What is a user?

Each WordPress user has, at the bare minimum, a username, password, and email address.  Once a user account is created, that user may log into the WordPress Admin or log in programmatically to access WordPress functions and data.

Users are assigned roles, and each role has a set of capabilities.  You can create new roles with their own set of capabilities.  Custom capabilities can also be created and assigned to existing roles or new roles.

Principle of least privilege

The principal of least privilege refers to the practice of giving a user account only the privileges that are essential to that user’s work.

In WordPress, developers can take advantage of user roles to limit people or scripts to perform only those actions they should be allowed to do and no more.

This enables the administrator to open registration with a very basic (Subscriber) level of access for new users, without worrying about those users doing things they shouldn’t.