WordPress User Roles and Capabilities in the Database

Several of our PublishPress plugins allow you to control what users can do on your WordPress site. These plugins allow you to change user permissions via the WordPress admin area.

However, there's a lot going on behind the scenes. PublishPress customers often have questions from users about WordPress permissions and where they are stored in the database. This post is an introduction to those database tables.

One thing to note: although most people refer to “user permissions” or perhaps “user access”, WordPress uses the word “capabilities”.


WordPress user roles in the database

WordPress user roles are stored in the wp_options table.

Look for the option called wp_user_roles:

Wp User Roles
Wp User Roles

All of the roles are stored in wp_user_roles, along with the capabilities for each role. All this data is stored in a single serialized array. This is not always very efficient and can cause problems on large sites.

User Roles Data
User Roles Data

The simplest entry is for the Subscriber role.

s:10:"subscriber";a:2:{s:4:"name";s:10:"Subscriber";s:12:"capabilities";a:2:{s:4:"read";b:1;s:7:"level_0";b:1;}}

Other roles have more capabilities, so their entries are more detailed. For example, this is the entry for the Author role.

s:6:"author";a:2:{s:4:"name";s:6:"Author";s:12:"capabilities";a:10:{s:12:"upload_files";b:1;s:10:"edit_posts";b:1;s:20:"edit_published_posts";b:1;s:13:"publish_posts";b:1;s:4:"read";b:1;s:7:"level_2";b:1;s:7:"level_1";b:1;s:7:"level_0";b:1;s:12:"delete_posts";b:1;s:22:"delete_published_posts";b:1;}}

The Administrator role is too long to list in this post.

The capabilities in this list are human-readable. You can see the upload_files and edit_posts entries alongside others. You'll also mention of a user role level which is set to 0 for a Subscriber and 10 for an Administrator.

It's worth noting that these lists can become long and messy. Many plugins will add new capabilities when you install them, but they rarely delete those capabilities when they are uninstalled.

Editing this data manually is difficult. We recommend using a plugin such as PublishPress Capabilities which provides a user-friendly interface for editing these settings. Any changes to user permissions are stored to the database, so it helps to have this rollback feature in case you make a mistake.


WordPress users in the database

Basic information about WordPress users is stored in the wp_users table. You can see two user entries in the image below.

User Wp
User Wp

The wp_users table only contains the core data about each individual user. Here is the full entry for the one of the two user entries:

User Table Data
User Table Data

You'll notice that now roles or capabilities are defined here. For that, you'll need the wp_user_meta table. This table has multiple entries for each user. In the screenshot below, you can see that see that wp_user_meta is using the user_id of 2 for Bob Smith.

User Meta
User Meta

The wp_capabilities option contains the user role for each user.

Bob User Meta
Bob User Meta

Here are some example values for wp_capabilities:

This values can be extended by plugins that allow user to have multiple roles. This is a entry is for a WordPress user who also has a role with the bbPress plugin:

a:2:{s:13:"administrator";b:1;s:13:"bbp_keymaster";b:1;}

Finally, I will note that this guide applies to almost all WordPress plugins but some plugins such as bbPress do take a different approach.


Summary

There's a lot more that can be said about WordPress role and capability data, but I wanted to create a fairly straightforward introduction for PublishPress users.

Please let us know in the comments if you have questions. I'll aim to answer them by expanding this post, or in follow-up tutorials.

Leave a Reply

Your email address will not be published. Required fields are marked *