The default WordPress installation comes with predefined Administrator, Editor, Author, Contributor and Subscriber roles. There is no clear definition of which role is “more powerful” or “higher” because it is based on the list of capabilities assigned to a role.
The common assumption is that the role with more capabilities is more powerful; however, this is not accurate because “power” is very subjective and varies based on the situation. For example, for some websites, a user with the ability to manage online orders is more powerful than a user that can manage posts and pages; or a user that can delete uploads is less powerful than a user with the ability to create new users. It is up to the website owner to define which role is more or less powerful based on the website's purpose.
When there is a need to define role levels (which role is higher or lower), I strongly suggest using the level_0 to level_10 WordPress core capabilities; the role with the higher level_X capability can be considered the higher-level role. AAM will automatically filter out users and roles with a higher level and block any attempts by users with a lower level to manage users and roles with a higher level.
A WordPress website can have an unlimited number of roles; however, there are no core features that allow you to create new roles or manage existing ones. With AAM you have all the tools necessary to effectively navigate and manage your complete list of roles. You can learn more in the “How to manage WordPress roles” article.
Each role in the WordPress core is defined by 3 attributes: internal slug, role name and list of capabilities. While the internal slug is something that you should not worry about, as it is automatically generated based on the role name, the list of capabilities is a very important part: it defines what a role is capable of doing. A role without a single capability will not be able to access the Backend side of the WordPress website.
The list of roles is stored in the wp_options database table as the wp_user_roles option. The wp_ prefix is the default WordPress database table prefix and may vary depending on the global $table_prefix variable that is defined in the main wp-config.php file. The stored list is a serialized associative array where the element key is an internal slug and the element value is another array with the role name and list of capabilities.

    Array
    (
        [administrator] => Array
            (
                [name] => Administrator
                [capabilities] => Array
                    (
                        [switch_themes] => 1
                        [edit_themes] => 1
                        ...
                    )
            )
        [editor] => Array
            (
                ...
            )
        [...]
    )
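As an added example (not AAM's or the WordPress core's own code), the script below decodes a constructed wp_user_roles value in the format just described and ranks roles by their highest granted level_X capability, following the level-based hierarchy suggested earlier on this page. The sample roles, the helper names role_level, role_levels and can_manage, and a PHP 7+ runtime are assumptions.

```php
<?php
// Constructed sample in the stored shape; on a live site the decoded array
// comes from get_option('wp_user_roles'). Role data here is illustrative only.
$sample = serialize([
    'administrator' => ['name' => 'Administrator', 'capabilities' => ['switch_themes' => true, 'level_10' => true, 'level_7' => true]],
    'editor'        => ['name' => 'Editor', 'capabilities' => ['edit_pages' => true, 'level_7' => true, 'level_2' => true]],
    'shop_manager'  => ['name' => 'Shop Manager', 'capabilities' => ['manage_orders' => true]], // hypothetical role, no level_X
    'legacy'        => ['name' => 'Legacy', 'capabilities' => ['level_9' => false, 'level_1' => true]], // denied level_9 must not count
]);

// Highest granted level_X capability of one role, or -1 when it has none.
function role_level(array $role): int
{
    $max = -1;
    foreach ($role['capabilities'] ?? [] as $cap => $granted) {
        if ($granted && preg_match('/^level_(\d|10)$/', (string) $cap, $m)) {
            $max = max($max, (int) $m[1]);
        }
    }
    return $max;
}

// Decode the stored value without instantiating objects, then map slug => level.
function role_levels(string $serialized): array
{
    $roles = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($roles)) {
        throw new InvalidArgumentException('wp_user_roles value is not a serialized array');
    }
    $levels = array_map('role_level', $roles); // string keys (slugs) are preserved
    arsort($levels);                           // highest level first
    return $levels;
}

// Hierarchy rule from the text: a lower-level role may not manage a higher-level one.
function can_manage(array $levels, string $actor, string $target): bool
{
    return isset($levels[$actor], $levels[$target]) && $levels[$actor] >= $levels[$target];
}

$levels = role_levels($sample);
foreach ($levels as $slug => $level) {
    echo str_pad($slug, 15), $level < 0 ? 'no level_X capability' : "level_$level", PHP_EOL;
}
var_dump(can_manage($levels, 'editor', 'administrator'));
var_dump(can_manage($levels, 'administrator', 'editor'));
```

Roles reported with no level_X capability sit outside this hierarchy, so a level-based check cannot rank them until a level is assigned.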
It is not recommended to modify the raw list of roles manually; instead, use the function provided by the WordPress core:
Out of the box, the WordPress CMS comes with several predefined roles that serve the most basic needs for a smart separation of responsibilities. It also has an extensive programmatic API that AAM uses to provide you with all the tools necessary to effectively manage the list of existing and custom roles.
The WordPress role is the most fundamental concept behind access control and is heavily used by many plugins and themes. Understanding what it is and how to manage roles is definitely a step toward access control management.