WordPress offers a variety of built-in user roles; some third-party plugins introduce their own. (E.g., WooCommerce creates the Customer role for users who have made a purchase.)
In WordPress, each role is equipped with a variety of capabilities; for example, the capability to create or edit a post, install or deactivate a plugin, or manage other users.
Users can be added to your site automatically (e.g. created when someone buys something in WooCommerce) or manually.
Creating a New User
Simply log into your WordPress administrator’s panel, then click Users > Add New in the left-hand nav.
Next, provide the requisite details. You can either create a password or let WordPress assign one. (Your new user can change it for themselves as soon as they log in.)
Most of the time, you’ll be creating one of the following three roles. Note that you can always adjust a user’s role — either granting privileges or revoking them — at a later time.
- An administrator can do absolutely anything, including creating, editing or deleting content, activating or deactivating plugins, creating or adjusting users and more.
- An editor can create, edit or delete anyone’s content, but does not have rights to manage plugins or perform other administrative-level functions.
- A contributor can create and edit their own content, but cannot publish it or manipulate another user’s content.
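The role descriptions above are really statements about capabilities. The following script is an added example (not code from the original article or from Webster Park) that runs inside a WordPress install, for instance with `wp eval-file create-contributor.php`; it compares the three roles on a handful of capabilities using the core `get_role()` and `WP_Role::has_cap()` API, then creates a least-privilege account with `wp_insert_user()`. The username and e-mail address are constructed placeholders.

```php
<?php
/**
 * Added example, not part of the original article.
 * Assumes it is executed inside a loaded WordPress environment
 * (for example:  wp eval-file create-contributor.php).
 * The login and e-mail address below are constructed placeholders.
 */

// Capabilities that separate "content work" from "site administration".
$caps_to_compare = [
    'edit_posts',         // write and edit one's own posts
    'publish_posts',      // publish without review
    'edit_others_posts',  // touch other people's content
    'activate_plugins',   // change what code runs on the site
    'create_users',       // add further accounts
];

foreach (['administrator', 'editor', 'contributor'] as $role_name) {
    $role = get_role($role_name); // WP_Role object, or null if the role is not registered
    if ($role === null) {
        continue;
    }
    $granted = array_filter($caps_to_compare, fn($cap) => $role->has_cap($cap));
    printf("%-14s %s\n", $role_name . ':', $granted ? implode(', ', $granted) : '(none of the compared capabilities)');
}

// Least privilege: someone who only drafts articles gets "contributor", not "administrator".
$new_user = [
    'user_login' => 'guest-writer',                  // placeholder username
    'user_email' => 'guest-writer@example.com',      // placeholder address
    'user_pass'  => wp_generate_password(24, true),  // let WordPress generate a strong password
    'role'       => 'contributor',
];

$user_id = wp_insert_user($new_user);
if (is_wp_error($user_id)) {
    // Duplicate login or e-mail, invalid address, and similar problems end up here.
    echo 'Could not create user: ' . $user_id->get_error_message() . "\n";
} else {
    // Send the standard "set your password" e-mail so the password is never passed around by hand.
    wp_new_user_notification($user_id, null, 'user');
    printf("Created user #%d with role '%s'\n", $user_id, $new_user['role']);

    // Confirm the new account holds no administrative capability.
    if (user_can($user_id, 'activate_plugins') || user_can($user_id, 'create_users')) {
        echo "Unexpected: the new account has administrative capabilities\n";
    }
}
```

On a stock install only the administrator role holds `activate_plugins` and `create_users`; an editor has `publish_posts` and `edit_others_posts` but neither of those, and a contributor has `edit_posts` alone. Plugins can add or remove capabilities, which is why the script asks the live site rather than relying on a table.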
Best Practices for User Management
The following are recommended best practices that will help keep your website secure.
As with anything related to the security of your website, an ounce of prevention is often worth a pound of cure.
Every privileged user creates an additional window of opportunity, however small, for an attacker to exploit. Even if an individual user has earned your complete trust (and we hope they have!), the fact is that anyone may be unintentionally careless with their login, or even just plain unlucky.
For this reason, we recommend you:
- Do not share your own login with someone else who needs access. Rather, create an appropriately privileged account for their use. This makes it easy to see who has done what and, if necessary, to revoke access or re-assign their content to a different user.
- Grant each new user only the minimum role necessary. In other words, someone who is merely publishing content on your behalf does not need Administrator-level access.
- Review your list of privileged users from time to time. It can happen that a hacker has gained access to your website and silently created one or more user accounts for their own use; you may also have worked with an employee or contractor at one time who no longer needs access.
- Revoke any rights which are no longer needed. You can either remove an account altogether (taking care to re-assign any of that user’s content so it is not lost) or simply downgrade their role (e.g. to a Subscriber).
- Let Webster Park be. Finally, please note that all Webster Park hosted websites will show an administrator-level Webster Park user, which we use to help keep your website up-to-date and to assist in any troubleshooting efforts you require. Please do not delete or otherwise adjust this user.
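The periodic review and revocation steps above can be scripted. The following is an added example (not code from the original article or from Webster Park) that runs inside a WordPress install, e.g. with `wp eval-file audit-privileged-users.php`: it lists every Administrator and Editor account, flags any login that is not on a list of expected accounts, and, only when explicitly enabled, downgrades the flagged accounts to Subscriber (or removes them with their content reassigned). The logins in `$expected_logins` and the content recipient are constructed placeholders; the hosting provider's maintenance account must be added under whatever login it actually uses on your site.

```php
<?php
/**
 * Added example, not part of the original article.
 * Assumes a loaded WordPress environment (e.g.  wp eval-file audit-privileged-users.php).
 * Nothing is modified unless $apply_changes is set to true.
 */

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user() outside wp-admin

$privileged_roles = ['administrator', 'editor'];

// Accounts you know and expect to be privileged. Placeholders: replace with the
// logins shown under Users > All Users, including your host's maintenance account.
$expected_logins = ['your-own-login', 'hosting-provider-admin'];

// Set to true only after reading the report produced by a dry run.
$apply_changes = false;

// Whether flagged accounts are removed (true) or merely downgraded to Subscriber (false).
$delete_instead_of_downgrade = false;

// Account that inherits posts and pages from any account that is removed.
$reassign_to = get_user_by('login', 'your-own-login');

foreach ($privileged_roles as $role) {
    // WordPress core records the registration date but not the last login,
    // so sorting by registration surfaces recently added accounts first.
    $users = get_users(['role' => $role, 'orderby' => 'registered', 'order' => 'DESC']);
    printf("== %d user(s) with role '%s' ==\n", count($users), $role);

    foreach ($users as $user) {
        $recognised = in_array($user->user_login, $expected_logins, true);
        printf("%-7s #%-4d %-24s %-32s registered %s\n",
            $recognised ? 'ok' : 'REVIEW',
            $user->ID, $user->user_login, $user->user_email, $user->user_registered);

        if ($recognised || ! $apply_changes) {
            continue;
        }

        if ($delete_instead_of_downgrade && $reassign_to instanceof WP_User) {
            // Remove the account; its content is reassigned so nothing is lost.
            wp_delete_user($user->ID, $reassign_to->ID);
            printf("        removed #%d, content reassigned to #%d\n", $user->ID, $reassign_to->ID);
        } else {
            // Keep the account and its content, but strip every privilege.
            $user->set_role('subscriber');
            printf("        downgraded #%d to subscriber\n", $user->ID);
        }
    }
}
```

Run it first with `$apply_changes = false` and read the report; any `REVIEW` line is either a legitimate account that belongs on the expected list or one whose privileges should go. Downgrading is the safer default because it is reversible and leaves the user's content in place; deletion is only taken when a reassignment target exists, so the check in the article's "taking care to re-assign any of that user's content" step cannot be skipped by accident.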
In Summary
- Log into your WordPress administrator’s panel to create a new user (click Users > Add New).
- Do not share your login with someone who needs access: create an account for them, which grants them only the privileges they need to perform their job, and no more.
- Review your list of privileged users from time to time; if a user no longer needs the privileges they once had, either downgrade their role to Subscriber or remove their account altogether (taking care to re-assign any of their content first).
- If we host your website, please do not tamper with the Webster Park user, which helps us to keep your site up-to-date and to quickly assist in any troubleshooting efforts you may ask us to undertake.