When it’s just you writing on your site, WordPress user management is incredibly basic. You have one user, you, and you do all the things. If you’re a little neurotic, you have one user who is an editor to write all your posts, and one who is an admin to do the admin things, and you religiously log in as the editor.
But when you have a site with multiple authors, how do you handle them and their permissions? And what do you do when they leave?
Lowest Common Denominator
The most important thing to remember with any CMS or tool is to give users the lowest permissions they can still do their job with. Admins can do anything, so that role should be limited to the people with whom you have actually discussed responsible administration, how to handle problems, and who the ultimate technical decision-maker is. The WordPress Roles and Capabilities documentation can be daunting, but the summary is what matters:
- Super Admin – somebody with access to the site network administration features and all other features (multisite networks only)
- Administrator – somebody who has access to all the administration features within a single site.
- Editor – somebody who can publish and manage posts including the posts of other users.
- Author – somebody who can publish and manage their own posts.
- Contributor – somebody who can write and manage their own posts but cannot publish them.
- Subscriber – somebody who can only manage their profile.
The Administrative
I strongly recommend keeping your Admin accounts to fewer than five. Most people don't need to be an admin. In fact, the only routine chore that actually requires an admin is adding new users. Everything else an admin can do is, properly, administrative and requires some technical know-how. You don't want your copy editor updating a plugin that breaks the site, after all.
Editors are your moderators. They can approve posts, edit them, handle comments, and more. They cannot install or upgrade code, however, which is good: it's the admins who (should) have server access, not the editors. Think of it that way and you may go less crazy.
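The two rules above (keep admins rare, and keep code-changing power away from everyone else) are easy to check mechanically. The following must-use plugin is an added example, not code from the original post: it lists which roles hold code-changing or user-changing capabilities and warns when the Administrator count reaches the limit. The capability list, the limit of five and the `raud_` prefix are this example's own choices.

```php
<?php
/**
 * Plugin Name: Role and admin-count audit
 *
 * Added example (not from the original post). Drop this file into
 * wp-content/mu-plugins/; must-use plugins load on every request and cannot
 * be switched off from the dashboard. It shows admin notices listing which
 * roles hold dangerous capabilities and warns when there are too many admins.
 */

// Capabilities that let a role change code, or change other people's access.
// This list is the example's own choice, not a WordPress-defined set.
const RAUD_DANGEROUS_CAPS = array(
	'install_plugins', 'update_plugins', 'activate_plugins', 'delete_plugins',
	'install_themes',  'update_themes',  'switch_themes',   'edit_themes',
	'edit_plugins',    'edit_files',     'update_core',
	'create_users',    'edit_users',     'promote_users',   'delete_users',
	'unfiltered_html', // raw HTML and <script> in posts
);

const RAUD_MAX_ADMINS = 5; // the "fewer than five admins" rule from the post

/**
 * Map each role slug to the subset of RAUD_DANGEROUS_CAPS it grants.
 * wp_roles()->roles is the array stored in the wp_user_roles option, so
 * custom roles and add_cap() changes made by plugins show up here too.
 */
function raud_dangerous_caps_by_role() {
	$report = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		$caps = array_keys( array_filter( $role['capabilities'] ) ); // only caps set to true
		$held = array_values( array_intersect( RAUD_DANGEROUS_CAPS, $caps ) );
		if ( $held ) {
			$report[ $slug ] = $held;
		}
	}
	return $report;
}

/** Logins of every Administrator on the current site. */
function raud_admin_logins() {
	$admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
	return wp_list_pluck( $admins, 'user_login' );
}

add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return; // only show this to people who could act on it
	}
	$admins = raud_admin_logins();
	if ( count( $admins ) >= RAUD_MAX_ADMINS ) {
		printf(
			'<div class="notice notice-warning"><p>%d Administrator accounts (%s). Demote anyone who does not need server-level power.</p></div>',
			count( $admins ),
			esc_html( implode( ', ', $admins ) )
		);
	}
	foreach ( raud_dangerous_caps_by_role() as $slug => $caps ) {
		if ( 'administrator' === $slug ) {
			continue; // admins are expected to hold these
		}
		printf(
			'<div class="notice notice-error"><p>Role <code>%s</code> can: %s.</p></div>',
			esc_html( $slug ),
			esc_html( implode( ', ', $caps ) )
		);
	}
} );
```

On a stock single site this will flag the Editor role for `unfiltered_html`, and that is a real finding: by default Editors can publish raw HTML including script tags, so an Editor account is still worth stealing. If that bothers you, WordPress honours `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php, and `define( 'DISALLOW_FILE_MODS', true );` removes plugin, theme and core installation and updates from the dashboard for everyone, admins included, which is the cleanest way to make sure code only changes over the server access your admins are supposed to have anyway.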
The Writers
Your post writers come in two flavors: Authors and Contributors.
The difference here is small but important. A Contributor cannot publish posts and, more importantly, cannot edit their posts once those are published; an Author can do both for their own posts. That makes Contributor a good role for guest posters or irregulars, and if you need to review and approve every post before it goes live, this is the role for your writers. An Author, on the other hand, should be someone you trust not to go back and make naughty changes to posts after they're approved and published.
The biggest 'flaw' in Contributors is that they cannot upload files. This can be annoying, I know. If you need more robust editorial tools for your writers, services like CoSchedule and plugins like Edit Flow may be up your alley.
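If the upload gap is the only thing pushing you to promote guest writers to Author, you can close it without handing over `publish_posts`. The must-use plugin below is an added example, not code from the original post or from any of the tools it names: it grants `upload_files` to the Contributor role, provides the matching rollback, and (this example's own policy) limits what those Contributors may upload to images. The `cu_` prefix and the image allow-list are assumptions.

```php
<?php
/**
 * Plugin Name: Contributor uploads
 *
 * Added example (not from the original post). Lets Contributors upload media
 * without promoting them to Author. Put it in wp-content/mu-plugins/.
 *
 * add_cap()/remove_cap() write to the wp_user_roles option, so the grant
 * persists even after this file is deleted; use the revoke function to undo it.
 */

/** Grant upload_files to the Contributor role; a no-op if already granted. */
function cu_grant_contributor_uploads() {
	$role = get_role( 'contributor' );
	if ( ! $role ) {
		return false; // role is missing (a role plugin deleted it); do nothing
	}
	if ( ! $role->has_cap( 'upload_files' ) ) {
		$role->add_cap( 'upload_files' ); // one DB write, only the first time
	}
	return true;
}

/** Undo the grant; run this when returning Contributors to stock rights. */
function cu_revoke_contributor_uploads() {
	$role = get_role( 'contributor' );
	if ( $role && $role->has_cap( 'upload_files' ) ) {
		$role->remove_cap( 'upload_files' );
	}
}

// has_cap() is an in-memory lookup, so running this on every request is cheap.
add_action( 'init', 'cu_grant_contributor_uploads' );

// Defence in depth: guest writers get pictures, not PDFs, ZIPs or SVGs.
// The keys below are the extension patterns WordPress uses in its mime table.
const CU_CONTRIBUTOR_MIMES = array( 'jpg|jpeg|jpe', 'gif', 'png', 'webp' );

add_filter( 'upload_mimes', function ( $mimes, $user ) {
	$user = $user ? $user : wp_get_current_user(); // filter may be called with null
	$is_contributor = in_array( 'contributor', (array) $user->roles, true )
		&& ! user_can( $user, 'publish_posts' );
	if ( $is_contributor ) {
		return array_intersect_key( $mimes, array_flip( CU_CONTRIBUTOR_MIMES ) );
	}
	return $mimes;
}, 10, 2 );
```

The grant does not include `unfiltered_upload`, so Contributor uploads still go through the `upload_mimes` allow-list and WordPress's file-type sniffing; the extra filter just narrows that list further for this one role. Everything else about Contributors stays as the post describes: they still cannot publish, and still cannot touch a post once it is live.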
The Departed
I don’t mean dead. What happens when your writer quits? You (probably) don’t want to delete their posts, but you do want to balance their access against your security. The simplest solution is to make them a Subscriber. This means they can only read and leave comments on your site, nothing more. Their posts will still be attributed to them, but they can no longer edit them.
Of course, if the departure is less than amicable, another solution is to make them a Subscriber but then also change their email and password, so that the account is yours rather than theirs. If you use Gmail or G Suite, a super quick email fix is to use a plus-address alias like blogadmin+username@example.com for such users. For example, if the removed user’s login ID is johnsmith, I would set the account’s email to blogadmin+johnsmith@example.com, which lands in my own inbox, and use that to own the ID. This prevents johnsmith from requesting a password-reset link and changing his password again, because the reset email now comes to you instead.
For cPanel you’ll need to use forwarders and for Plesk you need aliases. Both require setting them up on the server side. Sorry.
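Demoting, re-pointing the email and resetting the password are three separate steps, and a departing writer who still has a logged-in browser or an Application Password can keep using the account until all of them are done. The script below is an added example, not code from the original post, that performs the whole offboarding in one go using WordPress's own functions. The alias domain `example.com`, the login `johnsmith` and the `wp eval-file` invocation are this example's assumptions.

```php
<?php
/**
 * offboard.php: demote a departed writer while keeping their posts attributed.
 * Added example (not from the original post). Run once from WP-CLI:
 *   wp eval-file offboard.php johnsmith
 * or paste the function into a temporary mu-plugin and call it from there.
 */

/**
 * @param string $login       WordPress user_login of the person leaving.
 * @param string $alias_email Mailbox you control, e.g. blogadmin+johnsmith@example.com
 * @return true|WP_Error
 */
function offboard_writer( $login, $alias_email ) {
	$user = get_user_by( 'login', $login );
	if ( ! $user ) {
		return new WP_Error( 'no_user', "No user with login '$login'" );
	}
	if ( user_can( $user, 'manage_options' ) ) {
		// Refuse to silently demote an Administrator; do that deliberately by hand.
		return new WP_Error( 'is_admin', "'$login' is an Administrator; demote explicitly first" );
	}
	if ( ! is_email( $alias_email ) || email_exists( $alias_email ) ) {
		return new WP_Error( 'bad_email', 'Alias e-mail is invalid or already in use' );
	}

	// WordPress normally e-mails the *old* address about password and e-mail
	// changes. That address belongs to the person being locked out, so suppress it.
	add_filter( 'send_password_change_email', '__return_false' );
	add_filter( 'send_email_change_email', '__return_false' );

	$result = wp_update_user( array(
		'ID'         => $user->ID,
		'role'       => 'subscriber',               // posts stay attributed to them
		'user_email' => $alias_email,               // reset links now come to you
		'user_pass'  => wp_generate_password( 40, true, true ), // unknown to everyone
	) );
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Log them out of every browser; a role change alone does not do this.
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

	// Revoke REST/XML-RPC Application Passwords (WordPress 5.6 and later).
	if ( class_exists( 'WP_Application_Passwords' ) ) {
		WP_Application_Passwords::delete_all_application_passwords( $user->ID );
	}
	return true;
}

// When run via `wp eval-file offboard.php <login>`, WP-CLI exposes the extra
// arguments in $args.
if ( defined( 'WP_CLI' ) && WP_CLI && ! empty( $args[0] ) ) {
	$login = $args[0];
	$out   = offboard_writer( $login, 'blogadmin+' . $login . '@example.com' );
	WP_CLI::log( is_wp_error( $out ) ? $out->get_error_message() : "Offboarded $login" );
}
```

Two caveats. The random password is deliberately thrown away: if you ever need the account again, use the reset link, which now arrives at your alias. And on a multisite network the role change only applies to the current site, so repeat it per site (or remove the user from each site) rather than assuming one demotion covers the network.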
Custom User Roles
I say this with a heavy heart: most sites need to stay away from this. The basic five roles will suffice for most situations, and you should really try them for a while before dismissing them. Adding new user roles in WordPress can end with no one having permission to do anything. If you do use custom roles, please be very careful, and make sure you know how to restore the basic user permissions in a pinch.
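"Know how to restore basic permissions" is worth having written down before you need it. The snippet below is an added example, not code from the original post: it reinstalls the stock roles and capabilities using the same routine the WordPress installer runs, then puts a named login back in charge. The login `johnsmith` and the file name are this example's placeholders.

```php
<?php
/**
 * restore-roles.php: put the stock WordPress roles back after a custom-role
 * experiment goes wrong. Added example (not from the original post). Run once:
 *   wp eval-file restore-roles.php johnsmith
 * then delete the file.
 *
 * populate_roles() re-creates any missing default role and re-adds every
 * default capability. It does not delete custom roles or extra capabilities,
 * so it is safe to run on a live site; it only gives back what was taken away.
 */
function restore_default_roles() {
	require_once ABSPATH . 'wp-admin/includes/schema.php'; // defines populate_roles()
	populate_roles();
	// Sanity check: an Administrator must be able to manage options again.
	$admin = get_role( 'administrator' );
	return $admin && $admin->has_cap( 'manage_options' );
}

/** Hand Administrator back to a known login; replaces any broken custom role. */
function make_user_admin( $login ) {
	$user = get_user_by( 'login', $login );
	if ( ! $user ) {
		return false;
	}
	$user->set_role( 'administrator' );
	return true;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
	$ok = restore_default_roles();
	WP_CLI::log( $ok ? 'Default roles restored' : 'Restore failed: administrator role still broken' );
	if ( $ok && ! empty( $args[0] ) ) {
		WP_CLI::log( make_user_admin( $args[0] ) ? "{$args[0]} is an Administrator again" : "No user {$args[0]}" );
	}
}
```

If you already have WP-CLI on the box, `wp role reset --all` does the same reinstall from the command line without writing any PHP; the version above is for when you can only get a file onto the server.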