User Management for WordPress

One of the most basic ways to keep your site safe is to have a good user management policy or approach to your site.

Giving people a user account with access to your site is like giving them a copy of your house keys — make sure you trust them, make sure they’re trustworthy, and if for some reason they don’t need them anymore, make sure to get them back.

As the owner of a WordPress site, your account will be an admin account which means that when logged in, you will have full and unlimited access to all aspects of your site. This includes editing, creating, and deleting content; changing site, theme, and plugin settings; and adding or removing further user accounts.

To keep safe, follow these simple rules.


Rule #1: No sharing

So the absolute first rule of good user management is to never share your root or admin password with anybody else. If somebody else requires admin access, they should get their own account.


Rule #2: Use a strong password

Your account needs to have a password that is not only unguessable by other people — but also by computers. The best thing you can do is to use a LONG password and avoid using common words, phrases, or number combinations. For more detail on this read the passwords topic.


Rule #3: Everyone should use a strong password

There’s little point in you keeping your house keys safely tucked away if your flatmate leaves theirs on the doorstep. Make sure that anyone else who has a user account also uses a strong passwords.


Rule #4: Be stingy with access levels 

As you add account for other users don’t just default to providing admin access to everyone just because its convenient to you in the short term. A designer or developer will definitely need admin access if they are maintaining your site but an author or contributor should have a more limited role.


Rule #5: Enforce two-factor authentication 

Make sure that all user accounts with an access level higher than subscriber are required to login to your site with additional security. For how to do this read the full two-factor authentication article.


Rule #6: Remove unused accounts

If for whatever reason an individual no longer needs access to your site don’t delay in removing their access. Just remove their account immediately.