This checklist defines how WordPress user roles and capabilities are assigned and managed. Its purpose is to enforce least‑privilege access while ensuring users can perform only the tasks required by their role.
User access decisions made here affect security, editorial workflow, and long‑term site stability.
Checklist Objective
Assign WordPress user roles and capabilities intentionally to prevent unauthorized access, accidental changes, and privilege escalation.
Preconditions
- WordPress is installed and accessible
- WordPress Setup 01 — Baseline Installation & Core Settings is completed and approved
- No custom roles or capability modifications exist yet
Checklist Steps — Default Roles
- Review default WordPress roles.
  - Administrator
  - Editor
  - Author
  - Contributor
  - Subscriber
- Confirm role intent.
  - Administrators manage site configuration
  - Editors manage content, not system settings
  - Authors and Contributors create content only
Checklist Steps — Role Assignment Rules
- Assign Administrator access sparingly.
  - Limit Administrator role to required accounts only
  - Avoid shared or temporary admin accounts
- Assign editorial roles intentionally.
  - Use Editor role only when editorial oversight is required
  - Use Author or Contributor roles for content creation
- Disable public registration unless required.
  - Confirm user registration is disabled by default
  - Document any exceptions
Checklist Steps — Capability Governance
- Avoid modifying default capabilities unless necessary.
  - Do not add custom capabilities without documentation
  - Avoid role creep over time
- Review capability changes during audits.
  - Confirm roles remain aligned with intent
  - Remove excess permissions
Required Output
- User roles assigned intentionally
- Administrator access limited and documented
- Editorial roles aligned with workflow
- No undocumented capability changes present
Pause & Lock
Once approved, user role and capability assignments become locked inputs for plugin installation, content creation, and ongoing operations.
Changes require documented justification and review.
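One way to run the audit step against the locked state described above, as an added example that is not part of the original checklist. The snapshot layout, account names and role data are constructed assumptions, and the capability lists are abbreviated.

```python
# Added example: drift check of the current role state against the approved
# ("locked") snapshot. The dict layout is an assumption, not a WordPress format.

def audit(locked, current):
    """Return findings, in report order, where `current` departs from `locked`."""
    findings = []
    # Capability drift per role, plus roles created or deleted since approval.
    for role in sorted(set(locked["roles"]) | set(current["roles"])):
        if role not in locked["roles"]:
            findings.append(f"role added: {role}")
            continue
        if role not in current["roles"]:
            findings.append(f"role removed: {role}")
            continue
        before, after = set(locked["roles"][role]), set(current["roles"][role])
        for cap in sorted(after - before):
            findings.append(f"capability added: {role} +{cap}")
        for cap in sorted(before - after):
            findings.append(f"capability removed: {role} -{cap}")
    # Administrator accounts that are not on the documented list.
    for login in sorted(set(current["admins"]) - set(locked["admins"])):
        findings.append(f"undocumented administrator: {login}")
    # Public registration must stay off unless an exception is documented.
    if current["users_can_register"] and not locked["registration_exception"]:
        findings.append("public registration enabled without documented exception")
    return findings

# Constructed sample data (hypothetical accounts, abbreviated capability lists).
LOCKED = {
    "roles": {
        "editor": ["edit_posts", "edit_others_posts", "publish_posts"],
        "author": ["edit_posts", "publish_posts", "upload_files"],
        "contributor": ["edit_posts"],
    },
    "admins": ["site-owner"],
    "registration_exception": False,
}
CURRENT = {
    "roles": {
        "editor": ["edit_posts", "edit_others_posts", "publish_posts", "manage_options"],
        "author": ["edit_posts", "publish_posts", "upload_files"],
        "contributor": ["edit_posts", "upload_files"],
        "shop_helper": ["edit_posts"],
    },
    "admins": ["site-owner", "temp-admin"],
    "users_can_register": True,
}

if __name__ == "__main__":
    print("\n".join(audit(LOCKED, CURRENT)))
```

Each finding maps to a checklist item: role creep, undocumented capability changes, excess administrator accounts, or registration enabled without a documented exception.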

