When developing a front-end user center in WordPress, we often run into a problem: users with the contributor or subscriber role cannot upload attachments. Some people may think this is a WordPress bug, but it is not. It is a deliberate security choice. In any web application, user-uploaded files can be risky, because we never know what a malicious user may try to upload.
To reduce that risk as much as possible, WordPress simply does not grant front-end file upload capability to contributors and subscribers by default.
Grant file upload capability to contributors and subscribers through the roles and capabilities API
In WordPress, the capability that controls file uploads is upload_files. If you want contributor or subscriber users to upload files too, you can use the WordPress roles and capabilities API to add that capability to those roles.
The following example adds file upload capability to contributor users. Copy the code into your theme’s functions.php file.
if ( current_user_can('contributor') && !current_user_can('upload_files') )
add_action('admin_init', 'allow_contributor_uploads');
function allow_contributor_uploads() {
$contributor = get_role('contributor');
$contributor->add_cap('upload_files');
}Bypass role restrictions through media upload functions
Another option is to build front-end file upload functionality with WordPress media upload functions directly. Uploads handled this way are not restricted by the WordPress role and capability system in the same way.
We have already introduced several related approaches before. If you need them, these are the articles to review:
