The most sophisticated server hardening in the world doesn’t matter if an attacker guesses an admin
password. I learned this lesson when a client’s site was compromised not through a technical
vulnerability but because a former employee’s account still had administrator access—and that
account used a weak password from a data breach.
User access management is the foundation of WordPress security. Most successful WordPress compromises
trace back to weak passwords, excessive permissions, or compromised credentials. Technical
vulnerabilities in WordPress core are rare and quickly patched; the consistent weak point is human
factors.
This guide covers the three pillars of WordPress user security: properly configuring user roles
(least privilege), enforcing strong password practices, and implementing two-factor authentication.
Master these fundamentals and you’ve addressed the majority of real-world WordPress attack vectors.
Understanding WordPress User Roles
WordPress includes a role-based access control system that determines what each user can do.
Understanding these roles—and using them correctly—is the first step toward secure user management.
Default Role Hierarchy
WordPress defines six default roles with progressively greater permissions:
Subscriber is the most limited role. Subscribers can log in, read content, and manage their own
profile. They cannot create, edit, or publish any content. This role is appropriate for site members
who need login access for commenting or accessing member-only content.
Contributor can write and edit their own posts but cannot publish them. Posts must be approved by
someone with higher permissions. Contributors also cannot upload media files. This role suits guest
writers or team members whose content needs editorial review before publication.
Author can write, edit, and publish their own posts and upload media files. Authors cannot modify
others’ posts or access site settings. This role is appropriate for staff writers responsible for
their own content but not editorial oversight.
Editor has authority over all content. Editors can write, edit, publish, and delete any post—their
own or others’. They can moderate comments and manage categories. Editors cannot access themes,
plugins, or site settings. This role suits content managers responsible for editorial workflow.
Administrator has complete control over a single site. Administrators can manage themes, plugins,
settings, and users in addition to all content capabilities. For single-site WordPress
installations, this is the highest role. Only trusted technical staff should have administrator
access.
Super Admin (multisite only) controls the entire WordPress network. Super Admins can manage all
sites, install themes and plugins at the network level, and create or delete individual sites. This
role exists only on WordPress multisite installations.
The Principle of Least Privilege
The security principle of least privilege states that users should have only the minimum permissions
necessary to perform their tasks. Applying this to WordPress means choosing the most restrictive
role that still allows someone to do their job.
A content writer doesn’t need administrator access—Author or Contributor is sufficient. An SEO
specialist editing meta descriptions doesn’t need to manage plugins—Editor role handles content
adequately. A newsletter subscriber certainly doesn’t need anything beyond Subscriber role.
Least privilege limits damage when accounts are compromised. If an attacker gains access to an Author
account, they can only affect that author’s posts. If they gain access to an Administrator account,
they own the entire site. By limiting permissions, you limit the blast radius of any single
compromise.
Common Role Assignment Mistakes
The most common mistake I see is making everyone an administrator “for convenience.” This seems
easier than figuring out proper roles, but it means every compromised password gives complete site
access.
Another mistake is using shared accounts. When five people share one admin account, you lose
accountability (who made what change?), and you can’t revoke one person’s access without affecting
everyone. Create individual accounts for every person.
A third mistake is permanent access. When contractors, former employees, or guest writers finish
their work, their accounts should be deleted or demoted to Subscriber. Stale accounts with elevated
permissions are attack vectors waiting to be exploited.
Creating Custom User Roles
Default roles don’t always match your workflow needs. WordPress allows creating custom roles with
specific capability combinations.
When Custom Roles Make Sense
Custom roles bridge gaps between default roles. An SEO manager might need to edit all posts (like an
Editor) plus access SEO plugin settings (normally Administrator-only) but shouldn’t install plugins.
A shop manager in WooCommerce might need order and product management without access to WordPress
settings.
Creating a custom role is better than elevating someone to Administrator and hoping they don’t touch
things they shouldn’t. Custom roles enforce boundaries technically rather than relying on user
discipline.
Implementing Custom Roles
You can create custom roles with code in your theme’s functions.php or a site-specific plugin. The
approach involves calling add_role() with the role name, display name, and array of capabilities.
Capabilities are granular permissions like edit_posts, publish_posts, manage_options,
install_plugins, and many more. WordPress core defines dozens of capabilities, and plugins often add
their own.
Start by identifying which capabilities the role needs. Look at existing roles as templates—if your
role is “Editor plus SEO plugin access,” start with Editor capabilities and add SEO-specific ones.
Role creation code typically runs once during plugin activation or theme setup. After creating the
role, it persists in the database until explicitly removed. Running add_role() repeatedly doesn’t
cause problems—WordPress ignores the call if the role already exists—but it’s cleaner to run only
when needed.
User Role Editor Plugins
For non-developers, plugins like User Role Editor or Members provide visual interfaces for creating
and modifying roles. These plugins show all available capabilities with checkboxes, making role
creation more accessible.
Be careful when modifying default roles through plugins. Changes to Editor or Author roles affect all
users with those roles. Create new custom roles rather than modifying defaults unless you’re certain
the change should apply universally.
Password Security Fundamentals
Weak passwords are the single most common WordPress attack vector. Brute force attacks, credential
stuffing, and password guessing succeed because people use predictable passwords.
What Makes Passwords Weak
Short passwords are weak regardless of complexity. An 8-character password with uppercase, lowercase,
numbers, and symbols can be cracked faster than a 20-character lowercase phrase. Length matters more
than complexity.
Dictionary words and common patterns are weak. “Password123!” technically meets complexity
requirements but is among the first combinations attackers try. Keyboard patterns (qwerty, 123456),
names, birthdates, and common words provide no security.
Reused passwords are catastrophically weak. When a credential breach exposes username/password pairs,
attackers try those credentials on thousands of other sites. If you used the same password for a
forum that got hacked and your WordPress admin, your site is now compromised.
Strong Password Standards
For WordPress administrator accounts, I recommend minimum 20-character passwords generated randomly.
Length provides exponential security improvement—each additional character multiplies the time
needed to crack by a factor of the character set size.
Random generation eliminates patterns. Humans are terrible at creating random passwords; we
unconsciously use patterns, meaningful numbers, and memorable sequences. Password managers generate
truly random strings that attackers can’t predict.
Unique passwords for every site contain breaches. If your WordPress password is compromised, only
that site is affected. Your email, banking, and other accounts remain secure.
Password Managers
Password managers like 1Password, Bitwarden, or Dashlane solve the impossible problem of remembering
unique, random, long passwords for every account. You remember one master password; the manager
handles everything else.
For teams, password managers enable secure sharing. Instead of emailing passwords or keeping them in
shared documents (both terrible practices), team members access shared passwords through the manager
with proper access controls.
Browser-integrated password managers auto-fill credentials, removing the friction that makes people
choose weak passwords for convenience. When using a strong password is just as easy as using a weak
one, people use strong passwords.
Enforcing Password Policies
WordPress doesn’t enforce password strength by default—it shows a strength indicator and suggests
strong passwords, but users can ignore it. For sites requiring strong passwords, you need
enforcement through code or plugins.
Password policy plugins like iThemes Security, Wordfence, or dedicated options like Password Policy
Manager allow configuring requirements: minimum length, complexity requirements, expiration periods,
and breach database checking.
Consider checking passwords against known breach databases using services like Have I Been Pwned. If
a user tries to set a password that’s appeared in data breaches, reject it—attackers will try that
password.
Implementing Two-Factor Authentication
Two-factor authentication (2FA) is the single most effective protection against account compromise.
Even if attackers know your password, they can’t access your account without the second factor.
How 2FA Defends
Authentication factors fall into three categories: something you know (password), something you have
(phone, hardware key), and something you are (biometrics). 2FA requires factors from two different
categories.
With password-only authentication, attackers who guess, steal, or crack your password have full
access. With 2FA, they also need your phone or hardware key—something they’re unlikely to have
unless they’ve physically targeted you.
Credential stuffing attacks become useless with 2FA. Even if attackers have your exact password from
another breach, they can’t generate the second factor. Brute force attacks are similarly
defeated—guessing the password isn’t enough.
2FA Methods Compared
Hardware security keys (YubiKey, Google Titan) provide the strongest protection. They’re immune to
phishing—even if you enter your password on a fake login page, the hardware key won’t authenticate
because the cryptographic challenge is specific to the real site. The downside is cost (around $50
per key) and the need to carry a physical device.
Authenticator apps (Google Authenticator, Authy, 1Password) generate time-based one-time passwords
(TOTP). These 6-digit codes change every 30 seconds. Security is excellent against remote attacks,
though sophisticated phishing can capture codes in real-time. Authenticator apps are free and work
offline.
SMS codes send one-time passwords via text message. While better than no 2FA, SMS is vulnerable to
SIM swapping attacks where attackers convince mobile carriers to transfer your number to their SIM.
Use SMS only when stronger methods aren’t available.
Email codes are the weakest option—if attackers compromise your email, they can receive login codes.
Only use email 2FA if the email account itself has strong 2FA.
2FA Plugins for WordPress
The Two-Factor plugin is the official WordPress project solution. It supports multiple methods
including TOTP, email, backup codes, and FIDO U2F hardware keys. It integrates cleanly with
WordPress core authentication.
Wordfence includes 2FA as part of its security suite. If you’re already using Wordfence for firewall
and malware scanning, adding its 2FA is convenient. The free version supports TOTP; premium adds
additional features.
WP 2FA is a focused 2FA plugin with a user-friendly setup wizard. It includes enforcement options to
require 2FA for specific roles and grace periods for users to configure their authentication.
For enterprise environments, plugins integrating with existing SSO (Single Sign-On) systems may be
more appropriate, leveraging organizational 2FA infrastructure.
Enforcing 2FA for Administrators
All administrator accounts should require 2FA—no exceptions. A compromised admin account means
complete site takeover. The inconvenience of 2FA is trivial compared to recovering from a breach.
Most 2FA plugins allow role-based enforcement. Configure required 2FA for Administrator and Editor
roles at minimum. Consider requiring it for all logged-in users if your threat model warrants it.
Provide grace periods for initial setup. When enabling mandatory 2FA, give users a few days to
configure it rather than locking them out immediately. After the grace period, accounts without 2FA
should be unable to access admin functions.
Backup Codes
Hardware keys break. Phones get lost. Backup codes provide account recovery when primary 2FA isn’t
available. Generate backup codes when setting up 2FA and store them securely—printed and locked
away, or in a password manager.
Treat backup codes with password-level security. They’re essentially emergency passwords that bypass
2FA. Don’t save them in plain text files or email them to yourself.
Login Security Hardening
Beyond passwords and 2FA, additional measures protect the login process from automated and targeted
attacks.
Limit Login Attempts
Without limits, attackers can try thousands of password combinations. Login limiting plugins block IP
addresses after a number of failed attempts—typically 5-10 failures trigger temporary lockout.
Progressive delays increase lockout duration for repeat offenders. First lockout might be 5 minutes;
subsequent lockouts from the same IP might be hours or permanent. This makes sustained brute force
attacks impractical.
Wordfence, iThemes Security, and Limit Login Attempts Reloaded all provide this functionality. Some
web hosts also implement login limiting at the server level.
Rename or Hide Login URL
WordPress login is at /wp-login.php and /wp-admin/ by default. Every automated attack targets these
URLs. Moving the login to a custom URL stops nothing from determined attackers but eliminates most
automated bot traffic.
Plugins like WPS Hide Login change the login URL to something like /my-secret-login/. This is
security through obscurity—not true security but a practical reduction in attack volume.
Don’t use easily guessable alternatives like /login/ or /admin-login/. Choose something your team can
remember but isn’t obvious.
Disable XML-RPC
XML-RPC is a legacy API that allows remote publishing and other functions. Most sites don’t need it,
but it provides an alternative authentication endpoint that attackers exploit for brute force
attacks—XML-RPC allows testing multiple passwords per request, making attacks more efficient.
If you don’t use XML-RPC (Jetpack requires it; most other workflows don’t), disable it entirely. Add
a filter returning false for xmlrpc_enabled, or block access at the server level.
User Audit and Maintenance
Security isn’t a one-time configuration—it requires ongoing maintenance and periodic audits.
Regular User Audits
Monthly, review your user list. Count administrator accounts—there should be as few as possible,
typically 1-3. Question any admin you don’t recognize or can’t justify.
Check last login dates for all accounts. Users who haven’t logged in for months might be abandoned
accounts. Disabled or deleted accounts can’t be compromised.
Verify 2FA status for privileged accounts. If 2FA is supposedly required, confirm every admin
actually has it configured.
Review roles versus actual job functions. Someone hired as a writer who was temporarily elevated to
Editor for a project might still have Editor access months later. Demote to the minimum necessary
role.
Handling Departures
When someone leaves your organization or project, their access should be revoked immediately—same
day, ideally same hour. Departed users with lingering access are security liabilities.
For content creators, decide whether to delete accounts or reassign content. Deleting an Author
account can transfer their posts to another user. Consider demoting to Subscriber rather than
deleting if you need to preserve account history.
Reset passwords for any shared accounts the departed user knew. Actually, you shouldn’t have shared
accounts—but if you do, rotate credentials immediately.
Session Management
WordPress maintains login sessions that persist across browser sessions. Long-lived sessions are
convenient but extend the exposure window if a device is compromised or shared.
Consider configuring shorter session timeouts for privileged roles. Security plugins and custom code
can force re-authentication after periods of inactivity or at specific intervals.
The “Sessions” section in user profiles shows where accounts are logged in. Users can remotely log
out of other sessions here. Review this periodically to ensure you recognize all active sessions.
Recovering from Account Compromise
If you suspect an account has been compromised—unusual activity, unknown posts, unauthorized
changes—quick action limits damage.
Immediate Response
Reset passwords for all administrator accounts immediately. Don’t just reset the suspected
account—attackers often create backup access. Every admin password changes now.
Review the user list for accounts you didn’t create. Attackers often add administrator accounts for
persistent access. Delete any suspicious accounts immediately.
Check for new plugins or theme modifications. Attackers install plugins containing backdoors or
modify existing files. Review recent plugin installations and scan for file changes.
Force logout of all sessions. WordPress stores sessions in the database; you can invalidate them by
updating user session tokens, forcing everyone to re-authenticate with their new passwords.
Investigation and Cleanup
Determine how the compromise happened. Check access logs for unusual login patterns. Review which
account accessed what. Understanding the attack vector helps you prevent recurrence.
Scan for malware and backdoors. Security Plugins like Wordfence and Sucuri scan files for known
malicious code. Manual review of recently modified files catches custom backdoors.
If you have backups from before the compromise, compare files to identify changes. Not all changes
are malicious, but unauthorized modifications to core, theme, or plugin files are red flags.
Post-Incident Hardening
After cleaning up, implement protections to prevent recurrence. If 2FA wasn’t required, require it
now. If passwords were weak, enforce strong password policies. If an unused account was compromised,
audit and remove all unused accounts.
Document what happened and how you responded. This documentation helps if similar incidents occur and
demonstrates due diligence if breach notification is required.
Conclusion
WordPress user security rests on three pillars: appropriate role assignment (least privilege), strong
password practices, and two-factor authentication. Together, these address the majority of
real-world WordPress attacks.
Assign roles based on what users actually need to do—not convenience, not “just in case.” Use unique,
random, long passwords stored in password managers. Require 2FA for all privileged accounts without
exception.
Maintain security over time through regular user audits, prompt access revocation when people leave,
and ongoing monitoring for suspicious activity. Security isn’t a one-time setup but an ongoing
practice.
These fundamentals aren’t glamorous or technically complex, but they’re what actually protects
WordPress sites in the real world.
admin
Tech enthusiast and content creator.