Giving people access to your website is necessary, but you also need to stay in control: contractors, employees and volunteers should be able to do their jobs efficiently without being able to do more than their jobs require. The steps below help you achieve that.
This article covers the user roles WordPress and WooCommerce provide, what each one can do, and other best practices for website security.
User Roles and Permissions
Two concepts underpin the user management system: roles and capabilities.
A role is the classification assigned to a user or group of users on your WordPress site. Each role has its own set of capabilities.
A capability is a specific action a user is permitted to perform. Editing a post is one capability; moderating comments on blog posts is another.
WordPress offers six default roles, each with its own set of capabilities:
- Super Administrator: Exists only on multisite networks. A super administrator can manage every site on the network and all network-wide settings. On a single site, Administrator is the highest-ranking role.
- Administrator: The most powerful role on a single site; it holds every capability, including installing plugins and themes and managing other users. As the site owner, this should be your role.
- Editor: Usually responsible for managing content. Editors can add, edit, publish and delete any post, page or media item, including those created by others. They can also moderate, edit and delete comments and add and edit categories and tags.
- Author: Responsible for writing content. Authors can create, edit and publish their own posts, and can delete them even after they are published, but they cannot edit or delete posts created by others.
- Contributor: A more limited version of Author. Contributors can read posts and create, edit and delete their own unpublished posts, but they cannot publish. Everything they write waits for your review, so you keep final control over what goes live.
- Subscriber: Assigned by default to new users when you allow registration on your website, and the simplest role. Subscribers can read your site's content and update their own profile. Whether they can leave comments is governed by your Discussion settings rather than by the role.
Installing WooCommerce adds two more roles:
- Customer: Assigned to shoppers who create an account on your site. It is similar to Subscriber: customers can view their past orders and edit their account details.
- Shop Manager: Can run the day-to-day operations of your WooCommerce store but cannot touch back-end code or files. Shop Managers have all the capabilities of a WordPress Editor, plus WooCommerce's own capabilities: they can view WooCommerce reports, manage WooCommerce settings, and create and edit products.
WooCommerce also adds its own capabilities, granted to Administrators and Shop Managers, that allow a user to:
- Manage all WooCommerce settings
- Create and edit products
- View WooCommerce reports
When is the Shop Manager role appropriate?
Assign the Shop Manager role when:
- You want a user to process orders, issue refunds and run reports, but not to edit plugins, themes or settings on your website.
- You want a user to view and update orders and products but not to reach your user settings. Shop Managers cannot add or edit user roles or permissions.
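Shop Manager is often still broader than the job needs. As an added example (not code from WordPress, WooCommerce or this article), the following must-use plugin defines a narrower role: an "order desk" that can work orders but cannot reach settings, reports, products or other users. It also shows the two operations you need for any least-privilege tuning, add_role() with an explicit capability list and remove_cap() on a built-in role, and how to check a specific capability rather than a role name. The role name order_desk and the function names are invented for illustration; the shop_order capability names are the ones WooCommerce registers for its order post type, which you should confirm against your installed version.

```php
<?php
/**
 * Plugin Name: Order desk role (least-privilege example)
 *
 * Added example for this article, not code shipped by WordPress or WooCommerce.
 * Save as wp-content/mu-plugins/order-desk-role.php. The role name "order_desk"
 * and all function names are illustrative.
 */

/**
 * Capabilities for someone who works orders and nothing else.
 * 'read' is core. The *_shop_orders names are the capabilities WooCommerce
 * registers for its shop_order post type (assumed; confirm with
 * `wp cap list shop_manager`). Test in staging: some newer WooCommerce admin
 * screens may check additional capabilities.
 */
function order_desk_capabilities(): array {
    return array(
        'read'                       => true, // log in and see the dashboard
        'edit_shop_orders'           => true, // open the Orders screen and edit orders
        'edit_others_shop_orders'    => true, // orders are created by customers, so "others" is required
        'edit_published_shop_orders' => true,
        'edit_private_shop_orders'   => true,
        'read_private_shop_orders'   => true,
        // Deliberately absent: manage_woocommerce (settings), view_woocommerce_reports,
        // edit_products, delete_shop_orders, list_users, edit_users, install_plugins.
    );
}

/** Create the role once. add_role() returns null and does nothing if the role exists. */
function order_desk_register_role(): void {
    if ( get_role( 'order_desk' ) === null ) {
        add_role( 'order_desk', 'Order Desk', order_desk_capabilities() );
    }
}
add_action( 'init', 'order_desk_register_role' );

/**
 * Optional tightening of the built-in Shop Manager: take away the ability to
 * change store settings. To my knowledge WooCommerce re-applies its default
 * capabilities to shop_manager when it installs or updates, so the removal is
 * re-checked on every request rather than done once. Roles are stored in the
 * options table, so has_cap() keeps this from writing anything when it is
 * already applied.
 */
function order_desk_trim_shop_manager(): void {
    $role = get_role( 'shop_manager' );
    if ( $role && $role->has_cap( 'manage_woocommerce' ) ) {
        $role->remove_cap( 'manage_woocommerce' );
    }
}
add_action( 'init', 'order_desk_trim_shop_manager' );

/**
 * How a screen or REST handler should gate access: test the specific
 * capability, never the role name, because roles are editable and a user can
 * hold several. Returns true only for a user who can edit orders and cannot
 * change settings or touch other users, which is the outcome this role is for.
 */
function order_desk_user_is_confined( int $user_id ): bool {
    return user_can( $user_id, 'edit_shop_orders' )
        && ! user_can( $user_id, 'manage_woocommerce' )
        && ! user_can( $user_id, 'edit_users' );
}
```

Assign the role from Users > Add New or with `wp user set-role <id> order_desk`, then log in as that user and confirm the WooCommerce Settings and Reports entries are gone before handing the account over.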
When is the Administrator role appropriate?
In some cases you may need to grant Administrator rights to another user on your site, typically a developer or agency who needs access to advanced WordPress settings and features to complete a project.
Administrator is the most powerful role in your store, so grant it with care.
Best Practices in User Permissions
- Grant access only to the users who need it, and only at the level they need. This prevents unapproved modifications and accidental deletions.
- Limit the number of Administrator accounts you grant to vendors. Few vendors actually require that level of access; consider what job they will perform before granting it.
- For finer control over what each user can do, install the User Role Editor plugin, which lets you adjust the capabilities of existing roles and create new ones.
Website Security Best Practices
Every user you add to your website is another account that can be compromised or misused, so the more users you have, the greater the risk.
Passwords and Usernames
Make sure everyone on your team uses strong passwords and non-obvious usernames.
- Enable two-factor authentication wherever possible. The free Jetpack plugin makes this easy.
- Avoid predictable usernames such as "admin" and "Administrator"; they are the first thing an attacker tries when guessing passwords. Create a unique username for each user instead.
- WordPress generates a password automatically when you create a new user. You can change it, or let the user set their own.
- Require passwords of at least 12 characters. Mixing upper and lower case, numbers and symbols helps, but length matters most: a long passphrase is stronger than a short string of symbols, and any password that appears in a breach list is weak regardless of its composition.
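WordPress only warns about weak passwords in the browser; nothing stops a user from ticking "confirm use of weak password" or from being created as "admin". As an added example (not code from WordPress, Jetpack or this article), the must-use plugin below enforces the two rules above on the server: reserved usernames are rejected through the core illegal_user_logins filter, and a minimum length plus a denylist is applied wherever a password is set, on the profile screen, the Add New User screen and the password-reset form. The function names and the denylist contents are constructed for illustration; the hook and filter names are WordPress core's.

```php
<?php
/**
 * Plugin Name: Account hygiene rules (example)
 *
 * Added example for this article; not code from WordPress, Jetpack or the
 * article's author. Save as wp-content/mu-plugins/account-hygiene.php.
 * Function names and the denylist contents are illustrative; the hooks are core.
 */

// 1. Reserved usernames. WordPress consults this filter (case-insensitively)
//    in wp_insert_user() and on the self-registration form, so none of these
//    logins can be created again, whether by an administrator or by a visitor.
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( (array) $logins, array( 'admin', 'administrator', 'root', 'test', 'wordpress' ) );
} );

// 2. Password rule: length first, then a denylist. Composition rules
//    (one symbol, one digit...) are a weak substitute for both, so none are
//    enforced here. Returns a message describing the problem, or null if OK.
function account_hygiene_password_problem( string $password ): ?string {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    // Constructed sample; in practice seed this from a breach corpus.
    $denylist = array( 'password1234', 'administrator', 'wordpress123', 'qwertyuiop12' );
    if ( in_array( strtolower( $password ), $denylist, true ) ) {
        return 'That password is too common to be safe.';
    }
    return null;
}

// WordPress submits a new password in the pass1 field of the profile,
// add-user and password-reset forms. An empty field means no change requested.
function account_hygiene_check_pass1( WP_Error $errors ): void {
    $pass1 = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( $pass1 === '' ) {
        return;
    }
    $problem = account_hygiene_password_problem( $pass1 );
    if ( $problem !== null ) {
        // Adding an error to the WP_Error object makes WordPress abort the save.
        $errors->add( 'account_hygiene_password', $problem );
    }
}
// Profile edits and Add New User (edit_user() stops when $errors is non-empty).
add_action( 'user_profile_update_errors', 'account_hygiene_check_pass1', 10, 1 );
// Password reset from the lost-password link (wp-login.php skips reset_password()).
add_action( 'validate_password_reset', 'account_hygiene_check_pass1', 10, 1 );
```

The check runs server-side, so it also covers users created through WP-CLI's `wp user create` only if a password is supplied through these forms; for accounts created from the command line, apply the same length rule to the password you generate.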
Review Roles Regularly
Review user roles regularly, particularly Administrators. Some users may need a different role, and some accounts should be deleted altogether.
If you stop working with a developer or agency, delete their account so they can no longer access your site. The same applies to every other role.
Nobody should hold an account on your site unless they are actually using it.
This applies to your domain and hosting accounts too. If you have given someone your login details, change the password. If you gave a developer FTP credentials to manage your website files, change those as well. InMotion Hosting offers a step-by-step walkthrough for anyone using cPanel.
Remember that a website professional who still holds your hosting account details or FTP credentials can access your website regardless of what you do to their WordPress account.
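Reviewing roles by clicking through the Users screen does not scale and is easy to skip. As an added example (not code from WordPress, WooCommerce or this article), the script below turns the review above into something you can run on a schedule with `wp eval-file admin-audit.php`: it lists every Administrator (and super admin on multisite) that is not on a short allowlist, and it provides the two offboarding actions you actually need, demote and delete, each of which first destroys the user's sessions and application passwords so a deleted or demoted account cannot keep working from a cookie or an API token that was issued earlier. The allowlist, function names and user IDs in the usage note are illustrative.

```php
<?php
/**
 * Administrator audit and offboarding helpers (added example; not part of the
 * article, of WordPress or of WooCommerce). Run with: wp eval-file admin-audit.php
 * Allowlist contents, function names and any user IDs are illustrative.
 */

/** Logins allowed to hold Administrator. Keep it short and under version control. */
function audit_approved_admins(): array {
    return array( 'owner', 'agency-lead' ); // constructed sample
}

/**
 * Administrators not on the allowlist, keyed by user ID. get_users() with
 * 'role' matches users whose capabilities include that role on this site.
 * On multisite, super admins live in a network option, so they are reported too.
 */
function audit_unexpected_admins( array $approved ): array {
    $unexpected = array();
    $fields     = array( 'ID', 'user_login', 'user_email', 'user_registered' );
    foreach ( get_users( array( 'role' => 'administrator', 'fields' => $fields ) ) as $u ) {
        if ( ! in_array( $u->user_login, $approved, true ) ) {
            $unexpected[ (int) $u->ID ] = $u;
        }
    }
    if ( is_multisite() ) {
        foreach ( get_super_admins() as $login ) {
            $u = get_user_by( 'login', $login );
            if ( $u && ! in_array( $login, $approved, true ) ) {
                $unexpected[ (int) $u->ID ] = $u->data;
            }
        }
    }
    return $unexpected;
}

/**
 * Kill everything that lets an account act without its password: logged-in
 * cookies (session tokens) and application passwords (REST/XML-RPC tokens).
 * Changing a role or deleting the account does not do this by itself.
 */
function audit_revoke_access( int $user_id ): void {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    if ( class_exists( 'WP_Application_Passwords' ) ) {
        WP_Application_Passwords::delete_all_application_passwords( $user_id );
    }
}

/** Demote a user to a lesser role. set_role() replaces all roles the user holds. */
function audit_demote_user( int $user_id, string $role = 'editor' ): bool {
    $user = new WP_User( $user_id );
    if ( ! $user->exists() || get_role( $role ) === null ) {
        return false;
    }
    audit_revoke_access( $user_id );
    $user->set_role( $role );
    return true;
}

/**
 * Delete a user and reassign their content so posts and orders survive.
 * On multisite wp_delete_user() only removes the user from the current site;
 * use wpmu_delete_user() to delete network-wide.
 */
function audit_offboard_user( int $user_id, int $reassign_to ): bool {
    if ( $user_id === $reassign_to || ! get_userdata( $user_id ) || ! get_userdata( $reassign_to ) ) {
        return false;
    }
    if ( ! function_exists( 'wp_delete_user' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    audit_revoke_access( $user_id );
    return wp_delete_user( $user_id, $reassign_to );
}

// Report. Under `wp eval-file` WP_CLI is available; fall back to echo elsewhere.
$flagged = audit_unexpected_admins( audit_approved_admins() );
foreach ( $flagged as $id => $u ) {
    $line = sprintf( 'Unexpected administrator #%d %s <%s> registered %s', $id, $u->user_login, $u->user_email, $u->user_registered );
    class_exists( 'WP_CLI' ) ? WP_CLI::warning( $line ) : print( $line . PHP_EOL );
}
if ( ! $flagged ) {
    class_exists( 'WP_CLI' ) ? WP_CLI::success( 'No unexpected administrators.' ) : print( "No unexpected administrators\n" );
}
```

Once the report identifies an account, act on it from the same shell, for example `wp eval 'audit_demote_user(42);'` or `wp eval 'audit_offboard_user(42, 1);'` after loading the file, and then run the report again to confirm the list is empty.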
Create Regular Backups of Your Website
Regular backups of your online store and website are essential, both for security and peace of mind.
It’s important to keep a backup of your website in case a user makes unapproved changes or your site is compromised.
Paid Jetpack plans let you restore a site from a backup with one click. Jetpack also keeps an audit log in your WordPress dashboard with details of every site change: which user made it, when it happened, and exactly what changed.
Don't rely solely on the free backups your hosting provider offers. They are often kept for only 48 hours, and you should have full control over your own files and backups. Keep backups separate from any account you share access to, for example by saving a copy to a cloud service such as Dropbox or Google Drive, or to your own hard drive.
Sharing Login Credentials
Never send login credentials for user accounts or for your hosting and domain accounts by email.
Use a password-sharing tool such as LastPass instead, which has a free plan.
LastPass lets users store usernames and passwords in an encrypted online vault and share individual credentials with other users without exposing them in plain text.
It also lets you set permissions per share: for example, a checkbox controls whether the recipient can view the password or only use it to log in.