WordPress is the most popular and pervasive website content management platform on the market, with market share estimated by some to be over 60%. Website owners (or those responsible to maintain their Insurance WordPress sites) can and should manage user access to tasks such as writing and editing, page creation. Category creation, comment moderation, plugin and theme management, user management, by assigning specific roles to all users.
WordPress Predefined Roles:
- Super Admin
- Super Admin: Allows access to all sitewide administration and features. This role should be severely limited, as it is the most powerful, and allows the user to make major site modifications.
- Administrator: Not as powerful as Super Admin, but still has access to all administration features within a single website.
- Editor: Allows users to publish and manage posts, including other users’ posts.
- Author: Allows the user to publish and manage their own posts.
- Contributor: Allows the author to write and manage their own posts but does not allow them to publish the content.
- Subscriber: Read only access, allowing the user to review content and manage their profile.
Leveraging the power of user access helps ensure a more secure WordPress website. Let’s begin by discussing roles and tasks. Each assigned user role allows for a set of tasks to be performed which are called capabilities. There are many capabilities, a few examples include publishing posts, moderating comments, and editing users. Default capabilities are preassigned to each role, but other capabilities can be assigned or removed, allowing for custom user role creation. Greater control and refinements of user roles will improve overall website security and limit the user errors that can cause security breaches.
Website owners can also harden their WordPress sites using Permission Modes. For example, permissions can specify who and what can read, write, modify, and access directories and files. This is important as WordPress may need access to write to files in your wp-content directory for the site to function properly.
FTP access is another area to address to improve website security. For example, if you need a third-party contractor to modify your site or customize a plugin, they may require FTP access. But you do not have to grant them full access to the root directory of your website. Limit access to the specific area they are working on, such as the theme’s directory. Provide support logs if needed instead of granting FTP access to the logs on your site. And make sure the FTP access and password are time limited, expiring in a week or two (as short a duration as possible).