How to limit what users can do in WordPress for extra security

Letting other people access your WordPress site introduces security risks, but sometimes it is desirable to create accounts for people. When you do, you need to lock those accounts down for security.

Gaining access to a WordPress site is not easy, but bugs and flaws in the CMS and in plugins can sometimes allow skilled and knowledgeable hackers to take control.

It makes the process a lot easier if a hacker can log into a site with an account. Letting people log into your site is a security risk, and for this reason you should limit who has a WordPress account and what they can do once they log in.

Why let people log in?

There are several very good reasons for letting people log into your site, for example:

  • Restricting comments to people who are logged in, to avoid spam
  • Letting people contribute to the site as a guest poster
  • Employing a VA (virtual assistant) to perform tasks on the site
  • Building an editorial team
  • Building a membership site

Restrict members with roles

When an account is created in WordPress, the person is assigned a role and this limits what they are allowed to see and what they are allowed to change.

Go to Settings > General and about halfway down the page is this:

WordPress membership settings

Choose whether to let anyone register and create an account. Clear the checkbox to stop the general public, and hackers, from creating an account on your site. You, as an administrator, can still create accounts for people by going to Users > Add New.

This is the most secure setting for WordPress and it puts you in control of who has accounts.

However, you may want to allow people to create their own accounts, such as if you limit commenting to people logged in.

In this case, set the New User Default Role to Subscriber in the pop-up list. The roles are listed in order, with the least power and permissions at the top and the most at the bottom.

Plugins can add to this list and modify it, so you may see other account types, such as for members if you have a membership site or for affiliates if you run an affiliate scheme, and so on. Plugins can pretty much do what they want.

What can users do?

  • Subscriber: Read articles on the site, post comments
  • Contributor: Write articles in the post editor, but not publish
  • Author: Publish and edit their own posts
  • Editor: Publish and edit anyone’s posts
  • Administrator: God mode with the power to do anything!

Try the roles with a test account

That list is a very simple explanation of what each user can do and there is more to it than this. I strongly suggest you create an account on your site by going to Users > Add New. You need an email address, but if you have Gmail for example, add a . (dot) in your name like bob.smith@gmail… to create an extra email address. All emails end up in your inbox.

Set the account to Contributor and log in (yoursite.com/wp-admin) using an incognito/private window in your browser and see what you can see. Can you create a post? Publish it? Upload images to the media library? Delete anything? See any admin stuff?

Log out. Change it to Author and log in again in an incognito window and see what you can see and do now. Try it as an Editor.

If you find that users can access things you don’t want them to see, check plugins for options to limit access to administrators.

What you wish users could/couldn’t do

I find the default WordPress roles too coarse: a Contributor has too little power and an Author has too much.

For example, a Contributor can write an article using the WordPress post editor, but they cannot upload any images. They can write text only. This is not very useful if you want people to contribute articles to your site.

Set someone as an Author and it gives them too much power: not only can they upload images, they can publish posts too. Do you really want users to publish and have a post go live on the site without you checking it first?

A better solution would be a role halfway between Contributor and Author, with the power to upload images with their posts but not to publish without your permission. This can be achieved with plugins.

User Role Editor WordPress plugin

User Role Editor is a very popular plugin for WordPress with over half a million active installations and an excellent score.

  1. Go to Plugins in the sidebar
  2. Click the Add New button
  3. Enter user role editor into the search box
  4. Click the Install Now button
  5. Click the Activate button
  6. Access it by going to Users > User Role Editor

Select a user type at the top of the page, such as Contributor, Author or Editor, and the long list of checkboxes below is updated to show what a user with this role can do. Select a Group on the left to filter the list to just the features you are interested in, such as posts.

User Role Editor plugin for WordPress

Most of the items are fairly obvious but some are not. For example, ignore the create_posts checkbox on the All group because it is not used. The edit_posts checkbox gives users access to the post editor, so they can add new posts.

There are many settings like:

  • delete_posts: User can delete their own posts
  • delete_others_posts: User can delete anyone’s posts

This is one of the differences between an Author and an Editor. An Author can delete their own posts, but not others. An Editor can delete anyone’s post.

A Contributor cannot upload files, so they can’t add images to the posts they write. Select the Contributor role, select All on the left, find upload_files in the list and tick the checkbox. That capability is added to Contributors without having to upgrade them to Author, which adds a whole bunch of other permissions you might not want them to have.

An alternative method is to click the Add Role button and create a new role SuperContributor, or whatever you want to name it, with the extra capability to upload files to the media library.
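The same "Contributor plus uploads" role described above (and the gap between Contributor and Author it closes) can also be created in code, for sites where you prefer a small must-use plugin over a role editor plugin. This is an added example, not code from the article or from either plugin; the role slug super_contributor, the display name and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Super Contributor Role (example)
 * Description: Contributor capabilities plus upload_files, without the
 *              publish_posts capability that the Author role carries.
 * Assumed location: wp-content/mu-plugins/super-contributor.php
 */

// Hypothetical role slug; not a WordPress core role.
const SC_ROLE = 'super_contributor';

function sc_register_role() {
    // add_role() persists the role in the options table, so build it only once.
    if ( get_role( SC_ROLE ) ) {
        return;
    }

    $contributor = get_role( 'contributor' );
    if ( ! $contributor ) {
        return; // core role missing, nothing sensible to copy from
    }

    // Start from Contributor's own capabilities (read, edit_posts, delete_posts).
    $caps = $contributor->capabilities;

    // The one capability a Contributor lacks for adding images to their drafts.
    $caps['upload_files'] = true;

    // Explicitly deny publishing: a capability set to false is refused by
    // WP_User::has_cap() even if another filter tries to grant it.
    $caps['publish_posts']          = false;
    $caps['delete_published_posts'] = false;

    add_role( SC_ROLE, 'Super Contributor', $caps );
}
add_action( 'init', 'sc_register_role' );

// Alternative matching the "tick upload_files on Contributor" approach above:
// grant the single capability to the existing role instead of creating a new one.
function sc_grant_uploads_to_contributor() {
    $role = get_role( 'contributor' );
    if ( $role && ! $role->has_cap( 'upload_files' ) ) {
        $role->add_cap( 'upload_files' ); // also persisted, so this runs once per site
    }
}
```

Because the role is written to the database on first run, later changes to the $caps array have no effect; adjust a live role with WP_Role::add_cap() or remove_cap(), or remove_role() and re-add it.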

User Role Editor is very flexible and it gives you the option to create new roles or customise the existing ones. It is recommended if you allow people to have accounts on your WordPress site.

WPFront User Role Editor WordPress plugin

WPFront User Role Editor has far fewer users at 60,000 active installations but that is still a lot and it also has a good rating, so it is worth considering.

  1. Go to Plugins in the sidebar
  2. Click the Add New button
  3. Enter wpfront user role editor into the search box
  4. Click the Install Now button
  5. Click the Activate button
  6. Access it by going to Roles in the sidebar

Select Roles > All Roles and you can see a list of all the user roles and you can filter them by having users, having no users, built in, and custom. Mouse over a role and a WordPress style menu appears with Edit, Delete and Default options.

WPFront User Role Editor plugin for WordPress

Click Edit under a role and a list of all the permissions appears with checkboxes. You can see what each role can do and add or remove capabilities by ticking or clearing the checkboxes. A nice feature is the way that capabilities are organised into categories like Posts, Media, Pages and so on.

WPFront User Role Editor plugin for WordPress

There is an option to create new roles and this can start with a blank sheet or it can copy an existing role that can then be customised as you prefer. The plugin creates a couple of extra roles that you can keep or delete – SEO Manager and SEO Editor.

Action points

  • Limit the number of users who can log in to your site
  • Don’t let the public log in if they don’t need to (Settings > General)
  • If people must log in, set the default role to Subscriber in Settings > General
  • Keep users on the minimum role they need to do their job
  • Check what each user role can do with a test account
  • Use a user role plugin to create or limit user roles if you need to
