Prefer a video? See User Access on our Learn WordPress page.
It’s a good idea to review who has access to your WordPress site—and what level of access they have—on a regular basis. We always conduct a brief user security audit when we work on a new site and suggest checking in on this quarterly.
User Security Audit
- Log in to WordPress and navigate to the Users section.
- Review each user, ensure you know who they are and that they still require access to WordPress.
- When you delete a user you will need to reassign their content to another user, WordPress will walk you through that as you delete them.
- Review access levels.
- Specifically, review who has Admin access. This is the top-level of access and should be reserved for only your web project leads and web/SEO agency/agencies. These users can install plugins and update the core—neither of which should be done lightly or by someone who doesn’t have experience doing so.
- You maybe have hosting or plugins that require a user login—we see this most often with WPEngine. Leave those users or your reporting functionality can break.
- To learn more about WordPress access levels please visit https://wordpress.org/support/article/roles-and-capabilities/