WordPress User Management | OpsBlu Docs

WordPress User Management

Manage WordPress user accounts, roles, permissions, and access control for your website

WordPress includes a robust user management system with predefined roles and granular permissions. This guide covers WordPress-specific user administration for sites, stores, and multisite networks.

WordPress User System Overview

User Hierarchy

WordPress organizes users by roles with different capabilities:

  1. Super Admin (Multisite only) - Network-wide control
  2. Administrator - Full site control
  3. Editor - Content publishing and management
  4. Author - Publish own posts
  5. Contributor - Write posts, no publishing
  6. Subscriber - Profile and comments only
  7. Custom Roles - Plugin-defined roles (WooCommerce Customer, Member, etc.)

Access Levels

Frontend vs. Backend:

  • Frontend - Public-facing website (all users can view)
  • Backend (wp-admin) - Dashboard access (Subscriber and above)

Content Permissions:

  • Read - View content
  • Edit - Modify content
  • Delete - Remove content
  • Publish - Make content live

Core User Management Tasks

Common Scenarios

  1. Add New Team Member - Grant appropriate role for their responsibilities
  2. Client Access - Provide limited Editor/Author access for content updates
  3. Agency/Contractor - Temporary Administrator access with MFA
  4. Customer Accounts - WooCommerce Customers for order management
  5. Remove Departing User - Reassign content, revoke access
  6. Audit User Permissions - Regular reviews for security

Best Practices

Security:

  • Enforce strong passwords (WordPress default password strength meter)
  • Enable Two-Factor Authentication (2FA plugin recommended)
  • Limit Administrator accounts to essential personnel
  • Use Author/Editor roles for content teams
  • Subscriber role for users who only need profile access

Governance:

  • Document why each user has access
  • Set review dates for temporary access
  • Use application passwords for API access (WordPress 5.6+)
  • Disable user accounts instead of deleting (preserves content attribution)

WooCommerce:

  • Customer role created automatically on checkout
  • Separate from WordPress admin roles
  • Use Shop Manager for store operations without full site access

Accessing User Management

WordPress Dashboard

wp-admin → Users

Options:
- All Users - List all user accounts
- Add New - Create new user
- Profile - Edit your own account

Via Functions/Code

// Get user by ID
$user = get_user_by('id', 123);

// Get user by email
$user = get_user_by('email', 'user@example.com');

// Get user by login
$user = get_user_by('login', 'username');

// Get current logged-in user
$current_user = wp_get_current_user();

// Check user capabilities
if (current_user_can('edit_posts')) {
    // User can edit posts
}

WP-CLI (Command Line)

# List all users
wp user list

# Get user details
wp user get 123

# Create user
wp user create johndoe john@example.com --role=editor

# Update user role
wp user update 123 --role=author

# Delete user (reassign content to user 1)
wp user delete 123 --reassign=1

WordPress Roles Explained

See Roles & Permissions for detailed breakdown of each role's capabilities.

Quick Reference:

Role Key Capabilities Use Case
Super Admin Network management Multisite network owner
Administrator Full site control Site owner, lead developer
Editor Publish all content Content manager, marketing lead
Author Publish own posts Blog contributor, content writer
Contributor Write posts, no publish Guest writer, intern
Subscriber Profile only Registered user, newsletter subscriber
Shop Manager Manage WooCommerce Store manager (WooCommerce)
Customer Order history WooCommerce purchaser

User Management Workflows

Adding Users

See Adding & Removing Users for step-by-step instructions.

Methods:

  1. wp-admin UI - Individual user creation
  2. Email invitation - User sets own password
  3. Bulk import - CSV import via plugin
  4. Programmatic - wp_create_user() or wp_insert_user()

Considerations:

  • Choose minimal required role
  • Enforce strong passwords or email invitation
  • Enable MFA for admin/editor accounts
  • Set review date for temporary access

Modifying User Roles

Change via Dashboard:

Users → All Users → Hover over username → Edit
Change: Role dropdown → Update User

Change programmatically:

$user = new WP_User(123);
$user->set_role('editor');

Removing Users

See Adding & Removing Users for detailed removal process.

Important: When deleting a user, you must choose:

  • Delete all content - Removes posts, pages authored by user
  • Attribute content to another user - Reassigns to existing user (recommended)

Alternative to deletion:

// Disable user without deleting (custom plugin/function)
update_user_meta(123, 'account_disabled', true);
$user->set_role(''); // Remove all roles

Multisite User Management

Network-Level Users

Super Admin:

  • Only role that can create/delete sites in network
  • Access to Network Admin panel
  • Can administer all sites in network

Regular Users:

  • Can be added to multiple sites with different roles
  • Profile exists network-wide, permissions per-site

Managing Users Across Sites

Add User to Multiple Sites:

// Add user to site ID 2 as Editor
add_user_to_blog(2, 123, 'editor');

// Remove user from site ID 3
remove_user_from_blog(123, 3);

Network Admin → Users:

  • View all network users
  • Add users to specific sites
  • Remove users from sites
  • Delete users network-wide

WooCommerce User Management

Customer Accounts

Customer Role:

  • Created automatically on first purchase
  • Can view order history, track shipments
  • Manage billing/shipping addresses
  • No wp-admin access (frontend only)

Managing Customers:

WooCommerce → Customers
- View customer list
- Filter by order count, total spent
- Edit customer details
- View order history

Shop Manager Role

Capabilities:

  • Manage products, orders, coupons
  • View reports
  • Cannot install plugins or themes
  • Cannot manage other users

Ideal for:

  • Store employees
  • Fulfillment teams
  • Customer service reps

Programmatic Customer Creation

// Create WooCommerce customer
$customer = new WC_Customer();
$customer->set_email('customer@example.com');
$customer->set_first_name('John');
$customer->set_last_name('Doe');
$customer->set_billing_address_1('123 Main St');
$customer->save();

User Data & Privacy

GDPR Compliance

WordPress includes GDPR tools (since WP 4.9.6):

Personal Data Export:

Tools → Export Personal Data
Enter user email → Send request → User receives download link

Personal Data Erasure:

Tools → Erase Personal Data
Enter user email → Send request → User confirms → Data erased

What's included:

  • User profile data
  • Comments
  • WooCommerce order data (if applicable)
  • Plugin data (if plugin supports)

Managing User Data

// Get user meta
$phone = get_user_meta(123, 'billing_phone', true);

// Update user meta
update_user_meta(123, 'billing_phone', '555-1234');

// Delete user meta
delete_user_meta(123, 'old_meta_key');

Security Enhancements

Two-Factor Authentication (2FA)

Recommended Plugins:

  • Two Factor (WordPress.org) - Simple, free
  • WP 2FA - User-friendly setup wizard
  • Wordfence Login Security - Includes 2FA

Implementation:

1. Install Two Factor plugin
2. Users → Your Profile → Two-Factor Options
3. Scan QR code with authenticator app
4. Save backup codes

Application Passwords

For API access without exposing main password (WordPress 5.6+):

Users → Profile → Application Passwords
Name: "Mobile App Access"
Click: Add New Application Password
Copy: Generated password (only shown once)

Use cases:

  • Mobile apps
  • Third-party integrations
  • Automated scripts
  • REST API access

Login Security

Best Practices:

// Limit login attempts (plugin or custom code)
// Change login URL (plugin: WPS Hide Login)
// Disable XML-RPC if not needed
add_filter('xmlrpc_enabled', '__return_false');

// Force logout after inactivity
add_action('init', 'auto_logout_after_inactivity');
function auto_logout_after_inactivity() {
    $timeout = 1800; // 30 minutes
    if (is_user_logged_in()) {
        if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
            wp_logout();
        }
        $_SESSION['last_activity'] = time();
    }
}

Recommended Plugins:

  • Limit Login Attempts Reloaded
  • Wordfence Security
  • iThemes Security

Custom User Roles & Capabilities

Creating Custom Roles

// Add custom role with specific capabilities
add_role(
    'content_reviewer',
    'Content Reviewer',
    array(
        'read' => true,
        'edit_posts' => true,
        'edit_published_posts' => false,
        'publish_posts' => false,
        'delete_posts' => false
    )
);

Modifying Existing Roles

// Add capability to existing role
$role = get_role('editor');
$role->add_cap('edit_theme_options'); // Access to Appearance menu

// Remove capability
$role->remove_cap('edit_theme_options');

Checking Capabilities

// Check if current user can perform action
if (current_user_can('edit_posts')) {
    // Show edit UI
}

// Check specific user
$user = get_user_by('id', 123);
if ($user->has_cap('delete_users')) {
    // User can delete other users
}

Custom Capabilities Plugin:

  • User Role Editor - GUI for managing roles/capabilities
  • Members - Advanced role/capability management
  • PublishPress Capabilities - Fine-grained permission control

User Management Plugins

Essential Plugins

User Registration & Profiles:

  • Ultimate Member - Frontend profiles, registration
  • ProfilePress - User registration, login, profiles
  • BuddyPress - Social networking features

Role Management:

  • User Role Editor - Modify roles and capabilities
  • Members - Role management, content restrictions
  • Advanced Access Manager - Granular access control

User Import/Export:

  • Import Users from CSV - Bulk user creation
  • Export Users to CSV - Backup user data

WooCommerce-Specific

  • WooCommerce (core) - Customer role, shop manager
  • WooCommerce Memberships - Subscription-based access
  • WooCommerce Points and Rewards - Customer loyalty

Monitoring User Activity

Activity Logs

Recommended Plugins:

  • WP Activity Log - Track all user actions
  • Simple History - User activity logging
  • Stream - Activity monitoring

What to track:

  • User login/logout
  • Post/page creation/editing
  • Plugin/theme installation
  • User creation/deletion
  • Settings changes

User Session Management

// Get all active sessions for user
$sessions = WP_Session_Tokens::get_instance(123);
$sessions->get_all();

// Destroy all sessions (force logout everywhere)
$sessions->destroy_all();

User Switching Plugin:

  • User Switching - Switch between user accounts for testing

Troubleshooting User Issues

User Can't Login

Check:

  • Password correct (use "Lost your password?" link)
  • Account not disabled/deleted
  • Email not changed without updating login
  • Database connection working
  • Cookies enabled in browser

User Missing Capabilities

// Debug user capabilities
$user = wp_get_current_user();
echo '<pre>';
print_r($user->allcaps);
echo '</pre>';

Content Not Attributed to Correct Author

// Change post author
wp_update_post(array(
    'ID' => 456, // Post ID
    'post_author' => 123 // New author user ID
));

Next Steps

Back to top