Managing Ghost staff involves inviting new users, assigning appropriate roles, transferring content ownership, and securely removing access when needed. This guide covers the complete lifecycle of Ghost staff management with security best practices.
Prerequisites
Before managing Ghost staff:
- Administrator or Owner role - Required to invite/remove staff
- Email configuration - Ghost must send invitation emails (Settings → Email)
- Role understanding - Review Ghost Roles and Permissions
- Approval process - Documented procedure for granting access
Adding New Staff
Step 1: Prepare New User Information
Collect Required Information:
- Full name
- Email address (must be unique, not already used)
- Desired role (Owner, Admin, Editor, Author, Contributor)
- Department/team assignment
- Manager approval documentation
- Start date and expected access duration
Verify Prerequisites:
- Email configuration working (test with your own email)
- User has legitimate business need for Ghost access
- Appropriate role selected (principle of least privilege)
- Approval obtained from manager or department head
Step 2: Send Invitation
Via Ghost Admin Interface
Navigate to Staff Settings
- Log in to Ghost Admin (yourdomain.com/ghost)
- Click Settings (bottom-left gear icon)
- Select Staff from settings menu
Click "Invite People"
- Button located in top-right corner
- Opens invitation modal
Enter User Details
- Email address - Enter valid email (required)
- Role - Select from dropdown:
- Owner (not selectable - only transfer)
- Administrator
- Editor
- Author
- Contributor
Send Invitation
- Click Send invitation now
- Ghost sends email with activation link
- Invitation expires after 7 days
Invitation Email Contents:
Subject: You've been invited to join [Site Name]
You've been invited to join [Site Name] as [Role].
[Accept Invitation Button]
This invitation expires in 7 days.
Invitation Best Practices
- Document invitation - Log who invited, when, role, and justification
- Notify user separately - Send context about their role and responsibilities
- Include onboarding - Share documentation, style guides, editorial calendar
- Set expectations - Explain workflow, approval processes, content standards
Step 3: User Accepts Invitation
User Actions:
Receive invitation email
Click Accept Invitation button
Redirected to Ghost setup page
Enter:
- Full name (required)
- Password (minimum 10 characters recommended)
- Optional: Profile photo, bio, location, website
Click Create Account
Redirected to Ghost Admin dashboard
First Login Experience:
- User sees Ghost Admin interface based on role
- Contributor/Author: Content creation focused
- Editor: Full content management
- Admin/Owner: Complete settings access
Step 4: Configure User Profile and Settings
Administrator Actions (Optional but Recommended):
Verify User Profile
- Navigate to Settings → Staff
- Click on new user
- Verify:
- Name spelling correct
- Email accurate
- Role appropriate
- Profile complete
Enable Two-Factor Authentication (Recommended for Admin/Owner)
- User must enable 2FA themselves
- Navigate to user profile → Enable 2FA
- Scan QR code with authenticator app
- Save backup codes securely
Set User Bio and Social Links (Optional)
- Helps with author attribution on posts
- Improves SEO and social sharing
- Creates professional author pages
New User Onboarding Checklist:
- Invitation accepted and account created
- Profile completed (name, bio, photo)
- 2FA enabled (if Admin or Owner)
- Onboarding documentation reviewed
- Test post created (for Authors/Contributors)
- Editorial guidelines acknowledged
- Content calendar access granted
- Communication channels added (Slack, email lists)
Managing Existing Staff
Update User Role
When to Change Roles:
- Promotion or increased responsibilities
- Temporary role elevation for specific project
- Role reduction due to performance or security concerns
- Transition from Contributor → Author after trust established
Steps to Change Role:
- Navigate to Settings → Staff
- Click on user to modify
- Click Edit or role dropdown
- Select new role from dropdown
- Click Save
- User sees new permissions immediately (no re-login required)
Role Change Notifications:
- Ghost does NOT notify user of role changes
- Manually notify user via email or Slack
- Document role change with justification
- Update access control spreadsheet/documentation
Security Considerations:
- Elevating role: Ensure proper approval obtained
- Reducing role: Notify user and document reason
- Temporary elevation: Set calendar reminder to revert role
- Review role changes monthly
Suspend User (Without Deletion)
Ghost doesn't have a native "suspend" feature, but you can effectively suspend users:
Option 1: Change to Contributor Role
- Demote to Contributor (cannot publish)
- Prevents new content publication
- User retains account but limited capabilities
Option 2: Change Email to Invalid Address
- Edit user profile
- Change email to suspended+[username]@yourdomain.com
- User cannot reset password (invalid email)
- Document original email for potential reactivation
Option 3: Use Custom Integration (Self-Hosted)
// Custom webhook to disable login
// Requires custom Ghost integration
When to Suspend Instead of Delete:
- Short-term absence (maternity leave, sabbatical)
- Investigation pending (security incident, policy violation)
- Seasonal contributors (return expected)
- Content attribution preservation needed
Transfer Content Ownership
When to Transfer Content:
- User leaving organization (assign content to remaining staff)
- Reorganization or team changes
- Guest author content to managing editor
- Deleted user cleanup
Steps to Transfer Posts:
Ghost doesn't have bulk transfer. Manual process:
Identify Content to Transfer
- Navigate to Posts
- Filter by author (search bar or author filter)
- List all posts to transfer
Reassign Each Post
- Open post in editor
- Click Settings (gear icon in top-right)
- Scroll to Post Authors
- Remove original author
- Add new author
- Click Update
Verify Transfer
- Check author page (yoursite.com/author/username)
- Ensure posts moved to new author
- Verify bylines correct on posts
Bulk Transfer Options:
Via Ghost Admin API (Self-Hosted):
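```javascript
// Bulk transfer posts from one author to another
const GhostAdminAPI = require('@tryghost/admin-api');

const api = new GhostAdminAPI({
  url: 'https://yoursite.com',
  // Admin API key ("id:secret"); load it from a secret store, not source control
  key: 'your-admin-api-key',
  version: 'v5.0'
});

async function transferPosts(fromAuthorId, toAuthorId) {
  // Match on the author's ID; a bare "authors:" filter matches on slug
  const posts = await api.posts.browse({
    filter: `authors.id:'${fromAuthorId}'`,
    limit: 'all'
  });

  for (const post of posts) {
    // Replacing the authors array also removes any co-authors on the post
    await api.posts.edit({
      id: post.id,
      authors: [{id: toAuthorId}],
      // Required by the Admin API for collision detection
      updated_at: post.updated_at
    });
    console.log(`Transferred: ${post.title}`);
  }
}

transferPosts('old-author-id', 'new-author-id').catch(console.error);
```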
Via Database (Self-Hosted, DANGEROUS):
```sql
-- Update posts_authors table to reassign posts
-- BACKUP DATABASE FIRST
UPDATE posts_authors
SET author_id = 'new-author-id'
WHERE author_id = 'old-author-id';
```
Content Transfer Best Practices:
- Transfer BEFORE deleting user (prevents content loss)
- Document transfers (who, what, when)
- Notify new author of transferred content
- Update editorial calendar/assignments
Removing Staff
Step 1: Pre-Removal Checklist
Before Removing User:
- Content transferred to remaining staff
- User notified of access removal (if appropriate)
- API keys/tokens revoked (if user had access)
- Webhooks updated if user-specific
- Integration credentials changed (if user knew them)
- 2FA backup codes retrieved or invalidated
- Documentation updated (remove from team lists)
- Access to related tools removed (Stripe, email, etc.)
Export User Data (Optional but Recommended):
- List of all posts authored
- Comments made (if tracked)
- Activity history
- Profile information
Step 2: Remove User from Ghost
Via Ghost Admin Interface
Navigate to Staff Settings
- Ghost Admin → Settings → Staff
Locate User to Remove
- Scroll to user in staff list
- Or use search bar
Click User → Delete/Remove
- Click user name to open profile
- Scroll to bottom
- Click Delete User button (red)
Confirm Deletion
- Warning appears: "Are you sure you want to delete this user?"
- Explains consequences:
- User loses Ghost Admin access immediately
- Content remains (not deleted)
- Action cannot be undone
- Click Delete User to confirm
Immediate Effects:
- User cannot log in to Ghost Admin
- Email removed from staff list
- User profile page (yoursite.com/author/username) remains live
- All authored content remains published
- Comments/activity remain attributed to user
What is NOT Deleted:
- Published posts and pages
- Uploaded media/images
- Author profile page
- Comments (if commenting enabled)
- Activity history/logs
Step 3: Post-Removal Actions
Verify Removal:
- Check Settings → Staff - user gone
- Attempt login with removed user (should fail)
- Check author page - posts still visible but user removed from staff
Clean Up (Optional):
Hide Author Page
- Published content remains
- Author page still accessible
- To hide: Transfer all posts to another author, then author page becomes empty
Update Team Page
- Remove from "About" or "Team" page
- Update contributor lists
- Remove from editorial masthead
Revoke Related Access
- Stripe Dashboard (if they had access)
- Email service (Mailgun, SendGrid)
- Analytics platforms (GA4, etc.)
- Social media accounts
- Design tools (Figma, Canva)
Security Hardening:
- Change shared passwords they knew
- Rotate API keys/tokens
- Review webhooks for user-specific endpoints
- Check code injection for user-added scripts
Owner Removal (Special Case)
Ownership Transfer Required:
Ghost allows only ONE Owner. To "remove" current Owner:
Transfer Ownership First
- Current Owner: Settings → Staff
- Click new Owner user
- Click Transfer Ownership
- Confirm transfer
- Former Owner automatically becomes Administrator
Then Remove Former Owner
- New Owner can now delete former Owner
- Follow standard removal steps above
Ownership Transfer Checklist:
- New Owner accepts ownership
- Billing information updated
- New Owner has 2FA enabled
- New Owner credentials documented securely
- Former Owner downgraded to Admin or removed
- Access to billing/payment methods verified
Bulk User Management
Bulk Invite (Not Native)
Ghost lacks bulk invite UI. Options:
Option 1: Repeat Invitation Process
- Manually invite each user via Settings → Staff
- Time-consuming but reliable
Option 2: Ghost Admin API (Self-Hosted)
```javascript
const GhostAdminAPI = require('@tryghost/admin-api');

const api = new GhostAdminAPI({
  url: 'https://yoursite.com',
  key: 'your-admin-api-key',
  version: 'v5.0'
});

const newUsers = [
  {email: 'author1@example.com', roles: ['Author']},
  {email: 'author2@example.com', roles: ['Author']},
  {email: 'editor1@example.com', roles: ['Editor']}
];

async function bulkInvite() {
  for (let user of newUsers) {
    try {
      await api.users.invite(user);
      console.log(`Invited: ${user.email}`);
    } catch (error) {
      console.error(`Failed to invite ${user.email}:`, error);
    }
  }
}

bulkInvite();
```
Option 3: Import from CSV (Custom Script)
- Requires custom development
- Not officially supported
Bulk Removal
Manual Approach:
- List users to remove
- Transfer content systematically
- Remove users one-by-one
API Approach (Self-Hosted):
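```javascript
const GhostAdminAPI = require('@tryghost/admin-api');

const api = new GhostAdminAPI({
  url: 'https://yoursite.com',
  key: 'your-admin-api-key',
  version: 'v5.0'
});

// Transfer each user's content before running this; deletion cannot be undone
const usersToRemove = ['user-id-1', 'user-id-2', 'user-id-3'];

async function bulkRemove() {
  for (const userId of usersToRemove) {
    try {
      await api.users.delete({id: userId});
      console.log(`Removed user: ${userId}`);
    } catch (error) {
      console.error(`Failed to remove ${userId}:`, error);
    }
  }
}

bulkRemove();
```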
Access Control Best Practices
Regular Audits
Monthly Review:
- List all staff users
- Verify roles still appropriate
- Check for inactive accounts (no login in 90+ days)
- Remove former employees still listed
Quarterly Deep Audit:
- Review all Administrator and Owner accounts
- Verify 2FA enabled on privileged accounts
- Check for anomalous activity in logs
- Update access documentation
Annual Compliance:
- Full staff list review with HR
- Document all access grants/removals
- Verify against employee roster
- Archive audit trail
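The roster, inactivity and privileged-account checks above can be run offline against a staff export. This is an added example, not part of the original guide or Ghost's own tooling; the records are constructed, and the field names (`email`, `last_seen`, `roles[].name`) are assumptions about the shape of your export.

```javascript
// Added example: audit a staff list against an HR roster.
// sampleStaff and sampleRoster are constructed data; field names are assumed.
const PRIVILEGED = new Set(['Owner', 'Administrator']);
const DAY_MS = 24 * 60 * 60 * 1000;

const sampleStaff = [
  { email: 'owner@example.com', last_seen: '2024-06-01T09:00:00Z', roles: [{ name: 'Owner' }] },
  { email: 'admin@example.com', last_seen: '2024-01-10T09:00:00Z', roles: [{ name: 'Administrator' }] },
  { email: 'author@example.com', last_seen: null, roles: [{ name: 'Author' }] },
  { email: 'contractor@example.com', last_seen: '2024-05-30T09:00:00Z', roles: [{ name: 'Contributor' }] },
];
// Roster e-mails often differ in case from what staff typed at sign-up.
const sampleRoster = ['owner@example.com', 'Admin@Example.com', 'author@example.com'];

function auditStaff(staff, roster, now, maxIdleDays = 90) {
  const employed = new Set(roster.map((e) => e.trim().toLowerCase()));
  const findings = [];
  for (const user of staff) {
    const email = user.email.trim().toLowerCase();
    const roles = (user.roles || []).map((r) => r.name);
    const privileged = roles.some((r) => PRIVILEGED.has(r));
    const reasons = [];
    // Former employees still listed: account exists but is not on the roster.
    if (!employed.has(email)) reasons.push('not-on-roster');
    if (!user.last_seen) {
      // An accepted invitation that was never used is still live access.
      reasons.push('never-logged-in');
    } else {
      const idleDays = Math.floor((now - new Date(user.last_seen)) / DAY_MS);
      if (idleDays >= maxIdleDays) reasons.push(`inactive-${idleDays}d`);
    }
    if (reasons.length > 0) findings.push({ email, roles, privileged, reasons });
  }
  // Privileged accounts first: they carry the most risk if left unreviewed.
  return findings.sort((a, b) => Number(b.privileged) - Number(a.privileged));
}

const auditDate = new Date('2024-06-10T00:00:00Z'); // fixed so the run is repeatable
for (const f of auditStaff(sampleStaff, sampleRoster, auditDate)) {
  const tag = f.privileged ? 'PRIV' : 'user';
  console.log(`${tag} ${f.email} [${f.roles.join(',')}] ${f.reasons.join(', ')}`);
}
```

Each finding maps to an action already described in this guide: confirm with the manager, reduce the role, or transfer content and remove the account.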
Documentation Requirements
Maintain Staff Access Log:
| Date | Action | User Email | Role | Approved By | Reason | Removed Date |
|---|---|---|---|---|---|---|
| 2024-01-15 | Added | author@example.com | Author | Jane (Admin) | New hire - content team | |
| 2024-02-20 | Role Change | author@example.com | Editor | Jane (Admin) | Promotion to managing editor | |
| 2024-06-10 | Removed | contractor@example.com | Contributor | Jane (Admin) | Contract ended | 2024-06-10 |
Include in Documentation:
- Who requested access
- Business justification
- Approval chain
- Date granted
- Initial role
- Any role changes with dates
- Date removed (if applicable)
- Content transferred to (if removed)
Security Incidents
If User Account Compromised:
Immediate Actions:
- Change user password immediately (if Owner/Admin)
- Revoke user access (remove from Ghost)
- Review recent activity logs
- Check for unauthorized content changes
- Verify no integrations added
Investigation:
- Determine scope of compromise
- Check if API keys exposed
- Review code injection for malicious scripts
- Verify member data not accessed
Remediation:
- Restore any damaged content
- Rotate all shared credentials
- Reset API keys/webhooks
- Notify affected users (if member data involved)
Prevention:
- Enforce 2FA on all Admin+ accounts
- Implement IP allowlisting (if available)
- Regular security training
- Audit access quarterly
Ghost(Pro) vs. Self-Hosted
Ghost(Pro)
- User management via Ghost Admin UI only
- No direct database access
- SCIM/SSO available on higher-tier plans
- Support can assist with bulk operations
Self-Hosted
- Full database access (manual user management)
- Can use Ghost Admin API for automation
- Custom authentication possible
- Responsible for security and backups
Common Issues
Issue: Invitation Email Not Received
Solutions:
- Check spam/junk folder
- Verify email configuration (Settings → Email)
- Test with different email provider (Gmail, Outlook)
- Resend invitation (delete and re-invite)
- Check Ghost logs for email errors (self-hosted)
Issue: Cannot Remove User (Owner)
Solution:
- Transfer ownership to another user first
- Then remove former Owner
Issue: Deleted User Content Still Shows
Expected Behavior:
- Ghost retains published content after user deletion
- Author page remains live
- To remove: Transfer all content, then author page empties
Issue: User Locked Out After Role Change
Solution:
- Role changes don't lock users out
- User may need to refresh browser
- Clear browser cache and cookies
- Try logging out and back in
Next Steps
- Ghost Roles and Permissions - Understand permission levels
- User Management Overview - Governance and access control
- Ghost Integrations - Configure tracking and tools