How to Add New Users to WordPress: A Complete Guide to Roles, Permissions, and User Management
WordPress user management is one of the most consequential administrative tasks on any multi-author or team-driven site. Adding a new user incorrectly — wrong role, weak password policy, no email verification — can expose your site to privilege escalation, content sabotage, or unauthorized plugin installations. This guide walks through every step of the process with the technical precision that separates a well-governed WordPress installation from a vulnerable one.
Direct answer: To add a new user in WordPress, navigate to Users > Add New in your admin dashboard, complete the username, email, and password fields, assign a role from the built-in role hierarchy, and click Add New User. The user receives a notification email if that option is checked. The entire process takes under two minutes — but choosing the correct role and enforcing a strong credential policy requires deliberate judgment.
Why User Management Architecture Matters
WordPress ships with a role-based access control (RBAC) model. Every capability on the platform — publishing posts, installing plugins, managing options — is a discrete permission flag. Roles are simply named bundles of those capability flags. When you assign a role to a user, you are granting or denying dozens of individual capabilities simultaneously.
This matters operationally because:
- Over-privileged users are the leading cause of accidental or malicious site-breaking changes.
- Under-privileged users create workflow bottlenecks, forcing administrators to manually publish every piece of content.
- Orphaned accounts — users who no longer need access — are a persistent attack surface, especially on shared environments.
If your WordPress site runs on a VPS Hosting environment, you have the additional responsibility of aligning WordPress-level user permissions with server-level access controls. A WordPress Administrator role does not grant SSH or database access, but an attacker who compromises an Administrator account can upload a malicious plugin that does.
Step 1: Access the WordPress Admin Dashboard
Navigate to your site's login page:
https://yourdomain.com/wp-admin/
Authenticate with your administrator credentials. If you have two-factor authentication (2FA) enabled via a plugin such as Wordfence or Google Authenticator, complete that challenge before proceeding.
Security note: If you are managing WordPress on a server you control, consider restricting /wp-admin/ access by IP address at the web server level. On Nginx this is a simple allow/deny block; on Apache, an .htaccess directive. This is a defense-in-depth measure that operates entirely outside WordPress's own authentication layer.
Step 2: Navigate to Users > Add New
In the left-hand navigation panel, hover over Users. The flyout submenu exposes two options: All Users and Add New. Click Add New.
You can also reach this screen directly via:
https://yourdomain.com/wp-admin/user-new.php
Bookmarking this URL is useful for site administrators who add users frequently.
Step 3: Complete the New User Form
The Add New User form contains several fields. Some are mandatory; others are optional but operationally significant.
Username
The user_login field stored in wp_users. This value is permanent — WordPress provides no native UI to rename a user after creation. Choose a username that:
- Does not expose the user's role (avoid admin, editor1, webmaster).
- Is not identical to the site's primary admin account username, which is a common brute-force target.
- Follows a consistent internal naming convention (e.g., firstname.lastname or f.lastname).
If you later need to rename a user, you must either use a plugin (Username Changer) or execute a direct database query:
UPDATE wp_users SET user_login = 'new_username' WHERE user_login = 'old_username';
Email Address
WordPress sends the welcome notification and all system emails to this address. It also serves as the account recovery mechanism. Ensure the address is:
- A deliverable mailbox the user actively monitors.
- Unique across your wp_users table — WordPress enforces this at the application level.
If your organization runs its own mail infrastructure, consider pairing WordPress with a dedicated Email Hosting solution to ensure reliable transactional email delivery and avoid welcome messages landing in spam.
First Name, Last Name, Website
These fields populate wp_usermeta and are entirely optional. They appear in author bylines and profile pages. For internal team members, populating them improves audit trail readability in the All Users view.
Password
WordPress auto-generates a cryptographically strong password using wp_generate_password(). The default entropy is high. You have two choices:
- Accept the generated password and let the welcome email deliver it to the user, who should change it on first login.
- Set a custom password by clicking Show Password and typing a replacement. If the custom password is weaker than WordPress's strength heuristic, a confirmation checkbox appears warning you explicitly.
Do not set trivial passwords for new accounts, even temporarily. There is no "temporary password" enforcement in core WordPress — a weak password set at creation remains weak until the user changes it. For enforced password policies, use a plugin like Password Policy Manager or implement server-side rules.
Send User Notification
When checked, WordPress dispatches a new_user_notification email containing the login URL and the generated password (or a password reset link, depending on your WordPress version and configuration). Leave this checked unless you are provisioning accounts in bulk and plan to communicate credentials through a secure out-of-band channel.
Step 4: Assign the Correct User Role
This is the highest-stakes decision in the entire process. WordPress's five built-in roles form a strict capability hierarchy.
WordPress User Role Comparison Table
| Role | Publish Own Posts | Edit Others' Posts | Manage Plugins/Themes | Manage Users | Access Settings |
|---|---|---|---|---|---|
| Administrator | Yes | Yes | Yes | Yes | Yes |
| Editor | Yes | Yes | No | No | No |
| Author | Yes | No | No | No | No |
| Contributor | No (draft only) | No | No | No | No |
| Subscriber | No | No | No | No | No |
Role Definitions and Practical Assignment Guidelines
Administrator
Holds the manage_options, install_plugins, edit_themes, delete_users, and approximately 60 additional capability flags. Granting this role to anyone other than a trusted technical owner is a significant security risk. On a production site, the number of Administrator accounts should be the minimum necessary — typically one or two.
Editor
The correct role for content managers, managing editors, and senior writers who need cross-author oversight. Editors can publish, edit, and delete any post or page regardless of authorship. They cannot touch plugins, themes, or site settings. This role strikes a practical balance between editorial authority and system security.
Author
Appropriate for regular contributors who own their content end-to-end. Authors can upload media, publish their own posts, and delete their own published content. They have no visibility into other users' drafts. A key nuance: Authors can delete their own published posts, which is sometimes surprising to site owners who expect published content to be immutable.
Contributor
The safest role for new or untrusted writers. Contributors can draft posts and submit them for review, but the Publish button is replaced with a Submit for Review button. They cannot upload images directly to the Media Library — a significant workflow friction point that many site owners overlook. If your editorial workflow depends on image-rich content, Contributors will need an Editor to handle media uploads, or you will need a plugin that extends their media capabilities.
Subscriber
Grants access to the WordPress dashboard solely for profile management. Used for membership sites, gated content platforms, or forums where registration is required to comment or access restricted pages. Subscribers generate no content and have no administrative surface area.
Custom Roles and Capability Extensions
The five built-in roles cover most use cases, but complex sites often require granular customization. The add_role() and add_cap() functions in the WordPress API allow developers to create custom roles or augment existing ones programmatically. Plugins like Members or User Role Editor expose this functionality through a UI without requiring code.
Example of adding a custom capability to the Editor role via functions.php:
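function add_custom_editor_caps() {
    $role = get_role( 'editor' );
    // get_role() returns null if the role has been removed; avoid a fatal error.
    if ( null === $role ) {
        return;
    }
    // add_cap() writes to the database, so the grant persists until remove_cap() is called.
    $role->add_cap( 'manage_categories' );
}
add_action( 'admin_init', 'add_custom_editor_caps' );
Step 5: Submit the Form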
Once all fields are complete and the role is selected, click the Add New User button at the bottom of the form. WordPress will:
- Insert a new row into wp_users.
- Populate corresponding metadata in wp_usermeta (role, first name, last name, etc.).
- Dispatch the notification email if that option was checked.
- Redirect you to the All Users screen with a success notice.
If you receive an error stating the username or email already exists, WordPress found a collision in wp_users. Use a unique identifier or query the database to investigate duplicate accounts.
Step 6: Verify the Welcome Email and First Login
After account creation, confirm the user received the notification email. Common failure points include:
- WordPress sending from a wordpress@yourdomain.com address that has no valid SPF or DKIM record, causing the message to be filtered as spam.
- Shared hosting environments where the PHP mail() function is throttled or blocked.
The robust fix is to configure WordPress to send email via SMTP using an authenticated relay. Install a plugin like WP Mail SMTP and connect it to a transactional email service (SendGrid, Mailgun, Postmark) or your own SMTP server. If your hosting environment supports it, pairing this with a proper SSL Certificates setup ensures the SMTP connection is encrypted and the domain's identity is verifiable.
Managing Existing Users
Navigate to Users > All Users for a full account inventory. This screen supports:
- Bulk role changes via the dropdown above the user list — select multiple users, choose a new role, and apply.
- Individual profile editing — click a username to open the full profile editor, where you can change the role, reset the password, or update contact information.
- Account deletion — WordPress prompts you to either delete the user's content or reassign it to another user. Always choose Attribute all content to and select an active account. Deleting content on user removal is irreversible.
- Filtering by role — the role links at the top of the table (All | Administrator | Editor | Author | Contributor | Subscriber) let you audit each tier independently.
Auditing and Hardening User Accounts
Beyond the core UI, a production WordPress installation should implement the following:
- Enforce 2FA for all Administrator and Editor accounts using a plugin like WP 2FA or Wordfence Login Security.
- Log user activity with a plugin like WP Activity Log to maintain an audit trail of logins, role changes, and content modifications.
- Disable the default admin username if it exists. Rename it via the database query shown earlier or create a new Administrator account and delete the admin account.
- Set session expiration using the auth_cookie_expiration filter to limit how long an authenticated session persists without re-authentication.
- Review user accounts quarterly. Dormant accounts — especially those with Author or Editor roles — should be deactivated or deleted.
If your WordPress installation runs on a Dedicated Server, you have full control over the underlying MySQL instance. Periodically query wp_users and wp_usermeta directly to cross-reference active WordPress accounts against your expected team roster:
-- The meta_key carries the table prefix; adjust 'wp_capabilities' if your prefix is not wp_.
SELECT u.user_login, u.user_email, m.meta_value AS role
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;
This query surfaces every account and its assigned role, making it straightforward to identify orphaned or over-privileged accounts that the WordPress UI might obscure in a large user list.
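The role column returned by this query is a PHP-serialized array (for example a:1:{s:13:"administrator";b:1;}), so a roster comparison has to decode it first. The following is an added example, not part of the original guide: it parses exported rows and flags accounts that are off the roster or hold more than the roster expects. The roster, the sample rows, and the function names are constructed for illustration.

```python
import re

# Matches each granted entry in a PHP-serialized capabilities array,
# e.g. a:1:{s:13:"administrator";b:1;} -> "administrator"
_GRANTED = re.compile(r's:\d+:"([^"]+)";b:1;')

# Built-in roles from least to most privileged.
RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def parse_roles(meta_value):
    """Return the role/capability names set to true in a wp_capabilities value."""
    return _GRANTED.findall(meta_value)


def audit(rows, roster):
    """rows: (user_login, meta_value) tuples from the query.
    roster: {user_login: expected_role}. Returns a list of (login, finding)."""
    findings = []
    seen = set()
    for login, meta in rows:
        seen.add(login)
        roles = parse_roles(meta)
        # Unknown names (custom roles, per-user caps) rank highest so they get reviewed.
        actual = max((RANK.get(r, 99) for r in roles), default=-1)
        if login not in roster:
            findings.append((login, "orphaned: not on roster, holds " + (",".join(roles) or "no role")))
        elif actual > RANK.get(roster[login], 99):
            findings.append((login, "exceeds expected role " + roster[login] + ": holds " + ",".join(roles)))
    for login in sorted(set(roster) - seen):
        findings.append((login, "missing: on roster but no WordPress account"))
    return findings


# Constructed sample data (not from a real site).
SAMPLE_ROWS = [
    ("j.smith", 'a:1:{s:13:"administrator";b:1;}'),
    ("a.jones", 'a:1:{s:6:"editor";b:1;}'),
    ("old.freelancer", 'a:1:{s:6:"author";b:1;}'),
    ("m.lee", 'a:2:{s:11:"contributor";b:1;s:12:"upload_files";b:1;}'),
]
SAMPLE_ROSTER = {"j.smith": "editor", "a.jones": "editor", "m.lee": "contributor", "new.hire": "author"}

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_ROWS, SAMPLE_ROSTER):
        print(login, "-", finding)
```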
Adding Users Programmatically
For bulk provisioning, such as onboarding a team of 20 writers at once, the WordPress admin UI is impractical. In PHP the relevant functions are wp_create_user() and wp_insert_user(); from the command line, WP-CLI exposes the same operation:
wp user create jane.doe jane.doe@example.com --role=author --send-email
WP-CLI's user create command accepts all the same fields as the UI form and supports --porcelain output for scripting. To bulk-import from a CSV:
wp user import-csv /path/to/users.csv --send-email
This approach is especially efficient on VPS with cPanel environments where WP-CLI is pre-installed and accessible via the terminal.
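A bulk import assigns roles without the per-user judgment described in Step 4, so it is worth checking the file before it reaches WP-CLI. The following is an added example, not part of the original guide: it validates a CSV against a role allowlist and the username rules from Step 3. It assumes the header layout user_login,user_email,display_name,role; the allowlist, the blocked names, and the sample data are constructed for illustration.

```python
import csv
import io

# Roles this import may assign; anything higher goes through the admin UI by hand.
ALLOWED_ROLES = {"subscriber", "contributor", "author"}
# Usernames that expose a role or match common brute-force targets.
BLOCKED_LOGINS = {"admin", "administrator", "webmaster", "editor", "root"}


def preflight(csv_text, existing_logins=()):
    """Return a list of (line_number, problem) for rows that should not be imported."""
    problems = []
    seen_logins, seen_emails = set(), set()
    existing = {name.lower() for name in existing_logins}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        login = (row.get("user_login") or "").strip().lower()
        email = (row.get("user_email") or "").strip().lower()
        role = (row.get("role") or "").strip().lower()
        if role not in ALLOWED_ROLES:
            problems.append((line, "role %r not permitted for bulk import" % role))
        if login.rstrip("0123456789") in BLOCKED_LOGINS:
            problems.append((line, "username %r exposes a role or is a common target" % login))
        if login in existing:
            # An import row matching an existing login would change that account, role included.
            problems.append((line, "username %r already exists on the site" % login))
        if login in seen_logins or email in seen_emails:
            problems.append((line, "duplicate username or email within the file"))
        if "@" not in email:
            problems.append((line, "missing or malformed email"))
        seen_logins.add(login)
        seen_emails.add(email)
    return problems


# Constructed sample file (not real accounts).
SAMPLE_CSV = """user_login,user_email,display_name,role
jane.doe,jane.doe@example.com,Jane Doe,author
editor1,ed@example.com,Ed Itor,contributor
b.ray,b.ray@example.com,B Ray,administrator
jane.doe,jd2@example.com,Jane D,author
"""

if __name__ == "__main__":
    for line, problem in preflight(SAMPLE_CSV, existing_logins=["b.ray"]):
        print("line %d: %s" % (line, problem))
```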
Technical Decision Matrix: Choosing the Right Role
Use this matrix when you are unsure which role to assign:
| User Type | Recommended Role | Key Reason |
|---|---|---|
| Co-owner / technical partner | Administrator | Needs full site control |
| Managing editor / content director | Editor | Cross-author oversight without system access |
| Staff writer (experienced) | Author | Full ownership of own content |
| Freelance / new contributor | Contributor | Drafts require editorial approval before publishing |
| Registered member / commenter | Subscriber | No content creation, profile only |
| Developer (temporary access) | Administrator (time-limited) | Needs plugin/theme access; revoke after project |
| SEO specialist | Editor or custom role | Needs to edit metadata across posts; no system access |
Practical Checklist Before Adding Any New User
- Confirm the username follows your naming convention and does not expose role information.
- Verify the email address is deliverable and belongs to the intended person.
- Select the minimum necessary role — do not default to Administrator out of convenience.
- Ensure your WordPress installation sends email reliably (SMTP configured, SPF/DKIM records set).
- If the user is an Administrator, enforce 2FA before granting access to production.
- Schedule a review date to audit whether the account is still needed.
- On server-managed installations, confirm that WordPress-level access does not inadvertently overlap with server-level credentials.
FAQ
Can I change a user's role after the account has been created?
Yes. Go to Users > All Users, click the user's name, scroll to the Role dropdown, select the new role, and click Update User. The change takes effect immediately on the next page load for that user.
What happens to a user's content if I delete their account?
WordPress prompts you to either permanently delete all content associated with that user or reassign it to another existing user. Reassignment is almost always the correct choice. Deletion is irreversible and cannot be undone through the UI.
Why is the "Add New User" option missing from my Users menu?
This typically means your account does not have the create_users capability, which is exclusive to the Administrator role by default. If you are logged in as an Administrator and still cannot see it, a plugin or a functions.php customization may have removed the capability. Check with current_user_can( 'create_users' ) in a test snippet or inspect the role's capabilities via the database.
Can a Contributor upload images to their posts?
Not by default. The upload_files capability is not included in the Contributor role. You can grant it individually using $role->add_cap( 'upload_files' ) in your theme's functions.php, or use a role management plugin. Be aware that unrestricted media uploads can consume significant server storage on high-volume contributor setups.
How do I add users to WordPress without giving them dashboard access?
Assign the Subscriber role, which limits the user to their profile page within the dashboard. For complete front-end-only access (e.g., membership sites), use a plugin like MemberPress or Restrict Content Pro that bypasses the standard dashboard entirely and presents a custom front-end account interface.
