Advice on users sharing logins
Don’t let them.
If reasonably possible, every person who needs to log into the site should have a private login. Why? Doing this lets you…
- give them a Role that matches their needs
- keep track of who edited what and, if you have questions about an edit, ask the right person
- remove their account if they’re no longer associated with your nonprofit
Managing logins
You manage users through the Users menu.
The All Users option will let you edit existing users or add new ones.
Username (login) and “friendly” name
Every user must have a Username to log in (e.g., “pstar”).
Optionally and separately, you can specify a friendlier First Name and Last Name (e.g., “Patrick” and “Star”).
Always provide these optional “friendly” names. Sometimes WordPress will show the username instead—for example in article bylines—and it doesn’t look professional to credit an article to a writer with a name like “pstar”.
Role (security level)
A user’s role determines how much that user is able to do in managing the site.
Themes and plugins can change the list of available roles, but the standard WordPress roles are all most organizations will need. From highest capabilities to lowest they are:
- Administrator: can do anything on the administrative menu.
- Editor: can publish and manage pages, including other people’s pages.
- Author: can edit and publish their own pages.
- Contributor: can edit their own pages but not publish them.
- Subscriber: can only log in and manage their own profile.
In general, give people the lowest level of privileges that will let them do their job. Giving someone a role that’s higher than they need:
- needlessly clutters their menu with options they won’t (or shouldn’t) use
- gives them access to options where they could accidentally damage or even shut down the site
For these reasons, even the site’s overall administrator might want to have a second, non-Administrator level login for routine content editing.
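One way to check a site against the advice above, as an added example that is not part of the original page: a short Python script that reviews a user list for missing friendly names, roles outside the standard five, too many Administrators, and Administrators with no second lower-level login. The CSV column names, the sample accounts, and the `max_admins` threshold are assumptions made for this example.

```python
import csv
import io

# Standard WordPress roles from the list above, highest capabilities first.
STANDARD_ROLES = ["administrator", "editor", "author", "contributor", "subscriber"]

# Constructed sample export; column names and accounts are assumptions.
SAMPLE_CSV = """user_login,first_name,last_name,role
pstar,Patrick,Star,administrator
pstar-edit,Patrick,Star,editor
office,,,administrator
scheeks,Sandy,Cheeks,administrator
volunteer1,,,contributor
events,Lee,Doe,event_manager
"""


def audit_users(csv_text, max_admins=2):
    """Return sorted (user_login, finding) pairs for accounts worth reviewing.

    max_admins is an assumed threshold for this example, not a WordPress setting.
    """
    rows = [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(csv_text))]
    findings = []
    roles_by_person = {}  # (first, last) -> set of roles held across that person's logins
    for row in rows:
        row["role"] = row["role"].lower()
        if not (row["first_name"] and row["last_name"]):
            findings.append((row["user_login"], "missing friendly name"))
        else:
            person = (row["first_name"].lower(), row["last_name"].lower())
            roles_by_person.setdefault(person, set()).add(row["role"])
        if row["role"] not in STANDARD_ROLES:
            findings.append((row["user_login"], "non-standard role: " + row["role"]))
    admins = [r for r in rows if r["role"] == "administrator"]
    for row in admins:
        if len(admins) > max_admins:
            findings.append((row["user_login"], "administrator count above max_admins"))
        person = (row["first_name"].lower(), row["last_name"].lower())
        # Named administrator with no lower-privilege login for routine editing.
        if roles_by_person.get(person) == {"administrator"}:
            findings.append((row["user_login"], "no second non-administrator login"))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_CSV):
        print(f"{login}: {finding}")
```

An account with no first and last name is also worth a second look as a possible shared login, since nothing ties it to one person.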
Security warning
To give you flexibility in formatting content, it’s possible to enter HTML and other web code into certain fields and screens. An unscrupulous user could use this ability to maliciously modify the system’s appearance or function.
For this reason, only give access levels that allow entering such code to trusted users. For those who can create content but not publish it, carefully review their work before publishing it.