📖 WordPress Security

Users and User Profiles

Security begins with user access control. WordPress allows you to create users with different levels of access called roles. WordPress ships with 6 default roles, each with its own set of capabilities. You can add additional roles if you need them.

  • Super Admin – somebody with access to the site network administration features and all other features.
  • Administrator – somebody who has access to all the administration features within a single site.
  • Editor – somebody who can publish and manage posts, including the posts of other users.
  • Author – somebody who can publish and manage their own posts.
  • Contributor – somebody who can write and manage their own posts but cannot publish them.
  • Subscriber – somebody who can only manage their profile.

By creating users with the appropriate role, you can enhance the security of your site by controlling user access. Get more information about profile settings from WP Beginner.

Security Best Practices

Security is a big topic in WordPress. The developers of WP have spent a lot of time and resources building security into the core application as well as dealing with vulnerabilities that arise from new exploits in the core, plugins and themes. Many of these topics are covered in a variety of articles on site security. You should take some time and review them.

Create a new administrative account

  • do not use admin or administrator as the account name
  • create a strong password of 10-15 characters with a mix of letters, numbers and special characters that is not easily guessable
  • log in with this account and disable the default account

Apply patches and updates promptly, including updates to themes and plugins, to close security holes

  • Use SFTP instead of FTP to connect securely to your blog for file uploads and downloads.
  • Delete unused themes and plugins.

Manage users

  • only give users the access they need
  • you can create custom roles if necessary
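The least-privilege idea behind "only give users the access they need" and "you can create custom roles" can be expressed in a small plugin. This is an added example for this course page, not code from WordPress or from any plugin the page mentions; the role slug `course_reviewer`, its display name and the function names are constructed for the example, while `add_role`, `remove_role`, `wp_roles`, `current_user_can` and the activation/notice hooks are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: Course Least-Privilege Role (added example)
 *
 * Registers a custom "course_reviewer" role that can edit other people's
 * posts but cannot publish, delete, or touch plugins, themes or users, and
 * warns administrators if any other role has picked up admin-only powers.
 */

// Capabilities granted to the custom role. Anything not listed is denied:
// WordPress only grants a capability that is explicitly present and truthy.
const COURSE_REVIEWER_CAPS = [
    'read'              => true,
    'edit_posts'        => true,
    'edit_others_posts' => true,
    'publish_posts'     => false, // listed as denied so an audit shows intent
    'delete_posts'      => false,
];

function course_register_reviewer_role() {
    // add_role() returns null when the role already exists, so repeated
    // activation is safe and never widens an existing role.
    add_role( 'course_reviewer', 'Course Reviewer', COURSE_REVIEWER_CAPS );
}
register_activation_hook( __FILE__, 'course_register_reviewer_role' );

function course_remove_reviewer_role() {
    remove_role( 'course_reviewer' ); // do not leave an unused role behind
}
register_deactivation_hook( __FILE__, 'course_remove_reviewer_role' );

// Audit helper: which role slugs currently hold a given capability?
function course_roles_with_cap( $cap ) {
    $matches = [];
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $matches[] = $slug;
        }
    }
    return $matches;
}

// Dashboard warning if a non-administrator role can install plugins,
// manage users or edit theme files (checks capability, never the role name).
function course_privileged_cap_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators need to see this notice
    }
    foreach ( [ 'install_plugins', 'edit_users', 'edit_themes' ] as $cap ) {
        $extra = array_diff( course_roles_with_cap( $cap ), [ 'administrator' ] );
        if ( $extra ) {
            printf( '<div class="notice notice-warning"><p>%s</p></div>',
                esc_html( "Role(s) " . implode( ', ', $extra ) . " hold '$cap'; review them." ) );
        }
    }
}
add_action( 'admin_notices', 'course_privileged_cap_notice' );
```

Assign the role to a user from Users > Edit User; the notice appears on every admin page until the extra capability is removed from the offending role.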

Consider installing and using security plugins

Note: You need to be careful and make sure you read all the documentation for these security plugins. Some are very restrictive and you can end up locking yourself out of your site. We are not going to use any of these for this course.

Gravatars

When browsing different web sites, you may notice that many users have a picture next to their name. These pictures are called “avatars.” WordPress, however, uses a specific type of avatar called a “Gravatar,” short for “Globally Recognized Avatar.” Unlike standard avatars, gravatars follow you around the web and automatically appear when you post a comment on a WordPress site. WordPress.org has more information about gravatars.