A guide to WordPress user roles and permissions
WordPress comes with a comprehensive user role management system which defines what each specific user can and cannot do on your website. This covers everything from administrative to content-related tasks. Setting your site users up properly gives you a strong grip on your WordPress website; this is essential for a site seeing rapid growth. This post is devoted to explaining WordPress roles and capabilities and how you can manage them.
Being familiar with these user roles is important as they provide the most straightforward way to manage users' access to your website. After following this tutorial, you will have the skills to add user roles, modify and change users' existing roles, and create custom user roles for any WordPress-based website.
One of the essential features of the WordPress CMS is the availability of predefined user roles. These WordPress roles segregate your website users by allocating them with a fixed set of capabilities. Assigning users roles is an important part of running a multi-user WordPress site. They ensure users only have access to the areas they need, minimizing the chances of any accidents or violations happening that could potentially bring down your website.
We can't stress enough the importance of keeping your user accounts secure by using strong passwords and avoiding the "Admin" account name. WordPress users often make the mistake of leaving the default username "Admin"; it's a big security concern since the username accounts for half of a user's login credentials, meaning you're making a hacker's job 50% easier.
To find your current user roles, log in to your WordPress admin panel, navigate to Users and click All Users to see all the user roles currently in place. The default Admin role is typically held by the site owner. User permissions can be controlled from the edit-user screen that opens when you select a specific user.
The account created during WordPress installation is an Admin account. To give access to another person, you need to create a new user for them and assign that account a role that will allow them appropriate capabilities. It is crucial that each user has their own user account to ensure security and proper management of user roles. For instance, someone subscribing to your blog would naturally fit the permissions allocated to the Subscriber user role. Before adding a new user to your site, you should think about which capabilities they need to perform their job correctly.
Follow these steps to create a new user:
Click Users in your dashboard and hit the Add New button located at the top of the page.
On the Add New User page, fill in the user information fields for each new user: Username, E-mail and Password, First and Last Name (optional), the user's website (optional), and finally assign the desired role for the user from the dropdown list.
Once you're done, click on Add New User to complete.
To be sure you've successfully created a new user, log in using the credentials you've just created. If all the rights are defined as you want them, pass the credentials on to the specific user.
Managing users in WordPress involves efficiently creating, editing, and controlling user roles. Should an Author be promoted to an Editor, for example, you will need to reflect these changes in their WordPress capabilities, so that they can carry out their new role successfully.
To change an existing user role:
Head to the Users area of the admin panel, tick the user in question and open the "Change role to..." drop-down box; this brings up a list of user roles.
Select the new role required and hit the Change button.
It's also possible to change user roles manually in the database via phpMyAdmin, but before making any changes to your database, we strongly recommend making a backup. To change users manually from your database, refer to this guide.
There are times when a user is no longer required and you'll want to delete their user account. Follow these steps to delete a user from your site:
Select User from your dashboard and click the Delete link located beneath the username.
WordPress will ask 'What should be done with content owned by this user?' You have two choices:
Delete all content – Select this to delete all content this user created.
Attribute all content to – This option allows you to assign the content linked to this user to another user of your choosing. Select the required user from the dropdown list.
Select the appropriate option and click Confirm Deletion to remove the user.
A user role defines the permissions a user has within your WordPress installation. It allows them to perform tasks appropriate to their place in your organization. By default, single-site WordPress installations have five distinct user roles with predefined capabilities: Administrator, Editor, Author, Contributor and Subscriber. Multisite installations feature the additional Super Admin role.
Each user role comes with certain privileges. They can all access the dash, but their assigned role limits their operations. By understanding how each user role works, you'll be able to make an informed decision about which roles suit specific users on your site.
WordPress assumes that your site has multiple contributors who are allowed to do certain things on your site. Each of the five roles has its own capabilities, ranging from administrative tasks to writing and managing content, and the platform allows you to segregate users according to your site's needs.
Even if you anticipate being the sole contributor to your site for the foreseeable future, you may wish to expand at some point, so WordPress user roles are worth bearing in mind. For instance, you might choose to hire a regular guest post writer; in this case, "Contributor" is an ideal fit.
The Super Administrator role is not available on regular WordPress installations; it's unlocked if you run a multisite WordPress network. This role has the most privileges: as Super Admin you have access to the entire network's websites and network administration features, you may add or delete websites within the network, and you can perform network-wide operations.
The Administrator is regarded as the most powerful of the five default roles on a regular WordPress install because it gives users full control over the website. The Administrator (known as Admin) account is created during installation using the username and password you supply at that time.
The Admin is the only user with permission to create new users, and modify and delete existing ones. As an Admin, you have access to all administration features such as adding, deleting and editing information from all other users and have complete control over site content. An Admin may add, delete and modify themes, plugins and core settings at any time.
Since this role has unlimited access to core website functions, it's best reserved for users who need full control over all website settings. Because it would be a bad idea for this to be in the wrong hands, in most cases a site will have just one administrator; typically, the site owner will hold this position. On a multisite network, some of the abilities of the Admin are instead reserved for the Super Admin role. This is logical since the Super Admin administers the site network while the Admin is concerned with managing a single site.
As you'd expect from an editor, the Editor role holds the highest position in overseeing a WordPress website's content. The only role higher than the Editor regarding privileges is the Admin, who can perform site management tasks as well as manage and delete content just as this role can. Users assigned the Editor role have total control over website content: they can write, edit and publish posts, and they have the power to delete posts and pages, including those written by anyone else. The Editor can also view comments and moderate, alter and delete them as they see fit.
An Editor's rights go beyond content management. They may also manage categories, add or delete tags and even upload files. Aside from having open access to all content-related aspects of your site, the Editor won't have access to your site's settings, plugins or users.
Given that Editors traditionally review posts submitted by contributors, it's smart never to assign this role to a regular contributor because of the generous permissions it includes. Since Editors can delete published posts, we recommend only assigning the role to someone you trust. If you're still unsure about giving anyone so much free rein on your website, limit the rights of the role. Remember, every user role can be tweaked to meet your needs.
Users with the Author role have complete control over their own content. They may add, edit, publish and delete their own posts and upload images. They can also edit their WordPress profile. Authors have no access to content produced by other users. They are also blocked from creating categories or doing anything to the pages on a site.
You might notice an author displayed on a website's author pages. They may give biographical information about themselves alongside a built-in archive page displaying a list of posts they've written. It's possible to customize the author profile as displayed to readers to include a photo and extras such as their name, location, social profiles and so on.
This role isn't used much in practice since Authors can delete their published posts and images and edit their own published articles, which could cause problems for site owners. If you plan a website with multiple writers, you might want to consider the Contributor role. Assigning users the Contributor role is a safer bet to avoid the risk of miscommunication, or of workers deleting their content if you fire them, for example.
The Contributor role is a restricted version of the Author role. A user with this role can write new posts and edit their own existing posts but can't publish them, nor delete them once they are published. A Contributor submits their work for review by an Editor or an Admin before it's published. It's worth noting that Contributors can't access the media library, which means they can't upload images to their posts without assistance.
This role is a good choice when you want to allow other people to write for your website, since they can't access any of the features of the Admin role such as altering your site's design, installing or removing plugins, or creating new categories. They can, however, use existing categories and add tags to their posts. A Contributor may view comments, even those which are in moderation, but they can't modify, approve or delete them.
The Subscriber is the default role for new site users, and it has the fewest permissions. If this role stays with the default capabilities, it is the most limited of all the WordPress user roles. A Subscriber can create a profile on a WordPress website, read its content and post comments. They have no access to any site settings and can't create or amend any content.
You may modify the default settings to allow users to log in to your site and leave comments without having to enter their details each time, which is useful for people who frequently read your blog and actively comment, and makes the whole process much easier and faster for readers. You may also use this role to deliver additional content to your readers, such as newsletters. It may encourage your users to register if they want to access otherwise blocked content. Anyone who has subscribed to your website using an RSS feed, mailing list or similar feature to receive updates from your site is a Subscriber.
WordPress' predefined user roles do a good job of offering capabilities that fulfill the requirements of most websites; however, there may be cases where you need a user who doesn't fit within one of the default roles. For instance, you may want to customize the Author role, which traditionally can delete its own posts once they are published, which could cause problems. To counter this, you may modify existing WordPress user roles and create custom roles with the help of a plugin, or manually from the WordPress code.
Additionally, incorporating a user registration form can significantly enhance user experience and interaction on your website, especially for member-based and e-commerce sites.
WordPress lets you remove its default user roles and create custom roles. This is simply a matter of assigning limited privileges to specific user groups. Follow this guide to create a user role the manual way.
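The manual way relies on the core role API (`add_role()`, `remove_role()`, `get_role()`, `WP_Role::add_cap()` and `WP_Role::remove_cap()`). The plugin below is an added example written for this article, not code from the original post or from WordPress itself; the role slug `author_pro`, its display name and the `cre_` function prefix are assumptions. It creates the extended "Author Pro" role and applies the Author restriction mentioned above (no deleting posts once published) by removing the core `delete_published_posts` capability. Because role definitions are persisted in the `wp_user_roles` option, the changes are made once on activation and reversed on deactivation, not on every page load.

```php
<?php
/**
 * Plugin Name: Custom Roles Example (added example, not from the original article)
 *
 * Registers a custom "Author Pro" role and tightens the built-in Author role so
 * that Authors can no longer delete posts once they are published. Role changes
 * are stored in the wp_user_roles option, so they are applied once on activation
 * and undone on deactivation rather than on every request.
 */

// Role slug and display name are assumptions chosen for this example.
const CRE_AUTHOR_PRO_ROLE = 'author_pro';

function cre_activate() {
    // Start from the capabilities the core Author role already has.
    $author = get_role( 'author' );
    if ( ! $author ) {
        return;
    }
    $caps = $author->capabilities;

    // Extend: an Author Pro may also edit (but not delete) other people's posts
    // and moderate comments. Both are core capability names.
    $caps['edit_others_posts'] = true;
    $caps['moderate_comments'] = true;

    // add_role() returns null if the role already exists; that is acceptable here.
    add_role( CRE_AUTHOR_PRO_ROLE, 'Author Pro', $caps );

    // Tighten the built-in Author role: keep delete_posts (drafts) but remove
    // the capability that lets an Author delete an already published post.
    $author->remove_cap( 'delete_published_posts' );
}
register_activation_hook( __FILE__, 'cre_activate' );

function cre_deactivate() {
    // Restore the Author capability and drop the custom role. Users still
    // assigned to the removed role have no role until an Admin reassigns them.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->add_cap( 'delete_published_posts' );
    }
    remove_role( CRE_AUTHOR_PRO_ROLE );
}
register_deactivation_hook( __FILE__, 'cre_deactivate' );
```

Drop the file into `wp-content/plugins/` and activate it from the Plugins screen; the new role then appears in the role dropdown when adding or editing a user. Verify the result from a test account with `current_user_can( 'delete_published_posts' )` before handing the role to real users, and take the database backup the article recommends before activating on a production site, since role changes are written directly to the options table.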
You might prefer to use a plugin to control user roles; there are lots available to add, modify and delete user roles and capabilities. The free Members plugin gives you total control over your site's users by extending the rights of the default roles. With this plugin, you may modify existing user roles as well as create custom roles for your site users. You may install it directly from the WordPress plugin directory. Once the Members plugin is installed and activated, you can begin creating new user roles:
Head to your dashboard, hover over Users and find the new option added by the Members plugin: Add New Role. Click it to open the Create a Custom Role screen.
Begin by giving the role a memorable name; for example, you might name the role "Author Pro" to provide extended functionality to the most experienced authors on your site. Now tick the checkboxes to grant and deny the capabilities for your new user role. To finalize, click Add Role. Your new user role is now ready to use.
To customize an existing user role with the Members plugin, follow these steps:
Once successfully activated, this plugin adds two new options under Users in your WordPress dashboard: Roles and Add New Role. Click Roles to view all existing user roles available on your site. Click on a role to see which capabilities are available to the user. You'll now see the rights granted to the specific role. From here you may grant additional rights or deny existing ones; there are many capabilities to specify for any user role with this plugin.
Tick the Grant checkbox to add a right or the Deny checkbox to block it. For example, if you want to grant an Editor access to the Create Users function, open the Editor role and tick the Grant checkbox next to create_users. In the default setting, this capability is limited to the Admin alone.
Click Update to confirm your changes. You've successfully customized a default WordPress role.
This plugin affords you true flexibility. Consider the Author role: you may update this role with a new restriction on deleting posts. To do so, simply tick the Deny checkbox next to the delete_posts capability in the Author role settings. As we've demonstrated, the Members plugin offers great value for a free plugin; you get peace of mind that your users aren't mishandling your website. This type of plugin is ideal if your site is on the verge of growing and you foresee needing more hands on deck to handle it.
There are many other plugins designed for user role administration, including User Role Editor. This free plugin makes an easy job of user access management. Editing roles with this plugin is slightly more straightforward, and it has some extended features. It not only supports core capabilities but also lists capabilities for any additional functions you have defined through your website's plugins and themes.
Other notable plugins include Capability Manager Enhanced, a simple tool for managing WordPress user role capabilities; Cimy User Extra Fields, which lets you add predefined fields to user profiles; and Force Strong Passwords, which forces your users to create strong passwords to access your site.
User account security is a critical aspect of managing a WordPress website. Ensuring that user accounts are secure helps protect your site from unauthorized access and potential security breaches. Here are some best practices to consider:
Use strong passwords – Encourage users to create strong passwords that are difficult to guess. A strong password typically includes a mix of uppercase and lowercase letters, numbers, and special characters. You can use plugins like Force Strong Passwords to enforce this policy.
Two-factor authentication – Adding two-factor authentication (2FA) provides an extra layer of security for user accounts. With 2FA, users must provide a second form of identification, such as a code sent to their mobile device, in addition to their password. Plugins like Google Authenticator can help implement this feature.
Limit login attempts – Limiting the number of login attempts can blunt brute-force attacks, where attackers try many password combinations to gain access. Plugins like Limit Login Attempts Reloaded can help you set a limit on the number of failed login attempts before temporarily locking out the user.
Secure login page – Ensure that your login page is protected by HTTPS, which encrypts the data transmitted between the user's browser and your server. This helps prevent sensitive information, such as passwords, from being intercepted by malicious actors.
HackGuardian partial read-only mode – Activate HackGuardian to place your WordPress file system in a secure, partial read-only state. This prevents unauthorized changes to critical files while allowing normal site functions to continue. It's a simple, built-in EasyWP tool that enhances protection against file-based attacks without affecting performance.
By following these best practices, you can significantly enhance the security of user accounts on your WordPress website, protecting both your site and your users from potential threats.
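To show what "limit login attempts" looks like under the hood, here is a small plugin written as an added example for this article; it is not code from the original post or from any of the plugins named above. It uses two core hooks: the `wp_login_failed` action, which fires with the attempted username after a failed login, and the `authenticate` filter, whose result at priority 30 (after core's own password checks at priority 20) decides whether the login succeeds. Failed attempts are counted per username and client IP in a transient; once the limit is reached, further attempts return a `WP_Error` until the transient expires. The limit, lockout window and `lal_` prefix are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter Example (added example, not from the original article)
 *
 * Counts failed logins per username + client IP in a transient and refuses
 * further attempts for a cooldown period once the limit is reached.
 * The limit and window below are assumptions chosen for this example.
 */

const LAL_MAX_ATTEMPTS = 5;
const LAL_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Build the transient key for this username/IP pair. REMOTE_ADDR is only the
// real client address when the site is not behind a reverse proxy or CDN;
// on such hosting, derive the address from the proxy's trusted header instead.
function lal_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lal_' . md5( strtolower( $username ) . '|' . $ip );
}

// Record a failure. Core fires wp_login_failed with the attempted username.
// Re-setting the transient on every failure makes the lockout a sliding window.
function lal_record_failure( $username ) {
    $key      = lal_key( $username );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// Override the outcome of core's password check while the pair is locked out.
// Returning a WP_Error here makes wp_authenticate() report a failed login,
// regardless of whether the supplied password happened to be correct.
function lal_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $attempts = (int) get_transient( lal_key( $username ) );
    if ( $attempts >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after wp_authenticate_username_password (priority 20).
add_filter( 'authenticate', 'lal_check_lockout', 30, 3 );

// On a successful login, clear the counter so a legitimate user who mistyped
// a few times is not penalised on their next visit.
function lal_clear_on_success( $user_login ) {
    delete_transient( lal_key( $user_login ) );
}
add_action( 'wp_login', 'lal_clear_on_success' );
```

Two practical notes: transients live in the options table (or the object cache, if one is configured), so the counter survives across requests and PHP workers, and because `wp_login_failed` also fires for attempts rejected by the lockout itself, each blocked attempt extends the window, which is the intended behaviour. The same hooks are where you would add logging of failed attempts, which is the detection side of this control.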
The users table is a vital component of WordPress website administration, allowing site administrators to manage user accounts efficiently. Customizing the users table can make it easier to handle large numbers of users and streamline user management tasks.
Additional columns – You can customize the users table to include additional columns beyond the defaults (username, email address and role), such as registration date or last login. This provides a more comprehensive view of your user accounts, making them easier to manage. Plugins like Admin Columns can help you add and manage these additional columns.
Sorting and filtering – The ability to sort and filter the users table can greatly enhance your ability to manage user accounts. For instance, you can sort users by their registration date, role, or last login date. This makes it easier to identify inactive users or those who need role adjustments.
Bulk editing – Managing user accounts individually can be time-consuming, especially for large sites. The users table allows you to bulk edit user accounts, such as changing the role of multiple users at once. This feature is particularly useful when you need to update the roles of several users simultaneously.
By customizing the users table and utilizing its features, you can streamline the process of managing user accounts on your WordPress website, ensuring that your site runs smoothly and efficiently.