You needed some updates made on your website and your developer has asked for login (or "credentials") for your website. You just have him/her your own login details? Right?
In this post let's unpack:
- When someone would likely ask you for access to your website.
- The best way to create a new user in WordPress.
- How you can delete that user when they're done.
When is ok to give out your WordPress login?
As a WordPress developer I need access to the dashboard of every site I work on. Sometimes it's just to update content, fix a bug, install new software, or repair a backup. All these kinds of tasks require me to log into the 'back end' of your website and be able to edit and configure the way that your website works. Sometimes I'll also need access to your web host via cPanel and/or FTP (but that's a whole different topic).
But I'm not the only person who might ask you for access to your website.
If you're working with an SEO specialist, they'll need access to the 'back end' of your website to make changes to your on-page SEO. If you're working with someone who's tweaking your marketing automation by connecting your website to your CRM system they will too. So will someone who's carrying out advanced analytics reporting on your website.
In fact lot's of people want access to your website for legitimate reasons.
But when I ask client for a login they generally give me their own administrator login credentials (the username and password they use themselves to sign in).
If that sounds like you, PLEASE STOP!
While it's great that you trust me to hand over your own login information, it's not the best practice.
Imagine if you hired a plumber to do some work on your house. You probably wouldn't give them your only set of keys. Wouldn't it be great if you could give them their own set of keys that you could make magically vanish the moment the job was done. You'd feel more secure with that right? Well we'll look at exactly how we can do that in WordPress.
How to create a new admin user in WordPress
- Login to your WordPress dashboard and navigate to Users > Add New.
- Create a username that makes sense to you. Often I like to base this on the role that the user will play. If it's your web developer you might like to create a username called "webdev". This makes it easy to identify the user in the future, especially if you have multiple users.
- Add the email address for the user. If you're working with an agency (such as an SEO firm) then please ask for an individual's email address (such as firstname.lastname@example.org) rather than a generic email address like (email@example.com). The reason is that this individual will receive an email in a few minutes time with the login information for your website and you want to limit who has access to this.
- I often like to put a Company name in the First Name box, but this isn't essential.
- You can leave the Last Name and Website boxes empty if you like, or fill them in. They aren't essential.
- Leave the Password box alone, and let WordPress generate a secure password for you.
- Leave the Send User Notification box checked.
- Change the Role to Administrator.
- Click Add New User.
It's as simple as that!
After you have clicked "Add New User" your website will automagically send an email to the address you have nominated, giving simple instructions for the user to create their own secure password. Just like the one below.
Too often I've seen people create a new user, invent a simple password (like "greencanoe24") and then email it, insecurely, to the end user with their username. This about as secure as yelling your credit card details to your neighbour over the road as there's no guarantee who is listening.
How to Delete a User
Deleting a user is easy when they have finished the work you have asked them to carry out.
Firstly, have a think about whether you actually need to delete the user account.
It's possible to just Edit the user and change their role back to a Subscriber. This will keep the profile open, and the user will be able to log in and out, but a subscriber can't do anything inside your website (or even really see anything in the back end to be honest). If you think this person will need to log back into your website in a few months time then it might be easier to do this, and then to raise them back up to an Administrator on an as-needs-basis.
But if you need to delete the user profile completely just follow these simple steps.
- Log into your WordPress dashboard.
- Navigate to Users > All Users.
- Hover over the user you want to delete and select Delete.
Here's an example
A Yoga practitioner was referred to me by a colleague. They wanted some minor changes made to their website such as changing the header logo and repairing some broken features. Before we had even properly spoken they had emailed me (insecurely) their own administrator username and password.
While it's great they trusted me with their own login details, I was left holding the only "set of keys" to their website and didn't know who else may have copied them while they were sent to me.