One of the most dangerous habits we see among Hawaii business owners is the “sticky note security” method—sharing a single admin password with everyone from the in-house marketing coordinator to a freelance web developer in California. This practice leaves your digital storefront wide open to security breaches. WordPress was designed with a granular permission system to prevent exactly this issue. By assigning specific roles, you ensure that your delivery driver cannot accidentally delete your homepage, and your SEO consultant has exactly the access they need to rank you higher in local search results.
Here is the standard operating procedure for securely granting access to your WordPress site without handing over the keys to the entire kingdom.
1. Navigate to the User Management Dashboard
The process begins inside your WordPress Admin dashboard. You must be logged in as an Administrator to perform these actions.
- Log in to your site (usually at yourbusiness.com/wp-admin).
- In the left-hand sidebar, hover over Users.
- Select Add New from the flyout menu. This prevents you from overwriting any existing accounts.
2. Create the New User Profile
You will be presented with a form to fill out. While some fields are optional, accuracy here is vital for professional account management.
- Username: Choose something professional. Avoid generic names like “admin2” or “marketing.” Once set, this cannot be changed easily.
- Email: Use the person’s specific business email address (e.g., kai@agencyname.com). This ensures that if they lose access or leave their company, the password reset link goes to them, not a generic inbox.
- Password: Click “Generate password” to create a strong, secure credential. Do not change this to something simple like “Aloha123”; weak passwords are the entry point for the majority of hacks.
- Send User Notification: Check this box. WordPress will email the new user a link to set their own password, saving you from having to email credentials insecurely.
3. Select the Appropriate Role (Critical Step)
The most important decision you make is assigning the correct “Role.” Giving someone too much power violates the “principle of least privilege,” a core security concept.
| Role | Best For… | Capabilities |
|---|---|---|
| Administrator | Business Owners, Lead Developers | Complete control. Can delete the site, change themes, manage plugins, and add/remove other users. Assign this sparingly. |
| Editor | Marketing Managers, SEO Agencies | Can publish, edit, and delete any post or page, including those written by others. Can manage categories and comments but cannot break the site’s design or plugins. |
| Author | Staff Writers, Content Freelancers | Can write, edit, and publish only their own posts. They cannot modify anyone else’s work or access site settings. |
| Contributor | Guest Bloggers, Interns | Can write and save posts but cannot publish them. An Administrator or Editor must review and push the “Publish” button. Ideal for quality control. |
4. Auditing and Revoking Access
Just as you would collect keys from a former employee, you must revoke digital access immediately when a business relationship ends.
- Go to Users > All Users.
- Hover over the user you wish to remove and click Delete.
- Crucial Step: If the user has published content (blog posts, pages), WordPress will ask what to do with it. Select “Attribute all content to” and choose your own admin account. If you do not do this, deleting the user may delete all the blog posts they wrote.
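To make the audit in step 4 repeatable, the checks from this procedure can be run over an export of your user list. The script below is an added example, not part of the original procedure: it assumes you can export users with WP-CLI (`wp user list --format=json`), and the sample accounts, the `audit_users` function, and the two word lists are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of:
#   wp user list --fields=ID,user_login,user_email,roles --format=json
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "leilani", "user_email": "leilani@yourbusiness.com", "roles": "administrator"},
  {"ID": 2, "user_login": "admin2", "user_email": "info@yourbusiness.com", "roles": "administrator"},
  {"ID": 3, "user_login": "kai", "user_email": "kai@agencyname.com", "roles": "editor"},
  {"ID": 4, "user_login": "marketing", "user_email": "malia@yourbusiness.com", "roles": "author"},
  {"ID": 5, "user_login": "noa", "user_email": "noa@yourbusiness.com", "roles": "contributor,administrator"}
]"""

# Assumptions for this example: tune both sets to your own business.
GENERIC_LOGINS = {"admin", "admin2", "marketing", "test", "user", "webmaster"}
SHARED_INBOXES = {"admin", "info", "office", "marketing", "sales", "support"}


def audit_users(export_json, approved_admins):
    """Return a sorted list of (login, finding) for accounts that break the procedure."""
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"]
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",") if r.strip()}
        local_part = user.get("user_email", "").split("@")[0].lower()

        # Step 2: usernames like "admin2" or "marketing" suggest a shared login.
        if login.lower() in GENERIC_LOGINS:
            findings.append((login, "generic username, likely shared"))
        # Step 2: reset links should reach one person, not a team mailbox.
        if local_part in SHARED_INBOXES:
            findings.append((login, "password resets go to a shared inbox"))
        # Step 3: Administrator is assigned sparingly, so compare to an allowlist.
        if "administrator" in roles and login not in approved_admins:
            findings.append((login, "administrator role not on approved list"))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_EXPORT, approved_admins={"leilani"}):
        print(f"{login}: {finding}")
```

Run it on a schedule, or whenever a contractor relationship ends, and handle each finding through the Users screen as described above.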