User Security

In this tutorial, we look at ways to improve user security as part of your overall web security plan.

This tutorial is part of our tutorial series on WordPress Security.


User Security

While malicious software from unknown hackers in some remote location is often responsible for widespread damage to computers and websites around the world, it’s important to remember that the people closest to you can sometimes pose even more significant security threats.

Attacks on your computer system, network, and website can come from people to whom you have given login access. It’s important, therefore, to learn how to take basic security precautions when other users have access to your assets.

Keeping Your WordPress Site Safe From Guests & Employees

(Note: some of the information below also applies to keeping your computer safe!)

You may have specific reasons for letting other people log into your website. For example, you may want to allow guest bloggers, reviewers, or columnists to post content under their own user accounts. To do this, they may need to be given login access with their own username and password so they can add and edit their own posts, saving you the time and work of publishing content.

(Develop and implement a user security plan for your business)

Many businesses assign website or blog management tasks to staff members or employees, and it’s also becoming more common nowadays to outsource tasks like keeping your site or blog updated, performing SEO or social media work, or publishing and editing content to virtual assistants and administrators, service providers, online marketing agencies, and freelancers. All of this exposes your computer and/or website to a number of potential security threats.

Here are a few simple and basic rules for keeping your WordPress website safe in these situations:

NEVER Give Out Your Administration Access Details

You should always keep your admin access protected – only the business/website/blog owner should have Admin access. The reason for this is not necessarily that your guests or employees might do anything malicious with the admin access (although this has been known to happen), but that every extra admin login is another credential that could be guessed, phished, or stolen, which could then allow someone else to get into your site through that account.

The more ways there are to access your account, the greater the likelihood that a hacker could find a way to get in.

If you have to give someone temporary admin access to your computer or your site (e.g. a web developer or software support technician), create a temporary admin account and delete the account immediately after the work on your computer or site is completed.

If, for any reason, someone has to log in to your computer or website using your admin account, at least change the password before giving them access.

After the work is done, change your password again (and also change your WordPress security keys).
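The temporary-admin procedure described above, as an added example that is not part of the original tutorial, scripted with WP-CLI so that each step is explicit and can be reviewed before it touches a live site. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root; the account name, e-mail address, and owner user ID used are hypothetical placeholders, and setting `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the tutorial): temporary administrator access with WP-CLI.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
# Account names and IDs below are hypothetical. Set DRY_RUN=1 to print the commands
# instead of running them, which is how to review the plan before acting on a live site.
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 32 URL-safe characters from the kernel CSPRNG (24 random bytes, base64url, no padding).
random_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Step 1: give the contractor their own clearly named admin account rather than the
# owner's credentials. The password is printed once; hand it over out of band.
grant_temporary_admin() {
    login="$1"; email="$2"
    pass="$(random_password)"
    run wp user create "$login" "$email" --role=administrator --user_pass="$pass"
    printf 'created %s (password: %s)\n' "$login" "$pass"
}

# Step 2: when the work is done, log the account out everywhere, delete it, reassign
# its content to the owner, and shuffle the security keys so stale cookies die too.
revoke_temporary_admin() {
    login="$1"; owner_id="$2"
    run wp user session destroy "$login" --all
    run wp user delete "$login" --reassign="$owner_id" --yes
    run wp config shuffle-salts
}

# If the owner's own account had to be used, rotate its password before and after.
rotate_password() {
    login="$1"
    pass="$(random_password)"
    run wp user update "$login" --user_pass="$pass"
    run wp user session destroy "$login" --all
    printf 'new password for %s: %s\n' "$login" "$pass"
}

case "${1:-}" in
    grant)  grant_temporary_admin "$2" "$3" ;;   # grant <login> <email>
    revoke) revoke_temporary_admin "$2" "$3" ;;  # revoke <login> <owner-id>
    rotate) rotate_password "$2" ;;               # rotate <login>
    "")     ;;                                    # no arguments: only define the functions
    *)      echo "usage: $0 grant|revoke|rotate ..." >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 sh temp-admin.sh grant tmp-dev dev@example.test` (file name hypothetical) to see exactly what would be executed, then repeat without `DRY_RUN` on the real site. `revoke tmp-dev 1` removes the account, hands its posts to user ID 1, and regenerates the keys and salts in wp-config.php, which also invalidates any login cookies that account still holds.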

To learn more about WordPress Security Keys, see the tutorial below:

Grant The Lowest Access Level Required To Users

Always grant users the lowest level of access they need to perform a task or complete a job (e.g. subscriber, contributor, author, or editor rather than administrator).

Do not make anyone else an administrator of your site unless it is absolutely essential.

To learn how to create and manage user accounts and how to assign user roles and responsibilities, see the tutorial below:

Change Passwords When Users Leave

When someone leaves your organization, whether they were employed or outsourced, make sure that you immediately change all passwords associated with their account, or simply delete their user account altogether.

Change Admin Passwords From Time To Time

Change all admin-level passwords from time to time, especially if you outsource your WordPress maintenance or administration to different people who need an admin account to log in.

Delete Unused User Accounts

If you have any user accounts on your WordPress installation that are no longer required, delete them from your site.
This also applies to WordPress sites with registration forms (e.g. directory sites or free membership sites) where spammers register fake user accounts: remove those accounts as well.
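As an added example (not the tutorial's own code), a small POSIX shell audit for the least-privilege and unused-account rules above. It reads user records in the shape produced by `wp user list --format=csv --fields=ID,user_login,user_email,roles`, reports every administrator who is not on an allowlist, summarises accounts per role so piles of unused or spam registrations stand out, and prints the WP-CLI commands that would drop an excess admin to a lower role. The embedded CSV is a constructed sample with hypothetical logins; the allowlist and the fallback role (`editor`) are assumptions to adjust per site. It goes slightly beyond the text by also handling accounts that hold more than one role.

```shell
#!/bin/sh
# Added example: audit WordPress accounts for excess privilege (not from the tutorial).
# Input is CSV in the shape produced by:
#   wp user list --format=csv --fields=ID,user_login,user_email,roles
# Run against a real site with:
#   wp user list --format=csv --fields=ID,user_login,user_email,roles | sh audit.sh
# The sample below is constructed; logins and addresses are hypothetical.
set -eu

SAMPLE_USERS='ID,user_login,user_email,roles
1,owner,owner@example.test,administrator
7,guest-writer,writer@example.test,contributor
12,old-seo-agency,seo@example.test,administrator
19,intern-2019,intern@example.test,"editor,author"'

# Only the site owner should hold the administrator role (space-separated allowlist).
ALLOWED_ADMINS="${ALLOWED_ADMINS:-owner}"

# Print logins of administrators that are not on the allowlist. Reads CSV on stdin.
extra_admins() {
    awk -F, -v allow="$ALLOWED_ADMINS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }   # skip the header row
        {
            # roles may be quoted and comma-separated ("editor,author"): rejoin fields 4..NF
            roles = $4; for (i = 5; i <= NF; i++) roles = roles "," $i
            gsub(/"/, "", roles)
            if (roles ~ /(^|,)administrator(,|$)/ && !($2 in ok)) print $2
        }'
}

# Print "<role> <count>" per role, sorted, so unused subscriber/contributor piles stand out.
role_summary() {
    awk -F, '
        NR == 1 { next }
        {
            roles = $4; for (i = 5; i <= NF; i++) roles = roles "," $i
            gsub(/"/, "", roles)
            n = split(roles, r, ",")
            for (i = 1; i <= n; i++) count[r[i]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# For each excess administrator, emit the WP-CLI commands that drop the account to the
# lowest role it still needs (editor here; adjust per person) and rotate the salts
# afterwards. Commands are printed, not executed, so they can be reviewed first.
remediation_plan() {
    plan="$(extra_admins | awk '{ printf "wp user set-role %s editor\n", $1 }')"
    [ -n "$plan" ] || return 0
    printf '%s\nwp config shuffle-salts\n' "$plan"
}

if [ "${1:-}" = "demo" ]; then
    printf 'Administrators outside the allowlist:\n'
    printf '%s\n' "$SAMPLE_USERS" | extra_admins
    printf '\nAccounts per role:\n'
    printf '%s\n' "$SAMPLE_USERS" | role_summary
    printf '\nSuggested remediation:\n'
    printf '%s\n' "$SAMPLE_USERS" | remediation_plan
elif [ -n "${1:-}" ]; then
    echo "usage: $0 [demo]   (or pipe wp user list CSV into the functions)" >&2; exit 2
fi
```

`sh audit.sh demo` (file name hypothetical) runs the checks on the embedded sample and flags `old-seo-agency` as the one administrator outside the allowlist. On a real site, treat each flagged login as a decision: demote it if the person still needs to publish, or delete it with `wp user delete <login> --reassign=<owner-id>` if they have left, and rotate the salts either way.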


Create A Security Plan For Your Business

In addition to the basic security precautions described above, make sure to develop and implement/review security plans to prevent malicious or unauthorized users from accessing other entry points to your business. This includes:
Originally published as User Security.