One of the best parts about WordPress is that you can assign unique user roles to everyone with access to your site. Moreover, through proper WordPress user management, you can strengthen site security and boost productivity. However, you might not understand the different user roles and permissions.
Fortunately, it’s relatively straightforward to come to grips with WordPress user management. Then, you can take the necessary steps to improve your management process and safeguard your site. For instance, you can make sure to assign appropriate roles, delete dormant accounts, and monitor user activity.
An introduction to WordPress user management
If you have more than one user on your site, it’s important to prioritize WordPress user management. This can help you avoid issues and comes with other added benefits. However, you’ll first need a basic understanding of the core WordPress user roles.
WordPress user roles
WordPress user roles refer to the types of visitors on your site. Meanwhile, permissions determine the actions that each of those users can perform. A big part of WordPress user management consists of assigning the correct user roles and permissions to each person with access to your site.
In ascending order of authority, the five core WordPress user roles are subscriber, contributor, author, editor, and administrator. Subscribers have the least amount of control, whereas administrators have the most. If you run a WordPress multisite or an online store you might have additional roles to work with:
Now let’s take an in-depth look at the most common user roles in WordPress:
- Super Admin. This role is only relevant if you’re on a multisite network. The super admin has access to the network administration features, so they’re able to create/delete websites, manage the network’s themes and plugins, and upgrade the network.
- Administrator. A WordPress administrator has control over all administrative features. This enables them to delete public pages, edit the dashboard, switch themes, and export/import data.
- Editor. All editors can publish and manage posts on the website (including posts created by other users). This can involve uploading files, moderating comments, and managing categories.
- Author. Users with the author role are only able to create, manage, and publish their own posts.
- Contributor. WordPress contributors can create posts, but they can’t publish them.
- Subscriber. Lastly, subscribers have very little control of the website. In fact, all they can do is manage their profile and visit the site. This role is usually reserved for customers, members, etc.
While each role has its own set of default permissions, you’re also able to further customize them for individual users. Now let’s discuss the benefits of properly managing these user roles!
The benefits of WordPress user management
By assigning the correct roles and permissions to users, you can retain a greater level of control over what people can do on your site. When a user logs in, they’re only able to see the features that are appropriate to their role and the unique privileges you’ve assigned them.
For example, you can ensure that only those you trust, or who are qualified to do so, are able to manage comments, publish content, or edit files. You don’t need to worry about a contributor accidentally installing a poorly-coded plugin or a subscriber attempting to edit your site files. Therefore, it’s an excellent way to protect your site.
What’s more, by improving WordPress user management, you can also boost the productivity of your team and achieve a more efficient workflow. When you limit functionality for certain users, your team members can perform their tasks with greater clarity and focus.
Tips to improve WordPress user management
Now that you know a bit about user roles and permissions, let’s check out five easy tips to improve WordPress user management:
- Assign the correct user roles
- Delete dormant accounts
- Monitor user activity
- Limit user sessions
- Secure the login procedure
1. Assign the correct user roles 👤
One of the best ways to improve WordPress user management is to make sure you assign the correct user role to each person on your site. To achieve this, it’s best to carefully consider the level of access each employee or collaborator needs when you create their account. If you haven’t done this up to now, you may want to audit your existing users.
Of course, it would be simple to assign the administrator role to everyone on your team, as this would mean you’d never have to worry about someone being locked out of a particular feature that they need. However, providing the appropriate level of access at the earliest opportunity can help prevent issues down the line. What’s more, it will encourage your team to follow best practices instead of falling into bad habits.
Now let’s consider some of the permissions that go along with the core user roles. Subscribers are the lowest in the hierarchy, as they are only able to view and manage their profiles. Meanwhile, contributors can write, edit, and submit posts for review, but they can’t publish them.
The author and editor roles are typically reserved for senior users who don’t need their work reviewed. And, as mentioned, administrators have the most control. Ideally, there should only be one administrator per site.
While assigning the correct user roles is helpful, it’s also important to regularly review and update them accordingly. For instance, if staff members change roles via promotions or demotions, you should make sure their user privileges reflect this change.
2. Delete dormant accounts ✅
When performing WordPress user management, one of the most crucial steps is to delete user accounts once they’re no longer needed. If a staff member resigns or a subscriber cancels their subscription, it’s vital to make sure they no longer have access to your site.
You can do this within your dashboard by going to Users > All Users. Then, find the user you want to delete and hover over the profile. Now, all you need to do is click on the Delete link:
You’ll then be redirected to a new screen where you’ll have to select Confirm Deletion to complete the action.
You may also want to prevent logged in (but idle) accounts from becoming a threat. In this instance, you can use a tool like Inactive Logout. This plugin can automatically log out idle users, protecting your site when WordPress sessions are left unattended:
What’s more, users will see a countdown before the session is terminated. Meanwhile, you can create a custom popup message or a timeout page to present after a specified period of time.
3. Monitor user activity 🖥️
When your website is small, it can be easy to keep track of all the changes that take place each day. However, as your site grows, this can become tricky. For instance, a user may delete a file or add a wrong line of code that causes an error on your site. But it can take a while to detect the cause of such errors when you don’t know when the change occurred or which account triggered it.
That’s why it’s a good idea to install an activity log plugin such as WP Activity Log, to keep track of all changes and user actions:
Once installed, you can use a tool like this to find out the exact time and location of logins. Plus, you can identify the user account(s) used to gain access to your site in the event of a security breach.
On top of that, an activity log enables you to take note of important changes on your site, like when a new piece of content has been created, a file has been removed, or a password has been changed. In fact, you can even configure some plugins to notify you by email or text to approve certain changes.
4. Limit user sessions 🚧
It’s also a good idea to limit user sessions to prevent users from logging in from multiple locations at the same time. This can occur when a user forgets to end the previous session before beginning a new session in a different place. It can also happen when multiple people share one account.
This presents a huge security risk since your website can then be accessed by anyone that stumbles upon the logged-in session. For instance, imagine a legitimate user is logged into your site from a public location and leaves their session unattended.
In this case, your site could fall into the hands of an unknown person that has malicious intentions. Or, if that person isn’t familiar with the backend of WordPress, they might simply (and accidentally) cause an error that damages your site.
Fortunately, there are ways to limit the number of simultaneous logins on specific user accounts. For example, you can use a plugin like Loggedin:
This is the easiest way to block users from accessing one account from unlimited devices and browsers simultaneously. You’ll be able to determine the maximum number of active sessions a user can have. Then, the plugin will automatically block all new logins or terminate all old logins.
5. Secure the login procedure 🔒️
Strengthening your WordPress login procedure is an easy way to improve user management and security on your site. First, you can start by only using strong passwords that consist of numbers, letters, and special characters.
This can protect your site against brute force attacks, since weak passwords can be easy to guess or generate. If you’re concerned about remembering your new password, you can always use a password manager like LastPass.
Plus, you can enforce strong passwords from all of your users by educating your staff about security threats and asking them to regularly change their passwords. You can also suggest or require strong passwords (or passwordless logins) by using security plugins such as iThemes Security.
Additionally, you can add an extra layer of defense with Two-Factor Authentication (2FA). You can set this up with a tool like WP 2FA:
Typically, 2FA requires users to present a password along with a second key to gain entry to your site. The second key could be a code sent via SMS or email, generated in real-time. Since bots and hackers aren’t able to produce this second key, it’s an excellent way to secure your site against attacks.
User roles and permissions enable you to assign the correct level of control to your website’s visitors. With diligent WordPress user management, you can secure your site against attacks and boost productivity among your team.
To recap, here are our five tips to improve WordPress user management:
Do you have any questions about improving WordPress user management? Let us know in the comments section below!
Don’t forget to join our crash course on speeding up your WordPress site. Learn more below: