WordPress: Users or Losers

Administering a WordPress site isn’t easy, and anyone new to the application who expects a straightforward website-building experience is in for an unpleasant surprise. Whenever dealing with WordPress, it’s important to remember its original purpose: publishing. That means that, whether you planned for it or not, user management is a fundamental skill you need if you want any success with WordPress. So what’s the best way to handle it?

Authentication

The best place to start is understanding the method by which people can access your site. Because WordPress’s core functionality is blogging, the application offers individuals outside of an organization the ability to create profiles, enabling users to follow posts and make comments. Any additional capabilities that are available to these users are managed by the site’s Administrator, which might be a new responsibility for anyone transitioning from Wix or Squarespace.

It all starts with deciding whether visitors can create a profile. Yes, that’s correct: admins can toggle the ability for outsiders to create profiles by opening the Settings – General menu and checking, or unchecking, the “Anyone can register” option.

Figure: The Membership Option in General Settings (WordPress Settings screen)
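The “Anyone can register” checkbox is just a row in the options table, so a determined or careless administrator can flip it back on at any time. As an added example (not code from the article or from any plugin it names), the following must-use plugin pins that decision in code and warns administrators when the stored setting drifts from it. The plugin name and the rtr_example_ function name are hypothetical; the WordPress hooks and functions it calls (pre_option_{$option}, __return_zero, admin_notices, $wpdb) are real.

```php
<?php
/**
 * Plugin Name: Registration Guard (added example, hypothetical name)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 *
 * Enforces the "Anyone can register" decision in code: registration stays
 * off and new accounts (if ever created) default to Subscriber, even if
 * someone with admin access flips the checkbox in Settings > General.
 */

// Short-circuit get_option('users_can_register') so it always reads as 0 (off).
// The pre_option_{$option} filter replaces the stored value before it is read;
// returning anything other than false stops WordPress from consulting the DB.
add_filter('pre_option_users_can_register', '__return_zero');

// Pin the default role for any newly created account to Subscriber.
add_filter('pre_option_default_role', function () {
    return 'subscriber';
});

/**
 * Return the value actually stored in the database, bypassing the filter
 * above, so an administrator can see whether the UI setting was changed
 * behind the guard. Returns '1' when the checkbox is on, '0' or '' otherwise.
 */
function rtr_example_stored_registration_setting() {
    global $wpdb;
    return (string) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
            'users_can_register'
        )
    );
}

// Warn administrators on every admin page when the stored setting disagrees
// with the enforced value, so the drift gets noticed and investigated.
add_action('admin_notices', function () {
    if (! current_user_can('manage_options')) {
        return;
    }
    if (rtr_example_stored_registration_setting() === '1') {
        echo '<div class="notice notice-warning"><p>'
            . esc_html('"Anyone can register" is enabled in the database but is being overridden by Registration Guard. Check who changed it.')
            . '</p></div>';
    }
});
```

Because it lives in mu-plugins, the guard cannot be deactivated from the Plugins screen; removing the file is the only way to re-enable open registration, which is the point.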

If administrators decide to allow users to create profiles, it’s a best practice to install additional features that help with user management. Anti-spam tools, as well as adding a second level of authentication, are the first steps in hardening access to WordPress. One of our favorite plugins on this topic is Simple Google reCAPTCHA by Michal Novak.

Setting up a Google reCAPTCHA account will take some work, but the plugin is highly effective and free to use. reCAPTCHA adds a challenge to areas of WordPress that contain forms, asking users to complete a basic interaction before they can submit the data. Adding it to the profile-creation and contact forms does a great job of preventing an explosion of fake users.

Authorization

After making sure the only people who can access WordPress are authentic, the next step is making sure they aren’t authorized to carry out any nefarious deeds. Every authenticated user is assigned a set of privileges called Capabilities. Capabilities determine whether users can carry out certain tasks, like creating posts or adding users. Most users’ capabilities are predetermined by the Role the user has been assigned.

Roles are categories of users that almost all applications use to quickly assign permissions. In WordPress, most roles relate to publishing duties, like Author, Editor, and Contributor, but the default Role for new profiles is Subscriber. With that in mind, it’s not enough simply to be aware of Roles; administrators have to know how to manage them.

As more plugins are added to a site, they create a variety of new Roles during installation. Plugins create these roles because the preinstalled ones relate to publishing, making them insufficient for the plugins’ needs. At RTR Digital, we rely on Members, by MemberPress, to manage the Roles within our site.
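Roles and Capabilities are ordinary data that plugin code can create and inspect, which is what makes plugin-created roles both useful and risky. As an added example (not code from the article or from the Members plugin), the plugin below does the two things an administrator most often needs here: it registers a narrowly scoped Role instead of reusing Editor, and it audits every Role on the site for capabilities that amount to administrator power. The plugin name, the content_reviewer role, the capability list and the rtr_example_ names are hypothetical; add_role, remove_role, wp_roles(), current_user_can and the hooks are real WordPress APIs. It belongs in wp-content/plugins/ (not mu-plugins), because activation hooks only fire for regular plugins.

```php
<?php
/**
 * Plugin Name: Role Audit (added example, hypothetical name)
 *
 *  1. create a least-privilege Role instead of handing out Editor or Administrator;
 *  2. audit every Role on the site for capabilities that grant admin-level power.
 */

// Capabilities that effectively make a user an administrator. Any role other
// than 'administrator' holding one of these deserves a second look.
const RTR_EXAMPLE_HIGH_RISK_CAPS = [
    'manage_options',    // change any setting, including "Anyone can register"
    'create_users',
    'edit_users',
    'promote_users',     // change other users' roles
    'delete_users',
    'install_plugins',
    'edit_plugins',
    'edit_themes',
    'edit_files',
    'unfiltered_html',   // publish raw HTML/JS without filtering
    'unfiltered_upload',
];

// 1. A least-privilege role: can read private posts for review, nothing else.
//    Roles are persisted in the options table, so add it once on activation
//    and remove it on deactivation rather than on every page load.
register_activation_hook(__FILE__, function () {
    add_role('content_reviewer', 'Content Reviewer', [
        'read'               => true,
        'read_private_posts' => true,
        // deliberately no edit_posts, publish_posts or upload_files
    ]);
});
register_deactivation_hook(__FILE__, function () {
    remove_role('content_reviewer');
});

/**
 * 2. Return an array of role slug => list of high-risk capabilities that the
 *    role grants. Roles with none are omitted; 'administrator' is skipped
 *    because it is expected to hold all of them.
 */
function rtr_example_role_audit() {
    $findings = [];
    foreach (wp_roles()->roles as $slug => $role) {
        if ($slug === 'administrator') {
            continue;
        }
        // A capability is granted only when its value is true; a false entry
        // is an explicit denial, so array_filter drops it.
        $granted = array_keys(array_filter($role['capabilities']));
        $risky   = array_values(array_intersect($granted, RTR_EXAMPLE_HIGH_RISK_CAPS));
        if ($risky) {
            $findings[$slug] = $risky;
        }
    }
    return $findings;
}

// Surface the findings to administrators only; every other user sees nothing.
add_action('admin_notices', function () {
    if (! current_user_can('manage_options')) {
        return;
    }
    foreach (rtr_example_role_audit() as $slug => $caps) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html(sprintf('Role "%s" grants admin-level capabilities: %s', $slug, implode(', ', $caps)))
        );
    }
});
```

Run the audit again after every plugin install: a plugin that quietly grants edit_users or unfiltered_html to a role it created has handed that power to every account holding the role.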

Accounting

Lastly, there is accounting. Most people associate the term “accounting” with money, but in IT we use it differently. When it comes to user management, accounting means creating a log of interactions so administrators can associate them with individual users. For example, if a user changes their password, the application records that action in its log. Later, if that user has an issue with their credentials, the application has a way to show when changes were last made.

Unfortunately, WordPress doesn’t offer a native feature for accounting, so a plugin is your only option for adding it. Our recommendation is Simple History by Pär Thernström. Simple History is a lightweight plugin that logs significant actions in WordPress and displays them on the Dashboard. Adding it will quickly open your eyes to the volume of bad actors in the IT space. Simply tracking the number of times a hacker tries to log in as “admin” will blow your mind and give you a new perspective on the importance of security.
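To show what a plugin like Simple History is listening to under the hood, here is an added example (not the article’s code and not Simple History’s) of a minimal must-use plugin that writes one line per authentication event, including the password change the paragraph above uses as its example, to the PHP error log. The plugin name and the rtr_example_ functions are hypothetical; the hooks wp_login_failed, wp_login, after_password_reset and profile_update, and the helpers sanitize_user and get_userdata, are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Minimal Auth Log (added example, hypothetical name)
 * Drop into wp-content/mu-plugins/ to load on every request.
 *
 * Writes one line per authentication-relevant event to the PHP error log
 * (wp-content/debug.log when WP_DEBUG_LOG is on), so that failed logins,
 * successful logins and password changes can be tied back to a user.
 */

/**
 * Build a single structured log line. Returned rather than printed so the
 * same function serves every event and its format can be checked.
 */
function rtr_example_auth_log_line($event, $username, $ip) {
    // Usernames come from untrusted form input; strict sanitize_user() keeps
    // only [A-Za-z0-9 _.-@], so a client cannot inject newlines or fake
    // "key=value" fields into the log.
    $safe_user = sanitize_user((string) $username, true);
    $safe_ip   = filter_var($ip, FILTER_VALIDATE_IP) ? $ip : 'invalid';
    return sprintf('%s event=%s user=%s ip=%s', gmdate('c'), $event, $safe_user, $safe_ip);
}

function rtr_example_client_ip() {
    // REMOTE_ADDR is set by the web server and cannot be set by a client
    // header; only trust X-Forwarded-For if a proxy you control sets it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
}

// Failed login: fires with the attempted username, which is exactly how the
// repeated "admin" guesses mentioned above show up.
add_action('wp_login_failed', function ($username) {
    error_log(rtr_example_auth_log_line('login_failed', $username, rtr_example_client_ip()));
});

// Successful login.
add_action('wp_login', function ($user_login) {
    error_log(rtr_example_auth_log_line('login_ok', $user_login, rtr_example_client_ip()));
});

// Password changed through the "lost password" flow.
add_action('after_password_reset', function ($user) {
    error_log(rtr_example_auth_log_line('password_reset', $user->user_login, rtr_example_client_ip()));
});

// Password changed from the profile screen: compare the stored hash before
// and after the update. The hash itself is never written to the log.
add_action('profile_update', function ($user_id, $old_user_data) {
    $new_user = get_userdata($user_id);
    if ($new_user && $old_user_data->user_pass !== $new_user->user_pass) {
        error_log(rtr_example_auth_log_line('password_changed', $new_user->user_login, rtr_example_client_ip()));
    }
}, 10, 2);
```

The resulting lines (for example, “2024-01-01T00:00:00+00:00 event=login_failed user=admin ip=203.0.113.5”, a constructed sample) are easy to ship to whatever log collector you already use, which is the main thing a Dashboard-only history cannot do for you.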

User Security

In fact, everything in this article is about providing a basic level of security to WordPress. It’s the responsibility of every administrator to provide their users with a level of security that keeps them safe. Even if you aren’t a security expert, the plugins mentioned in this article will get you heading in the right direction.

User management is just one of the critical topics we cover in our WordPress Essentials eLearning. If you’re interested in learning more, click here.
