User Security

In this tutorial, we look at ways to improve user security as part of your overall web security plan.

This tutorial is part of our tutorial series on WordPress Security.



While malicious software from unknown hackers in remote locations is often responsible for widespread damage to computers and websites around the world, it’s important to remember that sometimes the people closest to you can pose even more significant security threats.

Attacks on your computer system, network and website can come from people that you have given login access to. It’s important, therefore, to learn how to take basic security precautions when other users have access to your assets.

Keeping Your WordPress Site Safe From Guests & Employees

(Note: some of the information below also applies to keeping your computer safe!)

You may have specific reasons for letting other people log into your website. For example, you may want to allow guest bloggers, reviewers, or columnists to post content under their own user accounts. To do this, they may need to be given login access with their own username and password so they can add and edit their own posts, saving you the time and work of publishing content.

Develop and implement a user security plan for your business


Many businesses assign website or blog management tasks to staff members or employees, and it’s becoming more common to outsource tasks like keeping your site or blog updated, performing SEO or social media work, or publishing/editing content to virtual assistants and administrators, service providers, online marketing agencies, and freelancers. All of this exposes your computer and/or website to a number of potential security threats.

Here are a few simple and basic rules for keeping your WordPress website safe in these situations:

NEVER Give Out Your Administration Access Details

You should always keep your admin access protected – only the business/website/blog owner should have Admin access. The reason for this is not necessarily that your guests or employees might do anything malicious with the admin access (although this has been known to happen), but that you may be opening up a security risk in that they could have their passwords broken or hacked, which could then allow someone else to get into your site through their account.

The more ways there are to access your account, the greater the likelihood that a hacker could find a way to get in.

If you have to give someone temporary admin access to your computer or your site (e.g. a web developer or software support technician), create a temporary admin account, and delete the account immediately after the work on your computer or site is completed.

If, for any reason, someone has to log in to your computer or website using your admin account, at least change the password before giving them access.

After the work is done, change your password again (and also change your WordPress security keys).

To learn more about WordPress Security Keys, see the tutorial below:

Grant The Lowest Access Level Required To Users

Always grant users the lowest level of access they need to perform a task or complete a job (e.g. contributor, author, or editor).

Under no circumstances should you make someone else an administrator of your site unless it is absolutely essential to do this.

To learn how to create and manage user accounts and how to assign user roles and responsibilities, see the tutorial below:

Change Passwords When Users Leave

When someone leaves your organization, whether they were employed or outsourced, make sure that you immediately change all passwords associated with their account, or simply delete their user account altogether.

Change Admin Passwords From Time To Time

Change all admin-level passwords from time to time, especially if you outsource your WordPress maintenance or administration to different people who need an admin account to log in.

Delete Unused User Accounts

If you have any user accounts on your WordPress installation that are no longer required, delete them from your site.


This suggestion also applies to WordPress sites with registration forms (e.g. directory sites, free membership sites, etc …), if you notice spammers registering with fake user accounts …
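The lowest-access-level and unused-account rules above can be checked together with a periodic access review. The script below is an added example, not part of the original tutorial: it compares a user export against a list of who should have access and at what role. The sample export, the `APPROVED` list and all account names are constructed for illustration, and the `<owner-user-id>` placeholder must be replaced with the ID of the account that should inherit a deleted user's posts.

```python
import csv
import io

# WordPress default roles, least to most privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample of: wp user list --fields=user_login,roles --format=csv
SAMPLE_CSV = '''user_login,roles
owner,administrator
jane,editor
guestwriter,administrator
olddev,administrator
seo-agency,"author,editor"
'''

# Hypothetical access list: current people and the highest role each one needs.
APPROVED = {"owner": "administrator", "jane": "editor",
            "guestwriter": "contributor", "seo-agency": "author"}


def rank(role):
    # Custom or unknown roles rank above administrator so they always get reviewed.
    return ROLE_RANK.get(role, len(ROLE_RANK))


def highest_role(roles_field):
    # A user can hold several roles; the most privileged one is what matters.
    roles = [r.strip() for r in roles_field.split(",") if r.strip()]
    return max(roles, key=rank, default="subscriber")  # no role: treat as lowest


def review_accounts(csv_text, approved):
    """Return (login, action, suggested WP-CLI command) for each account to fix."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login, actual = row["user_login"], highest_role(row["roles"])
        if login not in approved:
            # Leavers and forgotten accounts: remove, keeping their posts.
            findings.append((login, "delete",
                             f"wp user delete {login} --reassign=<owner-user-id>"))
        elif rank(actual) > rank(approved[login]):
            findings.append((login, "downgrade",
                             f"wp user set-role {login} {approved[login]}"))
    return findings


if __name__ == "__main__":
    for login, action, command in review_accounts(SAMPLE_CSV, APPROVED):
        print(f"{action:9} {login:12} {command}")
```

On the constructed sample this flags `guestwriter` and `seo-agency` for a lower role and `olddev` for deletion; review each suggested command before running it.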


Create A Security Plan For Your Business

In addition to the basic security precautions described above, make sure to develop and implement/review security plans to prevent malicious or unauthorised users from accessing other entry points to your business. This includes:



Author: Martin Aranovitch

Martin Aranovitch is the owner of and the author of The WordPress User Manual.

Originally published as User Security.