Managing WordPress users is an administrative task that is often overlooked, yet it remains one of the most important undertakings that can greatly improve WordPress management and security. Mismanaged users can introduce security risks and create headaches, especially as the website grows. Fortunately, coming up with a user management plan is easier than you might think.
This article explores the different tools, including WordPress user management plugins, that you can use to improve your posture so that you can manage users with ease.
Table of contents
- What is user management?
- Why you need a WordPress user management strategy
- User roles and capabilities
- User Account Management options
- Enforce strong passwords for your users
- User session policies
- Restrict login times
- Disable inactive users
- Monitor user activity in WordPress
- Improve your WordPress user management
- WordPress user management – an ongoing process
- Frequently Asked Questions
What is user management?
Primarily, user management covers two things:
- User account security
- Access management
In a nutshell, user account security protects the user, while access management protects the website. Of course, there will always be some overlap, but this can help us differentiate the primary objectives.
In user account security, we look at the processes we can undertake to ensure that user accounts are as secure as possible. This includes ensuring strong WordPress passwords are used, 2FA, and login security, among other things.
On the other hand, in access management, we want to make sure that users have access to the resources they need – and not more. Typically, this includes user roles, login rights, and access logs, among other things.
Why you need a WordPress user management strategy
Users play a critical role in many WordPress websites. From eCommerce sites and membership-based sites to blogs and news sites, users make all kinds of contributions to WordPress websites.
Users, however, can also introduce certain risks. This is especially true on a multi-user WordPress site.
To this end, a user management strategy can help us mitigate those risks. A user management strategy can be implemented through policies that provide clear procedures and rules on how security and access management should function.
While this may sound complicated or abstract, WordPress and a few plugins can help us achieve all of this securely and in a scalable manner.
User roles and capabilities
User roles in WordPress underpin how we manage users and access rights. Understanding how roles work can help us improve our user management practices.
Every action that a user can undertake on WordPress is defined by a capability. For example, to publish a post, you need the publish_posts capability. WordPress roles help us avoid the nightmare of assigning individual capabilities to each user.
Capabilities are assigned to user roles instead of users directly. Once a user is assigned a role, they inherit all of the capabilities assigned to that role. Multiple users can be assigned the same role, making the process very effective. In many ways, roles define and limit user access across the website.
WordPress includes several default user roles. However, administrators are free to create custom user roles to meet specific criteria. Roles can be edited through a user role editor plugin. Many third-party plugins also create their own custom roles. For example, WooCommerce creates the Shop Manager and Customer roles.
The default user roles defined in WordPress are as follows, in order of seniority:
- Super Admin: full access to every site on a multisite network
- Administrator: full access to the website
- Editor: can publish and edit posts written by any user
- Author: can publish and manage only their own posts
- Contributor: can write, edit, and submit posts for review but cannot publish them
- Subscriber: the lowest tier of access, limited to managing their own profile
It’s worth noting that the default role assigned when creating a new user account is Subscriber. Since Subscriber is the lowest access tier, this default ensures you do not inadvertently give someone rights that they should not have.
Adding new users to WordPress
Users can be added to WordPress in one of two ways – manually through the WordPress admin panel or through registration forms.
To add a user manually, log in to the WordPress backend, then navigate to Users > Add New User. This will open the new user registration form, where you must enter the username, email, password, and user role. You can also enter additional information such as first name, last name, and the user’s website.
Lastly, you will need to assign the user a role. The default is set to Subscriber; however, you can choose any role you want from the drop-down menu. Here, you’ll find the WordPress default user roles as well as any custom user roles that you’ve created.
The default user role can be changed by navigating to Settings > General. Next, scroll down until you find the New User Default Role option. Here, you can choose one of the available roles from the drop-down menu. Click Save Changes for the changes to take effect.
You can also add new users through registration forms. You can do this through WordPress itself or by using a user registration plugin.
To enable WordPress registration, first navigate to Settings > General. Scroll down until you find Membership and enable the Anyone can register option. Do make sure that the default user role is set to Subscriber or equivalent, and click Save Changes to save.
User profile images
WordPress allows users to upload a profile image. By default, this is done through Gravatar – a free online service that allows users to create an online profile to use with different services, including WordPress.
Alternatively, you can install a plugin to upload profile images to WordPress. Plugins such as User Profile Picture enable you to upload user profile pictures using the media upload tool – the same way you upload images for pages and posts.
Assigning user roles
It is essential to always use the Principle of Least Privilege when assigning a role to a user. This means only giving the users enough privileges to do their job, not more. While assigning every user the Administrator role might be easy, such an approach will unequivocally create many more problems than it solves.
By using a user role editor, we can ensure that users are only given the capabilities they need. This is especially true if you have custom processes that do not necessarily fit within the remits of the default WordPress roles.
Adding and editing WordPress user roles
If the default WordPress user roles do not fit into your website operations, you can edit existing user roles or even create new custom user roles. WordPress doesn’t offer this capability straight out of the box. Technically, you can edit the database; however, using a plugin is by far the easier route.
One such plugin is User Role Editor. This plugin allows you to edit existing roles and create new ones if required.
If you want to edit an existing role, first navigate to Users > User Role Editor. Then open the “Select Role and change its capabilities” drop-down menu and choose the role you want to edit. Capabilities are grouped, making them much easier to find, and you can also choose to display the available capabilities in “human readable form.” If you make any changes, remember to click Update to save them.
To create a new custom user role, first click on the Add Role option. In the Add new Role window, provide a Role name (ID) and a Display Role Name. You can also choose an existing role as a template for the new role if you would like.
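Least privilege in the roles and capabilities model described above can also be expressed in code. The following is an added example, not code from the article or from the User Role Editor plugin; the role name content_reviewer, its capability set, and the function names are assumptions.

```php
<?php
/**
 * Added example (not from the article or the User Role Editor plugin):
 * create a custom role with a minimal capability set and trim a default
 * role. Save the file under wp-content/mu-plugins/ so it loads on every
 * request. Role name and capability set are assumptions.
 */

function example_register_reviewer_role() {
    // Roles persist in the options table, so creation is a one-off step;
    // skip it once the role exists.
    if ( get_role( 'content_reviewer' ) ) {
        return;
    }

    // Use the built-in Contributor role as the template, then grant only
    // what a reviewer needs: editing drafts submitted by other users.
    // publish_posts is deliberately absent, so reviewers cannot publish.
    $contributor = get_role( 'contributor' );
    $caps        = $contributor ? $contributor->capabilities : array( 'read' => true );
    $caps['edit_others_posts'] = true;

    add_role( 'content_reviewer', 'Content Reviewer', $caps );
}
add_action( 'init', 'example_register_reviewer_role' );

function example_harden_editor_role() {
    // Least privilege also means removing capabilities a default role does
    // not need. unfiltered_html lets Editors save raw HTML such as <script>
    // tags; dropping it limits the damage a compromised Editor account can do.
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
}
add_action( 'init', 'example_harden_editor_role' );

// Assign the custom role to a user (replacing any role they held) and
// report the resulting capabilities. Gate actions on capabilities, never
// on role names: user_can() resolves role -> capabilities for you.
function example_make_reviewer( $user_id ) {
    $user = new WP_User( $user_id );
    $user->set_role( 'content_reviewer' );

    return array(
        // Granted via the custom role.
        'can_edit_others' => user_can( $user_id, 'edit_others_posts' ),
        // Never granted, so the reviewer cannot publish.
        'can_publish'     => user_can( $user_id, 'publish_posts' ),
    );
}
```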
User Account Management options
The WordPress dashboard provides several user account management options. While the options are pretty limited in scope and depth, they provide essential basics to help you carry out basic administrative and security tasks related to users.
To get started, navigate to Users > All Users. Next, click on the Username of the account you want to manage. Once the page loads, scroll down to the Account Management section.
Here, you will find the following options:
- New Password: Enables you to set a new password for the user
- Password Reset: Sends a password reset link to the user’s registered email address
- Application Passwords
  - New Application Password Name: A name for the application password, which is used when a user needs access through an API or similar interface
  - Add New Application Password: Generates the password itself
- Additional Capabilities (requires the User Role Editor plugin)
  - Other Roles: Assign multiple roles to the user
  - Capabilities: Opens the User Role Editor
- Two-factor authentication settings (requires the WP 2FA plugin)
  - Primary method: The primary 2FA method configured for the user
  - Secondary method(s): Any secondary 2FA methods the user has set up
  - 2FA Setup: Resets the user’s 2FA configuration, which is helpful if the user has lost both their primary and secondary 2FA methods
Enforce strong passwords for your users
Weak passwords are one of the biggest culprits when it comes to WordPress breaches. Therefore, the first step of effective WordPress user management security begins with enforcing strong passwords for every user, regardless of seniority.
Communicating with each user on a large WordPress site is next to impossible. Thus, you need a plugin to help administer this improved security requirement. With Melapress Login Security, you can enforce strong passwords on every user to ensure the continued security of your site.
You can customize password policies based on user role and stipulate password requirements (such as password length, history, complexity, and use of special characters) within the plugin.
When using Melapress Login Security, you can also enforce WordPress password policies at the user registration stage. This ensures that even new users comply with your password policy from the very start, when filling in their registration form.
Add two-factor authentication
Strong passwords go a long way in protecting your WordPress. However, they are not foolproof. By adding two-factor authentication for WordPress, you’re effectively adding an additional layer of security to your login credentials that goes a long way in drastically improving the security of the login process.
2FA policies can be assigned per user role or site-wide, giving you complete control over the implementation. With multiple authentication methods to choose from, you can easily ensure that all existing users, as well as new sign-ups, enjoy strong security.
User session policies
Password sharing is an often underestimated security risk. Not only does it increase the risk of passwords falling into the wrong hands, but it can also lead to revenue loss. The latter is especially true for membership-based WordPress sites, where a password shared between multiple users means not everyone pays for access.
This can easily be mitigated with User Session Policies – a WP Activity Log feature that allows you to control WordPress user sessions automatically.
User session policies let you prohibit login sharing. Once the policy is set up, other users trying to log in with the same credentials will be stopped from logging in, limiting instances of login sharing. The policy can be set for all your users or for specific roles, giving you a fine degree of control over the implementation.
You can also terminate idle sessions automatically. You can specify the number of hours a session is allowed to idle before it is automatically terminated. Once a session is terminated, the user will need to log back in to continue what they were doing, helping you mitigate risks of certain types of attacks such as session hijacking.
Restrict login times
The principle of least privilege, as mentioned earlier in the article, can also be applied to login times thanks to Melapress Login Security. The plugin offers the ability to set up timed login policies, which let you restrict the times at which users can, and cannot, log in.
Policies can be set up site-wide or by role, giving you a fine degree of control over the implementation of timed login policies.
Disable inactive users
You can also use the Melapress Login Security plugin to enable a dormant user policy, preventing old and unused accounts from becoming a hacking threat. However, the dormant user policy is only intended for user accounts that will be used again in the near future.
You can also choose to delete users that have been inactive for a long time. However, do keep in mind that all user data will be lost when you delete any user account.
Monitor user activity in WordPress
Monitoring is an important part of an effective WordPress user management strategy. You can stay on top of all user activity and changes made to your WordPress website. The best way to accomplish this is by installing WP Activity Log.
Trusted by major brands such as Amazon and Intel, our plugin provides webmasters with a whole host of features. For example, it:
- Records information surrounding user logins, including IP address, time, and which account was used to gain access
- Creates a transparent activity log of all new content, users, and website settings changes
- Keeps an activity log of changes made in popular WordPress plugins such as WooCommerce, Yoast SEO, and WPForms
- Alerts webmasters of critical changes via email or SMS messages, such as changes in users’ passwords and roles
With the ability to track all user activities, including employees’ work, you can ensure they only carry out the tasks they are supposed to and not enact any website changes that put it at risk.
Real-time user monitoring
Using WP Activity Log, you can easily see who is logged in to your WordPress website or Multisite Network in real-time. Here, you can easily view:
- Logged-in users and their WordPress user role
- When their session started and when it will expire if the user does not log out
- The source IP address from where the user is connecting
- The users’ latest change on the WordPress site
- On which website is the user logged in (in case of a multisite network)
Through real-time user monitoring, which is available in the WordPress dashboard, you can also determine whether any login sharing is taking place. Simultaneous sessions with the same username are grouped together, making them easy to identify. You will notice the sessions of the user Mary Jones Smith grouped together in the screenshot below.
One thing worth pointing out here is the IP address. If multiple sessions have the same IP address, the user most likely logged in again without logging out of their previous sessions. Different IP addresses are a strong indicator of password sharing.
You can also terminate a session by clicking the Terminate Session button next to the session in question.
Of course, WP Activity Log also keeps a record of simultaneous sessions in the log, which can be referenced at any time. Here, you’ll find two distinct events of interest:
- Event ID 1004 keeps a record of a blocked user session
- Event ID 1005 keeps a record of simultaneous sessions with the same username
Since the plugin keeps a log of such events, you can use the built-in instant notifications & alerts to configure notifications and receive an email when events with ID 1004 or 1005 are recorded in the WordPress activity log.
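The IP-based heuristic described above can be applied directly to the session records WordPress keeps for each user. The following is an added example, not code from the article or from WP Activity Log; the sample session records are constructed, the function names are assumptions, and the audit function assumes it runs inside WordPress.

```php
<?php
/**
 * Added example (not from the article or WP Activity Log): flag accounts
 * whose concurrent sessions come from different IP addresses, the
 * password-sharing indicator described above. Sample data is constructed.
 */

// $sessions has the shape returned by WP_Session_Tokens::get_all(): one
// array per session with 'login' and 'expiration' Unix timestamps and the
// client 'ip' recorded at login.
function example_session_report( array $sessions, $now ) {
    $active = array_filter( $sessions, function ( $s ) use ( $now ) {
        return $s['expiration'] > $now;
    } );
    $ips = array_unique( array_column( $active, 'ip' ) );

    return array(
        'active_sessions' => count( $active ),
        'distinct_ips'    => count( $ips ),
        // Several sessions from one address usually means the user logged
        // in again without logging out; several addresses at the same time
        // is the strong indicator that the password is being shared.
        'likely_sharing'  => count( $active ) > 1 && count( $ips ) > 1,
    );
}

// Constructed sample: three concurrent sessions for one account, one of
// them from a second network (documentation address ranges). The report
// marks this account as likely sharing.
$now     = 1700000000;
$samples = array(
    array( 'ip' => '203.0.113.10', 'login' => $now - 3600, 'expiration' => $now + 169200 ),
    array( 'ip' => '203.0.113.10', 'login' => $now - 600,  'expiration' => $now + 172200 ),
    array( 'ip' => '198.51.100.7', 'login' => $now - 120,  'expiration' => $now + 172680 ),
);
$sample_report = example_session_report( $samples, $now );

// Live audit across all accounts. With $terminate = true it ends every
// session of a flagged account, the same effect as the Terminate Session
// button, so the legitimate user has to log in again.
function example_audit_sessions( $terminate = false ) {
    $flagged = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        $manager = WP_Session_Tokens::get_instance( $user->ID );
        $report  = example_session_report( $manager->get_all(), time() );
        if ( $report['likely_sharing'] ) {
            $flagged[ $user->user_login ] = $report;
            if ( $terminate ) {
                $manager->destroy_all();
            }
        }
    }
    return $flagged;
}
```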
Improve your WordPress user management
WordPress is undoubtedly the premier content management system for webmasters. However, you need to take steps to shore up your defenses in order to protect the integrity of your website and business.
In many cases, that will involve educating your users on best practices. You need to educate everyone, including your employees and customers. As the number of users grows, there’s bound to be a few that disregard your policies. This could leave your site open to outside threats.
Furthermore, if you operate an online business, many of your employees may work remotely. In that case, how can you track the changes they’re making to your WordPress website without specialist software that informs you? By the same token, how can you measure their performance?
In both cases, specialist plugins can provide the answer. They’re cost-effective, simple to install, and take just a few minutes of your time to configure.
By installing Melapress Login Security and WP Activity Log, you can better manage your website users by:
- Enforcing minimum password strengths to prevent malicious hacking attempts
- Locking out old or dormant users that present a high threat level
- Monitoring the actions of all users in real-time
- Receiving alerts about significant changes to the settings of your WordPress website and user profiles
- Restricting the number of simultaneous logins on one account
WordPress user management – an ongoing process
WordPress user management is an important part of managing and securing your WordPress websites. While WordPress does provide basic functionality for managing users, you’ll also find a slew of free user management plugins, as well as premium ones, to help you make light work of this ongoing task.
As is always the case, start with figuring out your requirements first. This will help you understand if you need a WordPress user management plugin, a role editing plugin, or a login security plugin.
Frequently Asked Questions
WordPress has several features and tools that can help you manage users, including the default roles and user account options. However, you can increase the effectiveness of your WordPress user management through plugins. With plugins, you get tools such as role editors, login time restrictions, session management, password policies, and much more.
Melapress Login Security and WP Activity Log are great plugins that help you effectively manage users. Both plugins are covered in the article, along with other options that will help you make your WordPress user management a resounding success.
You can easily track users using WP Activity Log. This comprehensive plugin logs user activity across WordPress and many third-party plugins such as WooCommerce, MemberPress, and many others. You can get the basic free plugin or opt for the premium edition for even more features.