Many times we have come across sites that have given their users the keys to the kingdom. What we mean by this is that almost every internal user was given the “administrator” role. This is a no-no. WordPress comes with a default set of roles:
Super Admin: This role is someone that has access to everything across multiple sites within WordPress Multisite.
This role is not something you have to worry about too much, as it does not appear in WordPress unless you are running WordPress Multisite.
Administrator: This role is someone that has access to everything within a site.
Access to modify themes & plugins, enable or disable them, install or remove them.
Access to create, modify or delete pages.
A lot of damage can be done with this account if you do not know what you are doing.
Only one person, or at most 2 to 3 knowledgeable people, should have this level of access. Not everyone.
Editor: This role is someone who can not only publish & manage their own content (“Pages & Posts”) but can also publish & manage the content of others.
Even though this role can publish, add, edit & delete content and pages, it cannot get into the core settings of the site.
This role is intended for your editorial staff (“a select few”).
Author: This role is someone that can only add, edit, delete & publish their own posts and has no access to pages.
Intended for your authors or blog writers.
Contributor: This role is someone that can edit & delete posts but cannot publish and has no access to pages.
Intended for your blog writers.
Subscriber: This is someone that only has “Read” capabilities.
Hopefully this helps you get a better understanding of the permissions, so that you can secure your site and protect yourself from an accidental loss.
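To check a site against the "maximum 2 to 3" administrators guidance above, the following added example (not part of the original post) counts accounts holding the administrator role. It assumes the input is the CSV printed by WP-CLI's `wp user list --fields=user_login,roles --format=csv`; the function names, the `MAX_ADMINS` variable and the sample users are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a site that has too many administrator accounts.
# MAX_ADMINS=3 follows the post's "maximum 2 to 3" guidance (assumed threshold).
MAX_ADMINS=3

# Constructed sample data, not from a real site.
sample_users() {
cat <<'EOF'
user_login,roles
alice,administrator
bob,editor
carol,administrator
dave,author
erin,"editor,administrator"
frank,administrator
grace,subscriber
heidi,contributor
EOF
}

# list_admins: read the CSV on stdin, print one administrator login per line.
list_admins() {
    awk -F',' 'NR > 1 {
        login = $1
        # Everything after the first comma is the roles column; it is quoted
        # and contains commas when a user holds several roles.
        roles = substr($0, length(login) + 2)
        gsub(/"/, "", roles)
        n = split(roles, r, ",")
        # Exact match only, so a custom role such as "shop_administrator"
        # is not counted as a full administrator.
        for (i = 1; i <= n; i++)
            if (r[i] == "administrator") { print login; break }
    }'
}

# audit_admins: return 0 when the admin count is within MAX_ADMINS, 1 otherwise.
audit_admins() {
    admins=$(list_admins)
    count=$(printf '%s\n' "$admins" | awk 'NF { c++ } END { print c + 0 }')
    echo "administrators ($count): $(echo $admins)"
    [ "$count" -le "$MAX_ADMINS" ]
}

# On a live site: wp user list --fields=user_login,roles --format=csv | audit_admins
sample_users | audit_admins || echo "WARNING: more than $MAX_ADMINS administrators"
```

Accounts the audit flags can then be moved to Editor, Author or Contributor, depending on what each person actually needs to do.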