The Ultimate Guide to Adding a New User in WordPress

James Parsons by James Parsons Updated Mar 27th, 2024 11 min read

0:00 Listen to audio podcast

Illustration of Adding Users on WordPress

Users in WordPress are an essential part of managing a website. Even if you're a small business blog and only need one user to publish everything, adding multiple users (and even using secondary users to post) is worthwhile as a security measure.

There are a lot of different security concerns you may have, so this tutorial is a much deeper topic than you might think at first glance. Let's talk about it!

30 Second Summary

WordPress users are important for website management. Even single-user sites benefit from additional users for security. WordPress boasts various user roles including Super Admin, Administrator, Editor, Author, Contributor, and Subscriber, each with differing levels of access and permissions. Adding a new WordPress user requires an admin login, username, email, names, URL, password, and choosing their role. Plugins can aid in managing new users, but always remember to give permission based on requirement for enhanced security. WordPress also allows self-registration.

What are WordPress User Roles?

Before getting into the specific process of how you can add new users and manage the users you have, it's worth it to talk about roles for a moment.

What are roles? Well, most good CRMs allow you to set different users to different levels of permissions. If you hire an intern as a data analyst, you don't want them to have full editing permission for your entire site. You don't want them to be able to do things like edit or delete blog posts, publish content without any warning or pre-approval process, or otherwise do something that could damage your site. So, you give them a lower level of access to your dashboard and information.

You can generally use two kinds of systems to manage account permissions.

  • Some systems use discrete permissions, which you add or remove for various users individually.
  • Others, like WordPress, have pre-defined rules with associated permissions. It's less granular but easier to manage, which is why WordPress uses it.

A new WordPress user can have one of six distinct default user roles.

Default User Roles

These are:

  • Super Admin* (*if multisite is enabled)
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

These different roles have a decreasing amount of access and permissions from top to bottom:

1. Super Admin

Super Admins are the most all-powerful site owner roles. Your site might not have them, though, so what gives?

Super Admins are Admins, except instead of having Admin powers for one site, they have Admin powers (and management powers) for every website in a multisite setup. In some instances, multisite networks are an exciting and valuable concept, but 99.9% of business owners won't need to care about them.

Super Admin Role Screenshot of User List

So, I'm mostly glossing over this role; you probably don't need it. If you do, check out the link above.

2. Administrator

The administrator role (also known as the Admin role) is your general site owner and manager role. They have just about every possible power, except in the case of multisites, where they're a little more limited, and those powers are the Super Admin's. For single-site installations, the Admin is the owner.

Your primary account is an admin account. Admins can add and remove plugins, add, edit, and delete posts and pages, edit themes, manage other users, create and edit reusable blocks, and so on. They can do anything, inluding deleting or adding new users.

Default Admin Role

Security note: WordPress admin accounts are named "admin" on a fresh installation, and most people don't change this. This default name is a security risk; anyone looking to brute force their way into your site has half the information already if you use the default name. This phenomenon is why it's always a good idea to change the name of your admin account.

3. Editors

Editors play a decisive role in WordPress in terms of blogging and content. They can add, edit, and remove published posts, manage pages, manage and moderate comments, and so on. They essentially have complete control over the content of your site.

They differ from Admins in that Editors do not have access to site-level settings. They can't change themes, manage WordPress plugins, or change site settings or customization options.

4. Authors

Author accounts are pretty limited. They're what you would use if you want to have several authors writing content for your site, publishing under their names, but without giving them access to any other functions of your site. They can write, edit, post, unpublish, and delete their content, but nothing else. They can't edit or alter the content created by another account, and while they can see comments, they can't moderate them.

WordPress Permissions for Blog Authors

They also have zero access to site settings; it's a locked-down role, perfect for people writing fresh content for your site.

Note: It would be best if you didn't assign this to guest post authors, as there's nothing stopping people from editing their own posts and inserting spam or links into them after some time has passed.

5. Contributors

Contributors are like Authors, except slightly more locked down. They can create and edit posts but cannot publish them; they need an editor or above to hit the button to publish content.

This role is suitable for sites where you want editorial oversight over the content your writers create and don't want them to be able to publish on your site freely. Many WordPress websites do this outside the WordPress dashboard, but it's perfectly valid to manage it in-dashboard too.

Pending Review in WordPress

Is your blog earning you business? If not, let's fix that.

We create blog content that converts - not just for ourselves, but for our clients, too.

We pick blog topics like hedge funds pick stocks. Then, we create articles that are 10x better to earn the top spot.

Content marketing has two ingredients - content and marketing. We've earned our black belts in both.

If you run an internet-based business and are looking to scale, schedule a call to speak with our founder:

The biggest drawback is that while Authors can upload files and images to embed in their content, Contributors cannot. So, you'll need someone else to add and edit photos.

Note: This role is the most secure for guest post authors and is recommended for first-time writers or people you do not yet fully trust.

6. Subscribers

Subscribers are just readers who have an account with your site. Under normal circumstances, this does absolutely nothing. However, if you set up a membership portal and member's-only content, subscriber roles with an active membership will be the permission level that can access it, while non-subscriber users cannot.

I don't usually recommend this role – there are better ways to manage membership content, so it's not a heavily-used account setting.

7. Additional Roles

There are a lot of plugins out there that offer various features in WordPress, and some of them add new roles to your site. For example, the popular SEO plugin Yoast adds SEO Editor and SEO Manager roles to your site. These user accounts can edit and manage the SEO settings for your site with various levels of access.

Additional WordPress Roles Example From yoast

Finally, you can always add a custom role to choose individual permissions. For example, say you want an account with permissions somewhere between contributor and author. To do this, you need a plugin that can create new roles for you or some custom code allowing you to add them. You can read more about this here.

All this information is helpful because when you add a new account to WordPress, you need to pick the role the account will fill. Now you know what the roles are and can choose appropriately.

How to Add a New User to WordPress

The actual process for adding a new user in WordPress is quite simple.

Multi Users WordPress

1: Log into your WordPress site's dashboard. Make sure you're logged in as an Admin or Super Admin. Otherwise, you won't be able to add a user.

2: Click "Users" dropdown in the left-hand navigation menu. This section will bring you to the user management page.

3: Click the "Add New" button at the top of the main pane.

4: Fill out the relevant information for the new account. This info includes:

  • Username. This field is the name the user will use to log in and should be a unique identifier for the user. It's also public, so don't choose something you don't want to be visible.
  • Email. This field is the contact email address for the user. Even though you're creating the account, you want their email address so that they can manage it.
  • First Name and Last Name. These customize the display name of the user. You can leave them blank and let the user fill them out later if you want; unlike usernames, users can change them anytime.
  • Website URL. Like the display name, the user can add this later or leave it blank if you don't want your users to link to other sites in their own profiles.
  • Password. This field is the user's password to log into their account. Generate a strong password, and recommend that the user change it once they can log in, just for security. You may also want to enable 2FA on WordPress for added protection.
  • Role. Choose the role the user will have according to your needs above.

At this point, the user will get an email saying their account is set up (unless you unticked that box), and you can give them their information to log in. Simple, right?

Pro tip: Always give users the lowest permissions necessary to do their job. Even if the permissions seem like they would be harmless for a user to have when they don't need them, it's better to restrict access by default than to let users access things they shouldn't be able to. For example, if you have writers working for you and all they do is produce content for your editors to optimize and publish, you can give them a contributor role rather than an author role.

Letting Users Register Themselves

If you don't want to create every new account manually, or if you want to run a membership site where users can register for themselves, you can enable account creation. To do so, click on the "Settings" menu and "General." On this menu, there's a Membership item. You can check the box that says, "Anyone can register." This checkbox allows anyone who visits your site to be able to register an account. If you do this, ensure that the default new user role is a subscriber or other locked-down role.

I generally don't recommend enabling new user registration. First of all, spam bots will happily register new accounts in the hopes of getting access to things like publishing or site settings. Even if they don't have access, having a member list that balloons up can make managing your legitimate users much harder.

Moreover, there are plenty of plugins to manage a membership version of your site that gives you more nuanced and effective control, not to mention anti-spam options, so using the WordPress default doesn't make sense to me.

Helpful Plugins for Managing New Users in WordPress

WordPress has plugins for everything, so it shouldn't be surprising that they have plugins for managing new users.

User Permissions Screenshot From Role Editor

Here are a few helpful plugins you might consider using.

  • User Role Editor – Remember above, when I mentioned that some CRMs allow you to check and uncheck various permissions on a per-user basis, so you can customize the capabilities of each user? And how does WordPress not have that? Well, this plugin gives you that ability. It lets you add new template roles, copy and edit their permissions, and manage capabilities per user. It's robust and free, though it has a paid version with even more management features, like role management widgets and content gating for specific roles.
  • WordPress User Login Notifier – Security is essential, so it can be helpful to know when people are logging into their accounts or when they try and fail. This plugin sends email notifications to various people when a user logs in and when a login attempt fails. You can notify the super admin, the admin, the user, or both. Please don't use it for a membership site. Otherwise, you'll end up spammed with way too many emails on successful logins.
  • Limit Login Attempts Reloaded – Every account can be vulnerable to attack. There are legions of bots out there with nothing better to do than hammer your login page with username and password attempts, either working off leaked password lists or just known credentials that might work. This phenomenon is why changing your default Admin name is a good idea, to make it harder for them to access your high-level accounts.

Limit Login Attempts limit the number of failed attempts an account can use to access it before blocking the IP attempting it for a certain amount of time. It also shows you logs of attempts to get into your site, what usernames they're targeting, what IP addresses are attacking you, and more. All in all, it's beneficial for preventing intrusions without getting in the way of your actual users.

Over to You

Do you have any further questions about adding new users, managing user roles, or account security that I haven't addressed in this post? If so, let me know in the comments, and I'll answer there (and add info to the post if necessary.)

It's all relatively simple and intuitive; you just need to know where to look and the best practices. I'm here to help!

Written by James Parsons

James Parsons is the founder and CEO of Content Powered, a premier content marketing agency that leverages nearly two decades of his experience in content marketing to drive business growth. Renowned for founding and scaling multi-million dollar eCommerce businesses through strategic content marketing, James has become a trusted voice in the industry, sharing his insights in Search Engine Watch, Search Engine Journal, Forbes, Entrepreneur, Inc, and other leading publications. His background encompasses key roles across various agencies, contributing to the content strategies of major brands like eBay and Expedia. James's expertise spans SEO, conversion rate optimization, and effective content strategies, making him a pivotal figure in the industry.