The best way to secure your WordPress users in 2020 is by using a strong password and two-factor authentication. That seems pretty straightforward, right? The reality is that WordPress user security is a bit more nuanced.
Whenever we talk about user security, we often hear questions like, should every WordPress user have the same security requirements, and how much security is too much security?
Don’t worry. We answer all of these questions. But first, let’s talk about the different types of WordPress users.
What are the different types of WordPress users?
There are 5 different default WordPress users.
Note: WordPress multi-sites have a sixth user. The Super Administrator has all access to the site network administration features and all other features. They can create new and remove sites on the network as well as manage the network’s users, plugins, and themes.
Each user has different capabilities. The capabilities dictate what they can do once they access the dashboard. Read more about WordPress user roles and permissions.
The Potential Damage of Different Hacked WP Users
Before we can understand how to secure our WordPress users, we must first understand the threat level of each type of compromised user. The type and level of damage an attacker can inflict varies greatly depending on the roles and capabilities of the user they hack.
Administrator – Threat Level High
Administrator users have the capabilities to whatever they want.
- Create, remove, and modify users.
- Install, remove, and edit plugins and themes.
- Create, remove, and edit all posts and pages.
- Publish and unpublish posts and pages.
- Add and remove media.
If a hacker can get their hands on one of your site’s Administrators, they could hold your website for ransom. Ransomware refers to when a hacker takes over your website and won’t release it back to you unless you pay them a hefty fee.
The average downtime of a ransomware attack is 9.5 days. How much revenue would 10 days of NO sales cost you?
Editor – Threat Level High
The Editor manages all of the website’s content. These users still have quite a bit of power.
- Create, delete, and edit all posts and pages.
- Publish and unpublish all posts and pages.
- Upload media files.
- Manage all links.
- Manage comments.
- Manage categories.
If an attacker took control of an Editor’s
This article was written by Michael Moore and originally published on WordPress News and Updates from iThemes – iThemes.