WordPress Plugin Security: User Capabilities

One aspect of plugin security that we need to pay attention to when developing a WordPress plugin is user roles and their capabilities. A WordPress site can have many users, and each user is assigned a specific role with its own set of capabilities.

The basic roles in WordPress are:

  • Super Admin
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

Each of these roles has a different set of capabilities, which restrict what its users can do in WordPress.

This restriction can be implemented in a plugin with this function:

current_user_can()

Coupled with the required user capability as its parameter, it lets us restrict functions so that they only run for users who hold that capability.

For example, in a basic WordPress installation only users registered as Super Admin, Administrator, Editor or Author can publish posts. If we restrict functions with

current_user_can( 'publish_posts' )

then Contributor and Subscriber will be restricted.
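The publish_posts case above, as an added example (not code from the original post): a plugin request handler shown once without any capability check and once gated with current_user_can(). The plugin prefix, function names and the admin-post action name are hypothetical.

```php
<?php
// Added example, not from the original post. Hook names and the
// "myplugin_" prefix are hypothetical.

// Unsafe: nothing checks the caller's role, so any logged-in user who
// can reach admin-post.php (a Subscriber included) can publish a draft.
function myplugin_publish_draft_unsafe() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Hardened: only roles that hold 'publish_posts' (Administrator, Editor
// and Author in a default install) get past the first check. Contributors
// and Subscribers are refused with a 403 before anything is modified.
function myplugin_publish_draft() {
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to publish posts.', 'myplugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Role-level capability is not enough on its own: an Author may publish
    // posts but must not touch another author's draft. The 'edit_post' meta
    // capability checks the specific post passed as the second argument.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to edit this post.', 'myplugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// admin_post_{action} runs only for logged-in users; the capability checks
// above decide which of those users may actually perform the action.
add_action( 'admin_post_myplugin_publish_draft', 'myplugin_publish_draft' );
```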

For the official explanation of the 'current_user_can' function and a more complete mapping of roles to capabilities, see the references below.


current_user_can (link)

User Roles and Capabilities (link)