Users in WordPress are an essential part of managing a website. Even if you're a small business blog and only need one user to publish everything, adding multiple users (and even using secondary users to post) is worthwhile as a security measure.

There are a lot of different security concerns you may have, so this tutorial is a much deeper topic than you might think at first glance. Let's talk about it!

What are WordPress User Roles?

Before getting into the specific process of how you can add new users and manage the users you have, it's worth it to talk about roles for a moment.

What are roles? Well, most good CRMs allow you to set different users to different levels of permissions. If you hire an intern as a data analyst, you don't want them to have full editing permission for your entire site. You don't want them to be able to do things like edit or delete blog posts, publish content without any warning or pre-approval process, or otherwise do something that could damage your site. So, you give them a lower level of access to your dashboard and information.

You can generally use two kinds of systems to manage account permissions.

• Some systems use discrete permissions, which you add or remove for various users individually.
• Others, like WordPress, have pre-defined rules with associated permissions. It's less granular but easier to manage, which is why WordPress uses it.

A new WordPress user can have one of six distinct default user roles.

These are:

• Super Admin* (*if multisite is enabled)
• Administrator
• Editor
• Author
• Contributor
• Subscriber

These different roles have a decreasing amount of access and permissions from top to bottom:

1. Super Admin

Super Admins are the most all-powerful site owner roles. Your site might not have them, though, so what gives?

Super Admins are Admins, except instead of having Admin powers for one site, they have Admin powers (and management powers) for every website in a multisite setup. In some instances, multisite networks are an exciting and valuable concept, but 99.9% of business owners won't need to care about them.

So, I'm mostly glossing over this role; you probably don't need it. If you do, check out the link above.

2. Administrator

The administrator role (also known as the Admin role) is your general site owner and manager role. They have just about every possible power, except in the case of multisites, where they're a little more limited, and those powers are the Super Admin's. For single-site installations, the Admin is the owner.

Your primary account is an admin account. Admins can add and remove plugins, add, edit, and delete posts and pages, edit themes, manage other users, create and edit reusable blocks, and so on. They can do anything, inluding deleting or adding new users.

3. Editors

Editors play a decisive role in WordPress in terms of blogging and content. They can add, edit, and remove published posts, manage pages, manage and moderate comments, and so on. They essentially have complete control over the content of your site.

They differ from Admins in that Editors do not have access to site-level settings. They can't change themes, manage WordPress plugins, or change site settings or customization options.

4. Authors

Author accounts are pretty limited. They're what you would use if you want to have several authors writing content for your site, publishing under their names, but without giving them access to any other functions of your site. They can write, edit, post, unpublish, and delete their content, but nothing else. They can't edit or alter the content created by another account, and while they can see comments, they can't moderate them.

They also have zero access to site settings; it's a locked-down role, perfect for people writing fresh content for your site.

5. Contributors

Contributors are like Authors, except slightly more locked down. They can create and edit posts but cannot publish them; they need an editor or above to hit the button to publish content.

This role is suitable for sites where you want editorial oversight over the content your writers create and don't want them to be able to publish on your site freely. Many WordPress websites do this outside the WordPress dashboard, but it's perfectly valid to manage it in-dashboard too.

The biggest drawback is that while Authors can upload files and images to embed in their content, Contributors cannot. So, you'll need someone else to add and edit photos.

6. Subscribers

Subscribers are just readers who have an account with your site. Under normal circumstances, this does absolutely nothing. However, if you set up a membership portal and member's-only content, subscriber roles with an active membership will be the permission level that can access it, while non-subscriber users cannot.

I don't usually recommend this role – there are better ways to manage membership content, so it's not a heavily-used account setting.

7. Additional Roles

There are a lot of plugins out there that offer various features in WordPress, and some of them add new roles to your site. For example, the popular SEO plugin Yoast adds SEO Editor and SEO Manager roles to your site. These user accounts can edit and manage the SEO settings for your site with various levels of access.

Finally, you can always add a custom role to choose individual permissions. For example, say you want an account with permissions somewhere between contributor and author. To do this, you need a plugin that can create new roles for you or some custom code allowing you to add them. You can read more about this here.

All this information is helpful because when you add a new account to WordPress, you need to pick the role the account will fill. Now you know what the roles are and can choose appropriately.

How to Add a New User to WordPress

The actual process for adding a new user in WordPress is quite simple.

1: Log into your WordPress site's dashboard. Make sure you're logged in as an Admin or Super Admin. Otherwise, you won't be able to add a user.

2: Click "Users" dropdown in the left-hand navigation menu. This section will bring you to the user management page.

3: Click the "Add New" button at the top of the main pane.

4: Fill out the relevant information for the new account. This info includes:

• Username. This field is the name the user will use to log in and should be a unique identifier for the user. It's also public, so don't choose something you don't want to be visible.
• Email. This field is the contact email address for the user. Even though you're creating the account, you want their email address so that they can manage it.
• First Name and Last Name. These customize the display name of the user. You can leave them blank and let the user fill them out later if you want; unlike usernames, users can change them anytime.
• Website URL. Like the display name, the user can add this later or leave it blank if you don't want your users to link to other sites in their own profiles.
• Password. This field is the user's password to log into their account. Generate a strong password, and recommend that the user change it once they can log in, just for security. You may also want to enable 2FA on WordPress for added protection.
• Role. Choose the role the user will have according to your needs above.

At this point, the user will get an email saying their account is set up (unless you unticked that box), and you can give them their information to log in. Simple, right?

Letting Users Register Themselves

If you don't want to create every new account manually, or if you want to run a membership site where users can register for themselves, you can enable account creation. To do so, click on the "Settings" menu and "General." On this menu, there's a Membership item. You can check the box that says, "Anyone can register." This checkbox allows anyone who visits your site to be able to register an account. If you do this, ensure that the default new user role is a subscriber or other locked-down role.

I generally don't recommend enabling new user registration. First of all, spam bots will happily register new accounts in the hopes of getting access to things like publishing or site settings. Even if they don't have access, having a member list that balloons up can make managing your legitimate users much harder.

Moreover, there are plenty of plugins to manage a membership version of your site that gives you more nuanced and effective control, not to mention anti-spam options, so using the WordPress default doesn't make sense to me.

Helpful Plugins for Managing New Users in WordPress

WordPress has plugins for everything, so it shouldn't be surprising that they have plugins for managing new users.

Here are a few helpful plugins you might consider using.

• User Role Editor – Remember above, when I mentioned that some CRMs allow you to check and uncheck various permissions on a per-user basis, so you can customize the capabilities of each user? And how does WordPress not have that? Well, this plugin gives you that ability. It lets you add new template roles, copy and edit their permissions, and manage capabilities per user. It's robust and free, though it has a paid version with even more management features, like role management widgets and content gating for specific roles.
• WordPress User Login Notifier – Security is essential, so it can be helpful to know when people are logging into their accounts or when they try and fail. This plugin sends email notifications to various people when a user logs in and when a login attempt fails. You can notify the super admin, the admin, the user, or both. Please don't use it for a membership site. Otherwise, you'll end up spammed with way too many emails on successful logins.
• Limit Login Attempts Reloaded – Every account can be vulnerable to attack. There are legions of bots out there with nothing better to do than hammer your login page with username and password attempts, either working off leaked password lists or just known credentials that might work. This phenomenon is why changing your default Admin name is a good idea, to make it harder for them to access your high-level accounts.

Limit Login Attempts limit the number of failed attempts an account can use to access it before blocking the IP attempting it for a certain amount of time. It also shows you logs of attempts to get into your site, what usernames they're targeting, what IP addresses are attacking you, and more. All in all, it's beneficial for preventing intrusions without getting in the way of your actual users.

Over to You

Do you have any further questions about adding new users, managing user roles, or account security that I haven't addressed in this post? If so, let me know in the comments, and I'll answer there (and add info to the post if necessary.)

It's all relatively simple and intuitive; you just need to know where to look and the best practices. I'm here to help!