Previously on the CogitActive Saga:
A basic rule is never to publish anything using the WordPress Administrator account. You should create a new user with a lower role (e.g. Author or Editor) to publish your content.
Upon installing WordPress, an Administrator account is automatically created. The latter allows you to perform all actions on your website, from writing and publishing content to managing themes, plugins and more. After setting up WordPress Multisite, I became the Network Admin (aka Super Admin) – while remaining the Administrator of each single site. Specifically, this new role gives all possible capabilities, i.e. the ‘regular’ administration features plus the network administration ones. In a nutshell, the Super Admin has the highest level of access (and responsibility); it has complete control of the entire network.
Given the privileges associated with this account (whether it is the Administrator or Super Admin one), it is the most targeted by hackers. Therefore, it is crucial to secure it with strong login credentials and, equally important, to ensure it remains secure. You probably know about the recommended security best practice, which consists in renaming the default WordPress administrator Username. If you don’t (and keep “admin” as your Username), it makes it easier for hackers to find your Password using brute force attacks. In keeping with this idea of Username leak, it is imperative NOT to publish any content with the WordPress administrator account. Indeed, doing so will make the name of the author, and what is more his/her Username, publicly available (see WordPress housekeeping).
“Create a separate account with a lower role (such as Author) and use that account for everyday posting. Reserve the Administrator account purely for administration of your website.” (Lisa Sabin-Wilson)
For this reason, you should create a new user with a lower role (e.g. Author or Editor) and use it to publish your content.
- Author: can publish and manage (i.e. add, edit, delete, upload) his/her own posts.
- Editor: can publish and manage posts (including the posts of other users) and moderate comments.
This task – straightforward in a regular installation – might be a little more puzzling in WordPress Multisite; a good opportunity for me to resume my tour of the Network Admin (see Network Settings). In particular, users are added on a global basis to the entire network, then assigned to specific sites. So, how to add a new user in WordPress Multisite?
Network Admin Users
The so-called Table of Users lists all users in the network and displays the following information about each user:
- Name (as provided in the Profile; see below)
- Registered (the date when the user registered)
- Sites (to which the user is assigned)
Hover over any user on the list to make the edit links appear. The Edit link on the left will take you to their Edit User profile page; the Edit link on the right by any site name goes to an Edit Site screen for that site.
In addition to the Edit link (that brings you to the user’s Profile page; see below), there is a Delete link – an option obviously not available for the Super Admin. Importantly, when you delete a user, who has already published some posts, you will have the possibility to transfer his/her posts to another account. After clicking the Confirm Deletion button, WordPress will remove the user from the network. Beware that this action is irreversible!
The Add New User screen (accessed via the Add New button or using the sub-menu on the left) allows you to add a new user. You simply have to provide a Username (that can’t be changed) and an E-mail (not already used) and click on Add User. As indicated, a password reset link will be sent to this newly created user via email. WordPress randomly generates a password when the user account is created; basically, the e-mail invites him/her to set his/her own password.
Add New User vs. Add New User vs. Add New User
As opposed to the Network Admin Add New User screen (described above), the one for each site of the network can be confusing. Indeed, you can add either an Existing User or a New User. Specifically, the first option allows you to add an existing user (from the network) to the current site; that is to give him/her access to this specific site. The second option is to add a brand new user to the network (and to the current site at the same time).
In keeping with the “spot the difference” game, this screen has some extra fields (in addition to providing a Username and/or an E-mail). For example, you have to select the Role of the user from a dropdown menu. There is also a checkbox to Skip Confirmation Email, but if you check this option “you’ll need to assign [the new users] a password yourself via their user admin screen” [1].
Of note, the Add New User screen for each site of the network (see above) is also different to the one in a regular WordPress installation. In particular, in the latter (but not in the former) you can provide the First Name and Last Name, as well as the Website, of the new user.
Importantly, if you add a user via the Network Admin Add New Users screen (My Sites > Network Admin > Users > Add New), you will have to change his/her privilege (for each site) via the Table of Users for individual site(s) (Users > All Users; in the dashboard of the individual sites). To do so, select the user (checkbox), then the role from the Change role to… dropdown menu, and click on Change. This task can also be done in the Profile screen (see below) or through the Edit Sites screen (My Sites > Network Admin > Sites > All Sites; see Network Admin Sites). Specifically, you will need to navigate to the Users tab (once in the Edit Sites screen).
Beware that the Administrator in a Multisite installation doesn’t have the same capabilities as the Super Admin. First, he can’t access the Network Admin Users screen (My Sites > Network Admin > Users), but only the Users menu in the dashboard of the individual sites; the Super Admin having access to both. In keeping with their different capabilities, the Administrator(s) “can only remove user privileges for their site: they can’t remove the user from the network” [1].
Once you have added a user, you should edit his/her profile. Although “the only pieces of information WordPress requires you to include in your Profile are your e-mail address and a nickname” [2], you should not skip this important step. In particular, this is where you can specify how your name will be displayed on your site.
The first section – Personal Options – allows you to set some personal preferences for your WordPress backend. For example, you can decide to Disable the visual editor when writing or to Show Toolbar when viewing site, among other options. With the latter option checked, “the admin toolbar displays at the top of every page of your site when you’re viewing it in your browser” [3].
“It’s important to understand that the admin toolbar appears only to users who are logged in. Regular visitors who aren’t logged in to your site can’t see the admin toolbar.” (Lisa Sabin-Wilson)
The Name section shows your Username, but you cannot edit it (i.e. this field is greyed out). Importantly, no one ever needs to see it; hence, the importance of 1) entering a Nickname – a required field anyway – and 2) selecting from the Display name publicly as dropdown menu something other than your Username! The latter “defaults to your first and last name” [2] – if provided in the (optional) fields First Name and Last Name. Again, it is essential not to choose your Username.
Depending on the way you reach the Profile screen, this section will be slightly different. In particular, if you access it via the Network Admin dashboard, you will be able to Grant this user super admin privileges for the Network. On the other hand, if you access it via the dashboard of an individual site, a dropdown menu allowing you to define his/her Role will be present instead.
There is not much to say about the Contact Info section; it consists of only two fields: Email and Website. Only the former is required since it is the one WordPress uses “for your blog’s administration purposes” [2]. If you wish, you can insert your website URL. It may (or may not) be displayed on your site depending on the theme you use.
All users are required to list an e-mail address in their respective Profiles. The E-mail address must be unique for each user. Your blog will use this address to notify you of new comments to your posts and for other administrative purposes.
“A bit of paranoia regarding your personal information is healthy.” (WordPress)
In keeping with providing information about yourself, the next section – About the user – allows you to enter a short Biographical Info that “can be displayed by your theme if so configured by the theme author” [2]. Even if your theme does not display this information, search engines can pick it up. Thus, sound advice is to “always be careful with the information in your profile” [3]. You can also set a Profile Picture, or more accurately, you can change your profile picture on Gravatar.
“What? What is that?”
- A gravatar is a globally recognized avatar (a graphic image or picture that represents a user).
Actually, WordPress integrates Gravatars into every WordPress site, which means:
if you choose not to sign up with Gravatar, the default icon set by the Administrator appears next to your name. In other words, yes you can set up a profile picture; however, you can only [4] do so using the Gravatar system.
“Wait! What about this Gravatar thing? Did you use it to set up your Profile picture?”
“Hmm, good question. Let me address this in the next post…”
Last, in the Account Management section, you can change the password for your site by clicking the Generate Password button. Then, “you can use the password that WordPress generates for you or type your own password in the text field that appears” [3]. In addition to this New Password sub-section, you may also have one called Sessions (at least in the Profile screen of the Super Admin). By clicking the Log Out Everywhere Else button, you can log yourself out of other devices/locations.
You can click this button to generate a new password for the account. This will show you a new field with the generated password. If you choose to change this password, a checkbox will appear to confirm that you want to use a weak password.
Don’t forget to click the Update User or Update Profile button to save your changes.
Take-home message
To recap, you don’t want to publish anything with a WordPress administrator account – whether this is the Administrator or the Super Admin one! Therefore, it is essential that you create a separate account with a lower role for anything content-related. Granted, the Username of this Author/Editor account will be disclosed as well – even if you mask it by providing a Nickname – (see WordPress housekeeping); yet, this is a lower concern given the limited privileges associated with these roles (i.e. either Author or Editor).
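The recap above, turned into an added check that is not part of the original post: a short Python audit over per-site user and post listings exported with WP-CLI. The sample data and login names are constructed, and the export commands in the comments are assumptions about how you would obtain the listings. Low-role accounts are rated a lower concern, as the post argues.

```python
import json

# Constructed sample data in the shape WP-CLI emits. Assumed export commands,
# run once per site of the network (roles and posts are per site):
#   wp user list --url=<site> --fields=ID,user_login,display_name,roles --format=json
#   wp post list --url=<site> --post_status=publish --fields=ID,post_author --format=json
USERS_JSON = """[
 {"ID": 1, "user_login": "admin", "display_name": "admin", "roles": "administrator"},
 {"ID": 2, "user_login": "cgt_writer", "display_name": "CogitActive", "roles": "author"},
 {"ID": 3, "user_login": "jdoe", "display_name": "JDoe", "roles": "editor"}
]"""
POSTS_JSON = """[
 {"ID": 10, "post_author": "1"},
 {"ID": 11, "post_author": "2"},
 {"ID": 12, "post_author": "3"}
]"""
SUPER_ADMINS = {"admin"}  # constructed; e.g. the logins printed by `wp super-admin list`


def audit(users_json, posts_json, super_admins=frozenset()):
    """Return sorted (severity, login, finding) tuples for the rules in this post."""
    users = json.loads(users_json)
    authors = {int(p["post_author"]) for p in json.loads(posts_json)}
    findings = []
    for u in users:
        login = u["user_login"]
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        # A Super Admin may hold no role on a given site but is still privileged.
        privileged = "administrator" in roles or login in super_admins
        # Exposure of a low-role login matters less than that of an admin login.
        sev = "high" if privileged else "low"
        if privileged and int(u["ID"]) in authors:
            findings.append((sev, login, "privileged account has published posts"))
        if u["display_name"].strip().lower() == login.lower():
            findings.append((sev, login, "display name equals username"))
        if login.lower() == "admin":
            findings.append((sev, login, "default 'admin' username"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, login, finding in audit(USERS_JSON, POSTS_JSON, SUPER_ADMINS):
        print(f"[{sev}] {login}: {finding}")
```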
Following this sound advice, I created a new user and updated his profile accordingly (i.e. by providing a Nickname – CogitActive – and selecting it from the Display name publicly as dropdown menu). Of note, I did some extra things to mask his Username further (more tips on that matter coming soon). Anyway, the Right Now dashboard widget (see Network Settings) was proudly giving me a new count of how many users were in my network:
You have 2 sites and 2 users.
To be continued…
[1] See Working With Users in WordPress Multisite – a section of the WordPress Multisite: The Everything-You-Need-To-Know Guide to WordPress Network article by Rachel McCollin (from Kinsta).
[2] See Users Your Profile Screen.
[3] Lisa Sabin-Wilson (2017) WordPress All-in-One For Dummies – Third Edition. Hoboken, New Jersey: John Wiley & Sons.
[4] As always, there are workarounds. For instance, you can use plugins to overhaul the entire profile picture system.