One of the features that makes WordPress so attractive to businesses is the different user levels, from administrators to authors to subscribers.
This enables any number of people to contribute to the site, from anywhere in the world.
Users with administrator rights have complete control. They can wreak havoc if they don’t know what they are doing, so naturally you only want people you fully trust to have access to the administration area.
By default, there are five user levels (plugins enable you to create more if you want). Here they are in order of importance and power: Administrator, Editor, Author, Contributor and Subscriber.
Here is a summary of each user level and its capabilities:
Administrators have full and absolute control. They can shut down a site, update the core files, install, update and delete themes, install, update and delete plugins, create and delete users, publish and delete posts/pages and stop search engines from indexing the site.
There must be at least one account at this level.
Upon installation, WordPress creates a user with the username ‘admin’. If you can change the username at the install stage, do it.
Read this post to find out why and what to do if you already use the ‘admin’ username and want to stop (it’s worth a few minutes of your time).
If you want others to help you at this level you should only ever allow access to people you fully trust.
Editors have a lot of control too, but they can’t do any major damage to the site (such as running updates, changing the core files or changing plugins and themes).
Editors have full control over content and can edit, publish and delete posts by any other user. They can also manage categories, manage links, moderate comments and upload files.
Authors have control over their own content. They can create, publish and delete their own posts but they have no control over, or access to, pages (find out the difference between posts and pages).
Contributors can’t do much, only edit and delete their own posts.
Subscribers can only read posts.
Customising User Levels
With the aid of a plugin such as User Role Editor you can create custom user levels, and you can add or remove certain capabilities from existing user levels. For example, if you want to vet content before it’s published you can remove the ability for any user to publish their own content, or you can stop anyone from uploading files. All you have to do is tick or untick the box associated with each capability.
Using the same plugin, you can assign certain capabilities to individual users.
Here is a screenshot of the Author level in User Role Editor:
The default user role is Subscriber. You can change this to any of the other levels by navigating to Settings > General and making your choice from the drop-down menu.
To upgrade or downgrade an existing user, navigate to Users, find the account you want to change, click on the username and select the new user level from the drop-down menu.
During the installation process WordPress creates a user called admin and gives that user full control over the site. Hackers know this and use their knowledge to try to hack WordPress sites. They use software to locate the login page, enter the username admin and a random password – if the password works, they’re in and take control of your site.
For this reason it’s a good idea to delete the admin user account and transfer the posts to another user, or better still, use a username other than admin when installing WordPress.
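An audit of the points above (who holds the Administrator level, whether the ‘admin’ username still exists, whether the default level is still Subscriber, and whether a customised level has picked up administrator-only capabilities), as an added example that is not part of the original article. It assumes it runs inside a loaded WordPress site, for instance with WP-CLI's wp eval-file; the file name audit-roles.php and the function audit_user_levels are hypothetical.

```php
<?php
// Added example: run inside WordPress, e.g. `wp eval-file audit-roles.php`.
// Capabilities the article reserves for Administrators (WordPress core names).
$admin_only_caps = [
    'update_core', 'install_plugins', 'update_plugins', 'delete_plugins',
    'install_themes', 'update_themes', 'delete_themes',
    'create_users', 'delete_users', 'manage_options',
];

function audit_user_levels( array $admin_only_caps ): array {
    $findings = [];

    // 1. New registrations should land in the lowest level.
    $default = get_option( 'default_role' );
    if ( 'subscriber' !== $default ) {
        $findings[] = "Default role for new users is '{$default}', not 'subscriber'.";
    }

    // 2. A literal 'admin' login leaves only the password to be guessed.
    $admin = get_user_by( 'login', 'admin' );
    if ( $admin ) {
        $findings[] = sprintf(
            "User 'admin' exists (ID %d, roles: %s, posts to reassign: %d).",
            $admin->ID, implode( ',', $admin->roles ), count_user_posts( $admin->ID )
        );
    }

    // 3. List every account holding the Administrator level for review.
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        $findings[] = "Administrator account: {$user->user_login}";
    }

    // 4. Flag non-administrator roles (e.g. edited with a role plugin) that
    //    have been granted site-level capabilities.
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $extra   = array_intersect( $admin_only_caps, $granted );
        if ( $extra ) {
            $findings[] = "Role '{$slug}' holds: " . implode( ', ', $extra );
        }
    }
    return $findings;
}

foreach ( audit_user_levels( $admin_only_caps ) as $line ) {
    echo $line, PHP_EOL;
}
```

The script only reads settings and accounts; it changes nothing, so it can be run on a live site before deciding which accounts to downgrade or delete.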