
- Clear delete_published_posts, edit_published_posts and publish_posts.
This means that posts are ‘pending’ when the Author has written them and only you as admin can publish them after you have checked they are OK. Once published, the Author cannot delete or edit their posts (or anyone else’s post). It is pretected from accidental or malicious changes.
If you look at the permissions that are left, Author now looks exactly the same as a Contributor. However, they are not the same and an Author still has more permissions, you just can’t see them.
Plugin permissions for WordPress roles
You probably have a bunch of plugins installed in your WordPress site and you don’t want writers fiddling around with them. A Contributor cannot see or access plugins, so this is useful where you do not fully trust a writer or if they are new and you don’t know them very well.
An Author can see and access plugins and this can be useful for people you trust. It is also a worry if you don’t trust them.
It completely depends on the plugin and here you can see that an Author on this site has several plugin permissions: aioseo_page_advanced_settings, aioseo_page_analysis, aioseo_page_general_settings and so on. What does this all mean?
In this case, aioseo… refers to the All In One SEO plugin. At the bottom of the WordPress post editor is a form to fill in for SEO information like the title, description, keywords, social shares and so on. The permissions checkboxes enable an Author to fill in the SEO information, which means one less task for you to do when publishing a post by a writer.
It is up to you whether you allow Authors to access plugins like this. It depends on the plugin and how much you trust your writers.
Whether a plugin shows up in the user role permissions is entirely up to the plugin. Some plugins, like All In One SEO do, but others don’t. I suggest you create an Author test account, log in and see what plugins and features you can access.
Which WordPress role is best for writers?
This is up to you. I would suggest starting writers with the modified Contributor role so they can write posts and include pictures. When you know a writer well, promote them to the modified Author role.
There is the even more powerful role of Editor and this has permission to do everything related to posts and pages. Only make a user Editor if you really trust them because you put your site’s content in their hands. An Editor has a lot of responsibility and can be useful if you have several Contributors and the Editor can check and publish their posts so you don’t have to do it.
It might be useful to create a Guest Writer account and give it the Contributor role. If someone wants to write a guest post for your site, give them the username and password for the Guest Writer account. When they have finished the post, change the password. It can then be used by the next guest poster.
WordPress account security
Always bear in mind that giving people user accounts on your website or blog reduces security, even when they only have limited roles like Contributor.
A hacker would love to have an account on your site because it makes their task easier. Permissions limit what people can do, but you should still check people out as best you can before giving them access.