WordPress User Management | OpsBlu Docs

WordPress User Management

Manage WordPress user accounts, roles, permissions, and access control for your website

WordPress includes a robust user management system with predefined roles and granular permissions. This guide covers WordPress-specific user administration for sites, stores, and multisite networks.

WordPress User System Overview

User Hierarchy

WordPress organizes users by roles with different capabilities:

  1. Super Admin (Multisite only) - Network-wide control
  2. Administrator - Full site control
  3. Editor - Content publishing and management
  4. Author - Publish own posts
  5. Contributor - Write posts, no publishing
  6. Subscriber - Profile and comments only
  7. Custom Roles - Plugin-defined roles (WooCommerce Customer, Member, etc.)

Access Levels

Frontend vs. Backend:

  • Frontend - Public-facing website (all users can view)
  • Backend (wp-admin) - Dashboard access (Subscriber and above)

Content Permissions:

  • Read - View content
  • Edit - Modify content
  • Delete - Remove content
  • Publish - Make content live

Core User Management Tasks

Common Scenarios

  1. Add New Team Member - Grant appropriate role for their responsibilities
  2. Client Access - Provide limited Editor/Author access for content updates
  3. Agency/Contractor - Temporary Administrator access with MFA
  4. Customer Accounts - WooCommerce Customers for order management
  5. Remove Departing User - Reassign content, revoke access
  6. Audit User Permissions - Regular reviews for security

Best Practices

Security:

  • Enforce strong passwords (WordPress default password strength meter)
  • Enable Two-Factor Authentication (2FA plugin recommended)
  • Limit Administrator accounts to essential personnel
  • Use Author/Editor roles for content teams
  • Subscriber role for users who only need profile access

Governance:

  • Document why each user has access
  • Set review dates for temporary access
  • Use application passwords for API access (WordPress 5.6+)
  • Disable user accounts instead of deleting (preserves content attribution)

WooCommerce:

  • Customer role created automatically on checkout
  • Separate from WordPress admin roles
  • Use Shop Manager for store operations without full site access

Accessing User Management

WordPress Dashboard

wp-admin → Users

Options:
- All Users - List all user accounts
- Add New - Create new user
- Profile - Edit your own account

Via Functions/Code

// Get user by ID
$user = get_user_by('id', 123);

// Get user by email
$user = get_user_by('email', 'user@example.com');

// Get user by login
$user = get_user_by('login', 'username');

// Get current logged-in user
$current_user = wp_get_current_user();

// Check user capabilities
if (current_user_can('edit_posts')) {
    // User can edit posts
}

WP-CLI (Command Line)

# List all users
wp user list

# Get user details
wp user get 123

# Create user
wp user create johndoe john@example.com --role=editor

# Update user role
wp user update 123 --role=author

# Delete user (reassign content to user 1)
wp user delete 123 --reassign=1

WordPress Roles Explained

See Roles & Permissions for detailed breakdown of each role's capabilities.

Quick Reference:

| Role | Key Capabilities | Use Case |
|---|---|---|
| Super Admin | Network management | Multisite network owner |
| Administrator | Full site control | Site owner, lead developer |
| Editor | Publish all content | Content manager, marketing lead |
| Author | Publish own posts | Blog contributor, content writer |
| Contributor | Write posts, no publish | Guest writer, intern |
| Subscriber | Profile only | Registered user, newsletter subscriber |
| Shop Manager | Manage WooCommerce | Store manager (WooCommerce) |
| Customer | Order history | WooCommerce purchaser |

User Management Workflows

Adding Users

See Adding & Removing Users for step-by-step instructions.

Methods:

  1. wp-admin UI - Individual user creation
  2. Email invitation - User sets own password
  3. Bulk import - CSV import via plugin
  4. Programmatic - wp_create_user() or wp_insert_user()

Considerations:

  • Choose minimal required role
  • Enforce strong passwords or email invitation
  • Enable MFA for admin/editor accounts
  • Set review date for temporary access

Modifying User Roles

Change via Dashboard:

Users → All Users → Hover over username → Edit
Change: Role dropdown → Update User

Change programmatically:

$user = new WP_User(123);
$user->set_role('editor');

Removing Users

See Adding & Removing Users for detailed removal process.

Important: When deleting a user, you must choose:

  • Delete all content - Removes posts, pages authored by user
  • Attribute content to another user - Reassigns to existing user (recommended)

Alternative to deletion:

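// Disable user without deleting (custom plugin/function)
// 'account_disabled' is a custom meta key; WordPress does not check it on its own
$user = new WP_User(123);
update_user_meta(123, 'account_disabled', true);
$user->set_role(''); // Remove all roles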
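
The `account_disabled` flag above only has an effect if something checks it. The following added example (not part of the original page or of WordPress core) shows one way to enforce it; the `opsdemo_` function names are hypothetical, and the meta key is the one used in the snippet above.

```php
<?php
// Added example: make the custom 'account_disabled' flag actually block access.

// Disable an account: flag it, strip privileges, end sessions, revoke API credentials.
function opsdemo_disable_user( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false; // No such user
    }
    update_user_meta( $user_id, 'account_disabled', true );

    // remove_all_caps() drops roles and any capability granted directly to the
    // user; set_role('') only removes roles and leaves direct grants in place.
    $user->remove_all_caps();

    // Existing login cookies stay valid until their session token is destroyed.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();

    // Application passwords (WordPress 5.6+) are checked on API requests, not at
    // the login form, so revoke them as well.
    if ( class_exists( 'WP_Application_Passwords' ) ) {
        WP_Application_Passwords::delete_all_application_passwords( $user_id );
    }
    return true;
}

// Reject new logins for flagged accounts. Priority 30 runs after core's
// username/password check (priority 20), so $user is already resolved.
add_filter( 'authenticate', 'opsdemo_block_disabled_login', 30, 3 );
function opsdemo_block_disabled_login( $user, $username, $password ) {
    if ( $user instanceof WP_User
        && get_user_meta( $user->ID, 'account_disabled', true ) ) {
        return new WP_Error( 'account_disabled', 'This account has been disabled.' );
    }
    return $user;
}
```

Posts keep their author attribution because the user record itself is never deleted.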

Multisite User Management

Network-Level Users

Super Admin:

  • Only role that can create/delete sites in network
  • Access to Network Admin panel
  • Can administer all sites in network

Regular Users:

  • Can be added to multiple sites with different roles
  • Profile exists network-wide, permissions per-site

Managing Users Across Sites

Add User to Multiple Sites:

// Add user to site ID 2 as Editor
add_user_to_blog(2, 123, 'editor');

// Remove user from site ID 3
remove_user_from_blog(123, 3);

Network Admin → Users:

  • View all network users
  • Add users to specific sites
  • Remove users from sites
  • Delete users network-wide

WooCommerce User Management

Customer Accounts

Customer Role:

  • Created automatically on first purchase
  • Can view order history, track shipments
  • Manage billing/shipping addresses
  • No wp-admin access (frontend only)

Managing Customers:

WooCommerce → Customers
- View customer list
- Filter by order count, total spent
- Edit customer details
- View order history

Shop Manager Role

Capabilities:

  • Manage products, orders, coupons
  • View reports
  • Cannot install plugins or themes
  • Cannot manage other users

Ideal for:

  • Store employees
  • Fulfillment teams
  • Customer service reps

Programmatic Customer Creation

// Create WooCommerce customer
$customer = new WC_Customer();
$customer->set_email('customer@example.com');
$customer->set_first_name('John');
$customer->set_last_name('Doe');
$customer->set_billing_address_1('123 Main St');
$customer->save();

User Data & Privacy

GDPR Compliance

WordPress includes GDPR tools (since WP 4.9.6):

Personal Data Export:

Tools → Export Personal Data
Enter user email → Send request → User receives download link

Personal Data Erasure:

Tools → Erase Personal Data
Enter user email → Send request → User confirms → Data erased

What's included:

  • User profile data
  • Comments
  • WooCommerce order data (if applicable)
  • Plugin data (if plugin supports)

Managing User Data

// Get user meta
$phone = get_user_meta(123, 'billing_phone', true);

// Update user meta
update_user_meta(123, 'billing_phone', '555-1234');

// Delete user meta
delete_user_meta(123, 'old_meta_key');

Security Enhancements

Two-Factor Authentication (2FA)

Recommended Plugins:

  • Two Factor (WordPress.org) - Simple, free
  • WP 2FA - User-friendly setup wizard
  • Wordfence Login Security - Includes 2FA

Implementation:

1. Install Two Factor plugin
2. Users → Your Profile → Two-Factor Options
3. Scan QR code with authenticator app
4. Save backup codes

Application Passwords

For API access without exposing main password (WordPress 5.6+):

Users → Profile → Application Passwords
Name: "Mobile App Access"
Click: Add New Application Password
Copy: Generated password (only shown once)

Use cases:

  • Mobile apps
  • Third-party integrations
  • Automated scripts
  • REST API access

Login Security

Best Practices:

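// Limit login attempts (plugin or custom code)
// Change login URL (plugin: WPS Hide Login)
// Disable XML-RPC if not needed (this filter only turns off authenticated XML-RPC methods)
add_filter('xmlrpc_enabled', '__return_false');

// Force logout after inactivity
// WordPress core never calls session_start(), so $_SESSION would not persist
// between requests; the last-activity timestamp is kept in user meta instead
// (tracked per user, not per browser session).
add_action('init', 'auto_logout_after_inactivity');
function auto_logout_after_inactivity() {
    $timeout = 1800; // 30 minutes
    if (is_user_logged_in()) {
        $user_id = get_current_user_id();
        $last_activity = (int) get_user_meta($user_id, 'last_activity', true);
        if ($last_activity && (time() - $last_activity > $timeout)) {
            wp_logout();
            wp_safe_redirect(wp_login_url());
            exit;
        }
        update_user_meta($user_id, 'last_activity', time());
    }
}

// Reset the timer at login so a stale timestamp does not end the new session
add_action('wp_login', 'reset_inactivity_timer', 10, 2);
function reset_inactivity_timer($user_login, $user) {
    update_user_meta($user->ID, 'last_activity', time());
}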

Recommended Plugins:

  • Limit Login Attempts Reloaded
  • Wordfence Security
  • iThemes Security

Custom User Roles & Capabilities

Creating Custom Roles

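// Add custom role with specific capabilities
// add_role() saves the role to the database, so call it once
// (for example on plugin activation) rather than on every request
add_role(
    'content_reviewer',
    'Content Reviewer',
    array(
        'read' => true,
        'edit_posts' => true,
        'edit_published_posts' => false,
        'publish_posts' => false,
        'delete_posts' => false
    )
);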

Modifying Existing Roles

// Add capability to existing role
$role = get_role('editor');
$role->add_cap('edit_theme_options'); // Access to Appearance menu

// Remove capability
$role->remove_cap('edit_theme_options');

Checking Capabilities

// Check if current user can perform action
if (current_user_can('edit_posts')) {
    // Show edit UI
}

// Check specific user
$user = get_user_by('id', 123); // Returns false if the user does not exist
if ($user && $user->has_cap('delete_users')) {
    // User can delete other users
}
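
The same capability checks can drive the periodic permission audit recommended earlier. This added example (not from the original page) reports every account that holds a high-impact capability or has capabilities granted outside its role; the function name and the capability shortlist are assumptions chosen for illustration.

```php
<?php
// Added example: report accounts holding high-impact capabilities.
// opsdemo_audit_privileged_users() and the shortlist below are assumptions.
function opsdemo_audit_privileged_users() {
    // Capabilities that allow code changes, account takeover or site-wide config.
    $sensitive = array(
        'manage_options', 'install_plugins', 'edit_plugins', 'edit_themes',
        'create_users', 'edit_users', 'delete_users', 'promote_users',
        'unfiltered_html',
    );
    $report = array();

    foreach ( get_users() as $user ) {
        // has_cap() resolves role capabilities plus per-user grants and denials.
        $held = array_values( array_filter( $sensitive, array( $user, 'has_cap' ) ) );

        // Keys in $user->caps that are not role names were granted to the user
        // directly; they survive a role change and are easy to miss in review.
        $direct = array_values(
            array_diff( array_keys( array_filter( $user->caps ) ), $user->roles )
        );

        if ( ! $held && ! $direct ) {
            continue; // Nothing notable for this account
        }
        $report[] = array(
            'id'              => $user->ID,
            'login'           => $user->user_login,
            'roles'           => $user->roles,
            'sensitive_caps'  => $held,
            'direct_caps'     => $direct,
            'registered'      => $user->user_registered,
            'active_sessions' => count(
                WP_Session_Tokens::get_instance( $user->ID )->get_all()
            ),
        );
    }
    return $report;
}
```

Compare the returned list against the documented reason each user has access; an entry with `direct_caps` and no matching justification is the first thing to review.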

Custom Capabilities Plugins:

  • User Role Editor - GUI for managing roles/capabilities
  • Members - Advanced role/capability management
  • PublishPress Capabilities - Fine-grained permission control

User Management Plugins

Essential Plugins

User Registration & Profiles:

  • Ultimate Member - Frontend profiles, registration
  • ProfilePress - User registration, login, profiles
  • BuddyPress - Social networking features

Role Management:

  • User Role Editor - Modify roles and capabilities
  • Members - Role management, content restrictions
  • Advanced Access Manager - Granular access control

User Import/Export:

  • Import Users from CSV - Bulk user creation
  • Export Users to CSV - Backup user data

WooCommerce-Specific

  • WooCommerce (core) - Customer role, shop manager
  • WooCommerce Memberships - Subscription-based access
  • WooCommerce Points and Rewards - Customer loyalty

Monitoring User Activity

Activity Logs

Recommended Plugins:

  • WP Activity Log - Track all user actions
  • Simple History - User activity logging
  • Stream - Activity monitoring

What to track:

  • User login/logout
  • Post/page creation/editing
  • Plugin/theme installation
  • User creation/deletion
  • Settings changes

User Session Management

// Get all active sessions for user
$sessions = WP_Session_Tokens::get_instance(123);
$active_sessions = $sessions->get_all();

// Destroy all sessions (force logout everywhere)
$sessions->destroy_all();

User Switching Plugin:

  • User Switching - Switch between user accounts for testing

Troubleshooting User Issues

User Can't Login

Check:

  • Password correct (use "Lost your password?" link)
  • Account not disabled/deleted
  • Email not changed without updating login
  • Database connection working
  • Cookies enabled in browser

User Missing Capabilities

// Debug user capabilities
$user = wp_get_current_user();
echo '<pre>';
print_r($user->allcaps);
echo '</pre>';

Content Not Attributed to Correct Author

// Change post author
wp_update_post(array(
    'ID' => 456, // Post ID
    'post_author' => 123 // New author user ID
));

Next Steps