Any WordPress site with more than one person touching it needs thoughtful user management. Give everyone Administrator access and a single compromised password takes down the whole site; give everyone Subscriber access and they cannot do their job. WordPress ships with a carefully designed role system — five built-in roles covering the common use cases, with the ability to create bespoke roles for anything unusual. This guide covers each role in detail, walks through creating and editing users, and lays out the security practices that turn user management from a weak point into a strength. UK-specific notes on two-factor authentication, account auditing and Cyber Essentials align with what the NCSC and ICO expect of properly run business sites.
Understanding WordPress user roles · The five default roles explained · Adding a new user · Editing user profiles · Managing your own profile · Deleting users and handling their content · Security best practices · Adding two-factor authentication · Plesk WordPress Toolkit SSO · Roles in WooCommerce and other plugins · Frequently asked questions
WordPress is a multi-user system. Every user has an account; every account is assigned a role; each role grants a defined set of capabilities. The design follows the principle of least privilege: each person gets only the access they need to do their job, no more.
Roles are global to the site. A user who is an Editor can edit any post, regardless of who wrote it. An Author can publish their own posts but cannot touch others'. A Contributor can write but must wait for someone higher up to publish.
Five roles exist by default. Plugins can add their own (WooCommerce adds Shop Manager and Customer; LearnDash adds Group Leader; BuddyPress adds member roles). For most UK small business sites the five defaults are sufficient.
| Role | Capabilities | Typical user |
|---|---|---|
| Administrator | Full access. Themes, plugins, users, settings, all content, database tools. | Site owner, trusted technical manager |
| Editor | Create, edit, publish and delete all posts and pages (own and others'). Moderate comments. Manage categories and tags. Cannot manage plugins, themes, users or settings. | Content manager, editorial lead, marketing lead |
| Author | Create, edit, publish and delete own posts only. Upload files to Media Library. Cannot touch other users' content. | Regular blog writer, in-house staff writer |
| Contributor | Write and edit own posts but cannot publish — posts saved as Pending Review. Cannot upload files. Cannot delete own published posts. | Occasional guest writer, freelance contributor whose work needs review |
| Subscriber | Read content and manage own profile (display name, password, email). Default role for new public registrations. | Registered reader, newsletter sign-up |
If the five defaults do not fit your exact workflow, plugins like User Role Editor (free) and Members (free) let you create bespoke roles with any combination of capabilities. Common custom roles:
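As an added illustration of what a bespoke role looks like in code (example code, not from this guide and not the code of User Role Editor or Members), the small plugin below registers a "Page Editor" role that can manage pages but has no access to posts, comments, plugins, themes, users or settings. The role key page_editor, the plugin header and the function names are assumptions of this example; it assumes the file is saved under wp-content/plugins/ and activated.

```php
<?php
/**
 * Plugin Name: Page Editor Role (added example)
 * Description: Registers a bespoke "Page Editor" role that manages pages only.
 */

// Capabilities for the role, listed explicitly. Choosing them one by one, rather than
// cloning Editor and trimming, is what keeps the role at least privilege.
function page_editor_capabilities() {
    return array(
        'read'                   => true,
        'upload_files'           => true,
        'edit_pages'             => true,
        'edit_others_pages'      => true,
        'edit_published_pages'   => true,
        'publish_pages'          => true,
        'delete_pages'           => true,
        'delete_others_pages'    => true,
        'delete_published_pages' => true,
        // Explicit denials document intent; anything not listed is denied anyway.
        'edit_posts'             => false,
        'publish_posts'          => false,
        'moderate_comments'      => false,
        'manage_options'         => false,
    );
}

// Roles are stored in the database (the wp_user_roles option), so register the role
// once on activation rather than on every request.
function page_editor_activate() {
    add_role( 'page_editor', 'Page Editor', page_editor_capabilities() );
}
register_activation_hook( __FILE__, 'page_editor_activate' );

// On deactivation, move anyone holding the role to Subscriber before removing it;
// otherwise those users are left with no role at all.
function page_editor_deactivate() {
    foreach ( get_users( array( 'role' => 'page_editor' ) ) as $user ) {
        $user->set_role( 'subscriber' );
    }
    remove_role( 'page_editor' );
}
register_deactivation_hook( __FILE__, 'page_editor_deactivate' );

// Review helper: which capabilities differ between the new role and Editor. Run it before
// assigning the role to anyone, e.g. `wp eval 'print_r( page_editor_diff_against_editor() );'`.
function page_editor_diff_against_editor() {
    $editor = get_role( 'editor' );
    $custom = get_role( 'page_editor' );
    if ( ! $editor || ! $custom ) {
        return null; // role not registered yet (plugin not activated)
    }
    $editor_caps = array_keys( array_filter( $editor->capabilities ) );
    $custom_caps = array_keys( array_filter( $custom->capabilities ) );
    return array(
        'granted_beyond_editor' => array_values( array_diff( $custom_caps, $editor_caps ) ),
        'withheld_from_editor'  => array_values( array_diff( $editor_caps, $custom_caps ) ),
    );
}
```

The diff helper is the check worth running before the role goes live: the "granted_beyond_editor" list should be empty, and the "withheld_from_editor" list is the written record of what this role deliberately cannot do.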
Go to Users > Add New User.
WordPress generates a strong random password by default. Keep it (copy it to a password manager first) or type your own; it must reach the "Strong" rating before you can save.
Pick a role from the Role dropdown. Default to the lowest privilege level that lets the user do their job; you can upgrade later if needed.
Tick Send the new user an email about their account. WordPress sends the login URL and a password reset link, and the user sets their own password on first login.
Click Add New User. The account is created immediately.
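The same procedure done programmatically, as an added example that is not part of this guide: a helper that creates the account with a random strong password, the lowest role that fits, and a notification that lets the user set their own password. It assumes WordPress is loaded (for instance run with `wp eval-file add-user.php`, or from a plugin); the login, email address and function name are constructed for this example.

```php
<?php
// Added example, not from the guide. Assumes WordPress is loaded, e.g. `wp eval-file add-user.php`
// or inside a plugin. The login, email and function name are constructed sample values.

/**
 * Create an account the way the Add New User screen does: random strong password,
 * lowest role that fits, and a notification so the user sets their own password.
 * Returns the new user ID, or a WP_Error explaining why nothing was created.
 */
function example_add_team_member( $login, $email, $role = 'author' ) {
    // A role that does not exist must fail loudly, not silently produce a user with no role.
    if ( ! get_role( $role ) ) {
        return new WP_Error( 'unknown_role', "Role '{$role}' is not registered on this site." );
    }
    if ( 'administrator' === $role ) {
        // Highest privilege: leave a trace in the log so it shows up in the next review.
        error_log( "Administrator account requested for '{$login}'." );
    }

    // Nobody needs to see this password; the user replaces it through the reset link.
    $password = wp_generate_password( 24, true, true );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id; // e.g. existing_user_login, existing_user_email, invalid_email
    }

    // 'user' emails only the new user a password-setup link; no password travels by email.
    wp_new_user_notification( $user_id, null, 'user' );
    return $user_id;
}

$result = example_add_team_member( 'jane.writer', 'jane.writer@example.co.uk', 'author' );
if ( is_wp_error( $result ) ) {
    echo 'Not created: ' . $result->get_error_message() . "\n";
} else {
    echo "Created user #{$result}\n";
}
```

The notification argument is the detail that matters for security: with 'user', WordPress mails the new user a link to choose their own password, so the generated password never leaves the server and never sits in anyone's inbox.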
Administrators can edit any account.
On the All Users screen, tick several users, choose a role from the Change role to… dropdown and click Change. Efficient when onboarding or decommissioning a team.
From their profile page, click Set New Password. A strong password is generated. Save and share securely with the user (password manager link, not email). Alternatively, let the user go through the forgotten-password flow themselves.
Every user can manage their own profile via Users > Profile. Settings that are per-user, not global:
When a team member leaves or an account is no longer needed:
Two options:
Deleting a user cannot be undone through the dashboard. Always attribute content to another user before confirming unless you are certain the content should disappear. Recovery from a bad delete requires restoring from backup.
For employees on leave or contractors who might return, a plugin like User Deactivator or Disable Users lets you freeze an account without deleting it. Reactivate later without recreating.
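The two offboarding paths above (delete with content reassigned, or freeze without deleting) as an added code example that is not from this guide and is not the code of the User Deactivator or Disable Users plugins. It assumes WordPress is loaded (as an mu-plugin, or via `wp eval-file`); the function names, the user meta keys and the sample logins are constructed for this example.

```php
<?php
// Added example, not from the guide or from any deactivation plugin. Assumes WordPress is loaded.
// Function names, meta keys and the sample logins are constructed for this example.

require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

/**
 * Freeze an account without deleting it: remember its roles, strip them, and end every
 * session. The login filter below makes the freeze hold even after a password reset.
 */
function example_freeze_user( $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', "No user '{$login}'." );
    }
    update_user_meta( $user->ID, 'example_frozen_roles', $user->roles );
    update_user_meta( $user->ID, 'example_frozen_at', current_time( 'mysql', true ) );
    $user->set_role( '' );                                        // no capabilities at all
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();  // log out everywhere
    return $user->ID;
}

/** Reverse a freeze, restoring exactly the roles the account had before. */
function example_unfreeze_user( $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user || ! get_user_meta( $user->ID, 'example_frozen_at', true ) ) {
        return new WP_Error( 'not_frozen', "User '{$login}' is not frozen." );
    }
    $roles = (array) get_user_meta( $user->ID, 'example_frozen_roles', true );
    $user->set_role( array_shift( $roles ) ?: 'subscriber' ); // first role replaces, the rest are added
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
    delete_user_meta( $user->ID, 'example_frozen_roles' );
    delete_user_meta( $user->ID, 'example_frozen_at' );
    return $user->ID;
}

// Refuse logins for frozen accounts regardless of whether the password is correct.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User && get_user_meta( $user->ID, 'example_frozen_at', true ) ) {
        return new WP_Error( 'account_frozen', 'This account has been deactivated.' );
    }
    return $user;
} );

/**
 * Permanently remove an account. Content is reassigned first so posts and pages survive;
 * the reassignment target is mandatory because a delete cannot be undone from the dashboard.
 */
function example_offboard_user( $login, $reassign_to_login ) {
    $user = get_user_by( 'login', $login );
    $heir = get_user_by( 'login', $reassign_to_login );
    if ( ! $user || ! $heir ) {
        return new WP_Error( 'no_user', 'Both the leaving user and the reassignment target must exist.' );
    }
    if ( $user->ID === $heir->ID ) {
        return new WP_Error( 'self_reassign', 'Cannot reassign content to the user being deleted.' );
    }
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
    $items = (int) count_user_posts( $user->ID, array( 'post', 'page' ) );
    if ( ! wp_delete_user( $user->ID, $heir->ID ) ) {
        return new WP_Error( 'delete_failed', "Could not delete '{$login}'." );
    }
    return array( 'deleted' => $login, 'reassigned_items' => $items, 'to' => $reassign_to_login );
}
```

Stripping the roles alone is not enough to freeze an account: the user can still log in (with no capabilities) and still request a password reset, which is why the freeze also ends every session and the wp_authenticate_user filter rejects the login outright.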
Only grant Administrator access to people who genuinely need it. Most team members should be Editor or Author. Marketing freelancers rarely need Admin. Developers might need Admin temporarily — downgrade once their work is done.
Enforce strong passwords (WordPress's meter must say Strong). Use passphrases or random strings from a password manager. The NCSC's password guidance advises long passphrases over complex-but-short ones: correct horse battery staple beats P@55w0rd1.
Review Users > All Users at least every three months. Downgrade anyone whose role is higher than their current need. Delete (or deactivate) anyone no longer working on the site. Old forgotten accounts with weak passwords are a top WordPress breach vector.
Shared accounts make it impossible to track who did what, and they widen the impact of any single password leak. Every individual gets their own login.
If a user with username admin exists, create a new admin account with a non-obvious username and delete the old admin (attribute content to the new one). Brute-force bots disproportionately target the username admin.
In Settings > General, untick Anyone can register. Unless you run a membership or community site, you do not want the public creating accounts.
Imunify360 on smartxhosting.uk already limits login attempts at the server level. A WordPress-level plugin like Limit Login Attempts Reloaded adds defence in depth.
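To make the quarterly review repeatable, here is an added report-only audit script that is not part of this guide. It lists the findings the practices above ask you to look for (administrator sprawl, a user named admin, accounts with no role or with a role no longer registered, public registration enabled, a default role above Subscriber) and changes nothing. It assumes WordPress is loaded, e.g. run as `wp eval-file user-audit.php`; the threshold of two administrators and the function name are choices made for this example.

```php
<?php
// Added example, not from the guide. Assumes WordPress is loaded; intended to be run as
// `wp eval-file user-audit.php` during the quarterly review. The threshold of two
// administrators and the function name are choices made for this example.

/**
 * Report-only review helper: returns a list of human-readable findings and changes nothing.
 */
function example_user_audit( $max_admins = 2 ) {
    $findings  = array();
    $all_users = get_users();                      // every account (no limit by default)
    $known     = array_keys( wp_roles()->roles );  // roles currently registered

    // Administrator sprawl.
    $admins = array_filter( $all_users, function ( $u ) {
        return in_array( 'administrator', $u->roles, true );
    } );
    if ( count( $admins ) > $max_admins ) {
        $findings[] = sprintf(
            '%d administrators (expected at most %d): %s',
            count( $admins ), $max_admins, implode( ', ', wp_list_pluck( $admins, 'user_login' ) )
        );
    }

    // The username "admin" is the one brute-force bots guess first.
    if ( get_user_by( 'login', 'admin' ) ) {
        $findings[] = 'A user named "admin" exists; replace it with a non-obvious username.';
    }

    foreach ( $all_users as $u ) {
        // No role at all: usually left behind when the plugin that defined the role was removed.
        if ( empty( $u->roles ) ) {
            $findings[] = "{$u->user_login} has no role.";
        }
        // A role that no longer exists grants nothing, but hides the fact that access is undefined.
        foreach ( array_diff( $u->roles, $known ) as $orphan ) {
            $findings[] = "{$u->user_login} holds unregistered role '{$orphan}'.";
        }
    }

    // Settings that decide who can create accounts and with what privilege.
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = '"Anyone can register" is enabled; untick it unless this is a membership site.';
    }
    if ( 'subscriber' !== get_option( 'default_role' ) ) {
        $findings[] = 'New User Default Role is "' . get_option( 'default_role' ) . '", not Subscriber.';
    }
    return $findings;
}

$findings = example_user_audit();
if ( empty( $findings ) ) {
    echo "No findings.\n";
}
foreach ( $findings as $f ) {
    echo "- {$f}\n";
}
```

The script deliberately does not downgrade or delete anyone: whether a particular administrator still needs the role is a judgement the site owner makes, and the report is the input to that decision.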
2FA adds a second verification step after the password — a 6-digit code from an authenticator app. Even if a password is compromised, the attacker cannot log in without the second factor. Strongly recommended for any Administrator or Editor account.
On smartxhosting.uk, the Plesk WordPress Toolkit adds Single Sign-On into any WordPress dashboard without typing credentials. One click from Plesk opens the dashboard logged in.
Relevant for user management because:
Combine SSO (for owners/admins) with 2FA-enforced standard login (for editors and contributors).
WooCommerce adds two roles on top of the five defaults: Shop Manager and Customer.
Other plugins add their own. LearnDash: Group Leader. BuddyPress: participant, moderator. Gravity Forms: form manager. Check the plugin's documentation for its role additions.
Plugins like Dokan or WC Vendors add Vendor roles. Each vendor can only see and edit their own products and orders. Crucial for marketplaces.
Can I change a user's username?
Not directly from the dashboard. Either (1) create a new user with the correct username, assign all content from the old user to the new, delete the old user; or (2) use a plugin like Username Changer.
What happens if a user forgets their password?
They click Lost your password? on the login page, enter their email or username, receive a reset link. If email delivery is broken, an administrator can reset from Users > All Users > [user] > Set New Password or via the Plesk WordPress Toolkit's Setup panel.
Can I give a user access to only one specific page?
Not with default roles. Use a plugin like User Role Editor to create a custom role, or PublishPress Capabilities for page-level restrictions.
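As an added example of how a page-level restriction can be implemented in code (not from this guide, and not the code of PublishPress Capabilities or User Role Editor), the plugin below uses the map_meta_cap filter to narrow a named user down to one page. It assumes the user holds the Editor role, so that the underlying page capabilities exist for the filter to narrow, and that it runs as a plugin or mu-plugin; the login pricing.editor and page ID 42 are constructed values.

```php
<?php
/**
 * Plugin Name: Single Page Grants (added example)
 * Description: Restricts listed users to editing one page (or a few) and nothing else.
 */

// Who may edit what. Users not listed here are untouched; this never grants access on its own,
// it only narrows what the user's role already allows.
function example_single_page_grants() {
    return array(
        'pricing.editor' => array( 42 ), // user_login => page IDs (constructed sample values)
    );
}

// WordPress resolves meta capabilities such as edit_post on a specific ID into primitive
// capabilities (edit_pages, edit_others_pages, ...). This filter sees that resolution and
// replaces it with do_not_allow for anything outside the user's allowed pages.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post', 'publish_post' ), true ) ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return $caps;
    }
    $grants = example_single_page_grants();
    if ( ! isset( $grants[ $user->user_login ] ) ) {
        return $caps; // not a restricted user: leave the role-based result alone
    }
    $post    = isset( $args[0] ) ? get_post( (int) $args[0] ) : null;
    $allowed = $post && 'page' === $post->post_type
        && in_array( $post->ID, $grants[ $user->user_login ], true );
    return $allowed ? $caps : array( 'do_not_allow' );
}, 10, 4 );

// Hide everything else from the Pages list. Cosmetic only: the capability filter above is the gate.
add_action( 'pre_get_posts', function ( $query ) {
    if ( ! is_admin() || ! $query->is_main_query() ) {
        return;
    }
    $grants = example_single_page_grants();
    $login  = wp_get_current_user()->user_login;
    if ( isset( $grants[ $login ] ) && 'page' === $query->get( 'post_type' ) ) {
        $query->set( 'post__in', $grants[ $login ] );
    }
} );
```

Two caveats a practitioner should check: creating a new page goes through the primitive edit_pages capability rather than edit_post on an ID, so the filter does not stop the restricted user adding pages; and the Editor role's other capabilities (moderating comments, managing categories) are untouched. A dedicated plugin handles these cases, which is why the guide points to one.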
Is it safe to have multiple administrators?
As many as genuinely need the role. Every additional administrator is an additional attack surface. Review annually; downgrade anyone who has not needed Admin access in the last six months.
How do I export user data for UK GDPR requests?
Tools > Export Personal Data. Enter the user's email, confirm, and WordPress emails a link to download a ZIP containing every piece of data linked to that email. Under UK GDPR, you must fulfil access requests within one month.
How do I delete user data for a GDPR erasure request?
Tools > Erase Personal Data. Enter the email, confirm, and WordPress removes the user's data. Plugins must implement cleanup hooks to fully participate; most major plugins do.
Should I use BuddyPress or a membership plugin for community accounts?
BuddyPress adds full community features (profiles, activity streams, groups, messaging). Overkill for a small site with a handful of editors. For a membership site selling access to content, use a purpose-built plugin like MemberPress, Restrict Content Pro or Paid Memberships Pro.
Can I automatically assign a role to new registrations?
Yes. Settings > General > New User Default Role. Default is Subscriber; keep it at Subscriber for public registrations unless you have a specific reason to upgrade.
Do inactive users still pose a risk?
Yes. An inactive account with an old password is an easy target. Audit quarterly; delete or deactivate anyone not actively working on the site.
Can I log users out remotely?
Yes. Users > [user] > Log Out Everywhere Else. Useful if you suspect a compromised account — forces logout from every session except the current one.