[Image: is-wordpress-secure]

5th June 2016

Following on from Part 3 about usernames and passwords, let me show you a really simple trick that will dramatically improve the security of any WordPress site you’ll ever work with.

You already know that when you set up your WordPress site, the account you create during installation is an Administrator account, and any time you log in with an Administrator account you have complete control over everything that happens on the site. That also means that if you log in to your site from a network that isn’t secure, someone could be snooping on the traffic between your computer and your server and pick up the username and password you’re using.

This is not very likely, but if it does happen while you’re using your Administrator account, they’ll have Admin access to your site, and you really don’t want that. So here is a small trick you can use to avoid it. When you set up your site you’ll always have an Administrator account, and that account needs to be there so you can administer the site. However, you should also set up a separate account for yourself at the Editor level, and that’s the account you should use to publish any content on your site.

[Screenshot: summary of WordPress user roles]

That way, when you log in with your regular user account, which is set to the Editor role, then you can create content, edit content, and publish content, but you can’t administer the site, meaning you can’t change the themes or edit the themes or do anything else major on the site. The Administrator account, as you can see down here, is only for when you want to actually administer the site itself, add plugins, change the theme, or do something with the settings. That way, you’re only logging in as an Administrator when absolutely necessary, and in all the other cases, you’re just logging in as an Editor.

You can also add other people to your site, and if you do, you should always use the different user levels according to what they’re going to do. If they’re just going to write content but shouldn’t be able to publish it themselves, set them as Contributors. If they’re going to write content and be allowed to edit their own content after it’s been published, set them as Authors. If they’re allowed to edit other people’s content, then they should be Editors.

[Screenshot: Administrator and Editor accounts on the Users screen]

And to be honest, the only person who should be the Administrator is the Site Owner or the Site Manager, and that person should have two accounts: one that’s just an Administrator account, and another that’s an Editor account used any time something is published.

One more piece of information you need to remember. Each WordPress account is tied to an email address, so if you’re setting up two accounts for yourself, one Super Admin, which is the Administrator, and one regular Editor account that you’re going to publish with, then you should always attach your regular email address, the one you use for Gravatar, to the Editor account. That way, your published content is tied to your Gravatar, and the Superuser, the Administrator, is only tied to the Administrator status and nothing else.

So, the next time you log into your WordPress site, if you haven’t done so already, set up a new Administrator account with a different email address from the one you normally use. Then log in as that Administrator and downgrade your current active account to Editor status. That way you retain all the posts that were created by that account, and you no longer run the risk of leaking the Administrator password every time you log in to your site just to publish new content or edit the content that’s already there.
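The same procedure as a WP-CLI script, added here as an example and not code from the original post: it checks that the dedicated Administrator account already exists, then demotes every other Administrator to Editor so their posts stay attributed to them. The account login in `KEEP_ADMIN` is a placeholder, and `DRY_RUN` is an assumed switch that only reports until you set it to `false`.

```php
<?php
/**
 * Audit WordPress administrators and demote the ones used for publishing.
 * Run with WordPress loaded:   wp eval-file demote-publishing-admins.php
 * Assumes WP-CLI is installed and the dedicated Administrator account
 * has already been created through the Users screen.
 */

const KEEP_ADMIN = 'site-admin'; // placeholder: login of the account to keep as Administrator
const DRY_RUN    = true;         // assumed switch: report only until set to false

$keep = get_user_by( 'login', KEEP_ADMIN );
if ( ! $keep || ! in_array( 'administrator', (array) $keep->roles, true ) ) {
    // Never demote anyone unless a separate Administrator exists, or you lock yourself out.
    echo "Create the dedicated Administrator account first; nothing changed.\n";
    exit( 1 );
}

// Every account currently holding the Administrator role.
$admins = get_users( array( 'role' => 'administrator' ) );
echo count( $admins ) . " administrator account(s) found.\n";

foreach ( $admins as $user ) {
    // Published posts authored by this account. An Administrator that has been
    // publishing is exactly the account the post says should be an Editor.
    $published = (int) count_user_posts( $user->ID, 'post', true );

    if ( $user->ID === $keep->ID ) {
        printf( "keep   %-20s %s (%d published posts)\n", $user->user_login, $user->user_email, $published );
        if ( $published > 0 ) {
            echo "       warning: the dedicated Administrator has authored content; publish with the Editor account instead.\n";
        }
        continue;
    }

    printf( "demote %-20s %s -> editor (%d published posts retained)\n", $user->user_login, $user->user_email, $published );
    if ( ! DRY_RUN ) {
        // set_role() replaces the user's roles with Editor; post authorship is unaffected.
        $user->set_role( 'editor' );
    }
}
```

Run it once with `DRY_RUN` left at `true` to see which accounts would be affected, then flip it to `false` and run again.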

Part 4 of the WordPress Security Best Practices series:
Part 1 : Is WordPress Secure?
Part 2 : Keeping WordPress up to date
Part 3 : WordPress Backups and Logins
Part 4 : Limit WordPress admin access

About Blueocto

Blueocto is a web design and development company, based in North Tyneside, UK.

We work with sole traders, small and medium-sized businesses.
