How to audit your site users

We recommend regularly auditing your user list to ensure nobody has access to the site who no longer needs it and that everyone has the appropriate role for their needs.

Where is the user list?

If your role lets you view the user list, you will find it under Users in the WordPress sidebar, or directly at [your site domain]/wp-admin/users.php.

What to think about when conducting a user audit

Look through the users on your list and think about which users could be removed or may need a different role. Here are a few prompts:  

  • Is there anyone on the list who no longer works on website content?
  • Is there anyone on the list who no longer works for your organization?
  • Is there anyone on the list who does not need the level of access they have? Could they do what they need to with a more limited user role?

Please make plans to regularly review your user list and re-assign roles as appropriate or remove users who no longer need access to your site.
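The prompts above can be applied mechanically before the manual pass. The script below is an added example, not part of the original page: it reads the roles WordPress stores in the wp_usermeta table (meta_key '<prefix>capabilities', a PHP-serialised array such as a:1:{s:6:"editor";b:1;}, with the default wp_ prefix assumed here) and flags users who hold a role outside the content roles described on this page, hold more than one role, have no role at all, or have an email address outside the organisation's domain (example.org is an assumed value). The sample rows are constructed for the example; on a real site they would come from a query over wp_users joined to wp_usermeta, or from WP-CLI (wp user list). The suggested removal command uses WP-CLI's --reassign option so that the departing user's posts are handed to another account rather than deleted.

```python
import re
from collections import Counter

# Roles this page describes as suitable for content work. Anything else
# (most importantly 'administrator') is flagged for review.
CONTENT_ROLES = {"editor", "author", "contributor", "subscriber"}

# One 's:<len>:"<role>";b:<0|1>;' entry inside the PHP-serialised array that
# WordPress stores in wp_usermeta.meta_value for meta_key = 'wp_capabilities'.
_ROLE_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')

# Constructed sample rows in the shape (ID, user_login, user_email, capabilities).
# These are invented for the example, not data from any real site.
SAMPLE_ROWS = [
    (1, "site_admin", "admin@example.org", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "jane", "jane@example.org", 'a:1:{s:6:"editor";b:1;}'),
    (3, "old_contractor", "dev@agency.example.com", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "sam", "sam@example.org", 'a:2:{s:6:"author";b:1;s:11:"contributor";b:1;}'),
    (5, "newbie", "newbie@example.org", 'a:1:{s:10:"subscriber";b:1;}'),
    (6, "ghost", "ghost@example.org", 'a:0:{}'),
]


def parse_wp_capabilities(serialized: str) -> set:
    """Return the roles granted (value true) in a serialised capabilities array.

    'a:1:{s:6:"editor";b:1;}' -> {'editor'}; entries with b:0 are ignored.
    """
    return {name for name, flag in _ROLE_ENTRY.findall(serialized) if flag == "1"}


def role_counts(rows) -> Counter:
    """Count how many users hold each role; a quick view of how much privilege is spread around."""
    counts = Counter()
    for _, _, _, caps in rows:
        counts.update(parse_wp_capabilities(caps))
    return counts


def audit_users(rows, org_domain: str) -> dict:
    """Apply the audit prompts to each row.

    Returns {user_login: [finding, ...]} for users needing attention;
    users with nothing to report are omitted.
    """
    findings = {}
    for _, login, email, caps in rows:
        roles = parse_wp_capabilities(caps)
        notes = []
        if not roles:
            notes.append("no role assigned: remove the account or give it the role it needs")
        extra = roles - CONTENT_ROLES
        if extra:
            notes.append(f"non-content role(s) {sorted(extra)}: confirm this level of access is still required")
        if len(roles) > 1:
            notes.append(f"multiple roles {sorted(roles)}: keep only the one actually needed")
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if domain != org_domain.lower():
            notes.append(f"email domain '{domain}' is outside {org_domain}: check they still work for you")
        if notes:
            findings[login] = notes
    return findings


def removal_command(login: str, reassign_to: int) -> str:
    """WP-CLI command that deletes a user and hands their posts to another user ID.

    Without --reassign, WordPress deletes the user's posts along with the account.
    """
    return f"wp user delete {login} --reassign={reassign_to}"


if __name__ == "__main__":
    print("Users per role:", dict(role_counts(SAMPLE_ROWS)))
    for login, notes in audit_users(SAMPLE_ROWS, "example.org").items():
        print(f"{login}:")
        for note in notes:
            print(f"  - {note}")
    print("Example removal:", removal_command("old_contractor", reassign_to=2))
```

Run against the constructed rows, the script flags site_admin and old_contractor for holding the administrator role, old_contractor again for an external email address, sam for holding two roles, and ghost for having none; jane and newbie pass. Treat the output as a worklist for the human review described above, not as a decision: an external address may be a legitimate contractor, and an administrator may genuinely need that access.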

How to decide which role to assign to each user

WordPress offers several different roles with varying levels of access. A user’s role should be decided on the basis of what level of access they currently need (i.e. not on what they might need in future – roles can always be changed later if necessary).

The roles below are all suitable for users working on content for your website. Please make sure you do not give any user a higher level of access than they need.

Editor = somebody who can publish and manage posts including the posts of other users.

Author = somebody who can publish and manage their own posts.

The Author role is for people who regularly and confidently publish content on your website and do not need sign-off or oversight from another member of staff. This role should be used for users who do not need to edit and publish other users’ work.
Contributor = somebody who can write and manage their own posts but cannot publish them.

This role is for someone who is new to using the CMS or who does not regularly post website content. They will be able to create and edit posts which can be checked and then published by someone with the Editor role.
Subscriber = somebody who can only manage their profile.

The Subscriber role is used for someone who:

  • does not yet have two-factor authentication set up
  • is not yet trained on using WordPress

Subscribers cannot create or edit content; when they log in, the only part of the WordPress back end they can use is their own profile page. Once a subscriber has set up two-factor authentication and been trained, change their role to the one their work actually requires.