What Is Administrator in WordPress? The Complete Guide for New and Experienced Users

The administrator user represents immense power in WordPress. As a webmaster with over 15 years of experience managing hundreds of WordPress sites, I've seen firsthand how important it is to properly handle the admin role.

In this beginner's guide, I'll explain everything you need to know about the administrator role in WordPress. I'll cover what exactly an admin can do, best practices for managing admin users, and critical security steps every site owner should take. My goal is to help you utilize the admin capabilities wisely to take full control of your WordPress site.

A WordPress Admin Has Complete Control

The administrator user role grants unlimited access to all parts of a WordPress site. When someone installs WordPress, the installation process creates the first user account and assigns it the admin role.

This initial admin user has unrestricted power over the site:

  • Access to every page in the WordPress admin dashboard and all settings.
  • Ability to fully manage plugins – can install, activate, deactivate, configure, and delete plugins.
  • Ability to fully manage themes – can install, activate, customize, edit files, and delete themes.
  • Ability to edit any post, page, custom post type, category or tag. Can publish, unpublish, or delete any content.
  • Ability to add, edit, and permanently delete users.
  • Ability to moderate and manage all comments.
  • Ability to edit any file and database table in WordPress.
  • Ability to update WordPress core software and plugins/themes.

Essentially, an admin can do anything and everything in WordPress.

According to the WordPress User Roles and Capabilities Codex page, the administrator role has all 38 available capabilities enabled by default. No other role, including Editor or Author, is granted full control in this way.

That's why properly managing admins is so important for every WordPress site owner…

Use Caution When Adding Administrators

WordPress admins have tremendous power over a site. Unchecked, the administrator role can be dangerous or lead to problems down the road.

Based on my experience managing hundreds of sites over 15+ years, I strongly recommend being extremely selective about who you grant admin access to.

Here are a few guidelines to keep in mind:

  • On a personal blog or small business site, the site owner should be the only admin. Don't assign this role to others unless absolutely necessary.

  • On a multisite network, limit use of the super admin role only to developers responsible for managing the entire network.

  • On a site with multiple contributors, avoid granting admin powers except to the manager or team lead directly overseeing the site. Give most users Editor or lower roles.

  • When bringing on developers or contractors, be cautious about providing temporary admin access. Oversight of a WordPress site should ultimately remain with the site owner.

Unnecessary administrator accounts are a security risk. According to the 2020 State of Malware Report by SiteLock, over 20% of WordPress sites have experienced malicious logins in the past year, likely targeted at admin accounts.

Follow the principle of least privilege. Assign admin powers only when absolutely needed, and remove when no longer necessary.

Administrator vs Super Administrator

On a standard WordPress site, there is only one type of administrator with full privileges. But WordPress multisite networks split the admin role into two:

  • Administrator – Has control over a single site in the network. Can manage content, settings, plugins, themes for that site only.

  • Super Administrator – Has admin rights across the entire network. Controls global settings, users, updates, and tools that impact all sites.

For example, actions like updating WordPress core, installing a plugin to every site, or adding new sites to the network require super admin access.

Site admins maintain their own sites, while super admins oversee the whole network. Limiting who has super admin powers is critical.

How to Access the WordPress Admin Area

As an administrator, the WordPress admin dashboard is your headquarters for managing your site.

Access it by adding /wp-admin/ or /wp-login.php to your WordPress site's URL. For example:

yourdomain.com/wp-admin

Or

yourdomain.com/wp-login.php

This takes you to the login screen. Enter your administrative username and password, and click Log In.

Once logged in, you will see the admin toolbar running across the top of the screen. It provides quick links to navigate between the dashboard, content, settings, and more.

On the left is the admin menu sidebar. This contains sections like:

  • Dashboard – Admin homepage to see overview of site.
  • Posts – Manage blog posts and other content.
  • Media – Upload and manage media library.
  • Pages – Manage static pages.
  • Comments – Moderate and manage comments.
  • Appearance – Manage themes and other design elements.
  • Plugins – Manage plugins.
  • Users – Manage user accounts and roles.
  • Tools – Import or export content, manage databases, etc.
  • Settings – Manage core configurations and settings.

The admin dashboard is where you control all aspects of your WordPress site.

How to Add a New WordPress Administrator

If you already have the administrator role, you can add other user accounts as admins:

  1. Go to Users > Add New in the WordPress admin dashboard.

  2. Fill in the new user's name, email, username and password.

  3. From the Role dropdown, select Administrator.

  4. Click Add New User.

The new user can now log in and access the admin dashboard with full privileges.

Use caution when adding other administrators, as I mentioned earlier. Every additional admin you create increases the attack surface for hackers.

How to Change Your WordPress Admin Username

If you still have the default admin username created during your WordPress installation, it's highly recommended to change it.

The "admin" username is extremely common and one of the first things hackers will try when attempting to gain access.

The easiest and safest way to change your admin username is to:

  1. Create a new administrator user with your desired username.

  2. Delete the old admin user (be sure to assign their posts to the new user first).

You can also use a plugin like WP Change User Name to change the username directly.

No matter how you do it, choose a secure username that's hard to guess. Avoid names, dictionary words, letter/number sequences, etc. A strong admin username is one of the easiest security wins you can implement.

Comparing Administrator to Other WordPress User Roles

To understand the administrator role better, it helps to compare it against other default user roles in WordPress.

Here is a quick overview of what each role can do:

User Role     | Capabilities
Administrator | Can do everything in WordPress
Editor        | Edit & publish posts, manage categories, moderate comments
Author        | Publish & edit own posts, upload media
Contributor   | Write and edit own posts but cannot publish
Subscriber    | Can only manage their profile

As you can see, the admin role stands far above the others in terms of capabilities.

In most cases, roles like Editor or Author will suffice for your team members or content creators. Reserve the administrator role only for site owners or managers.

Avoiding Admin Role Pitfalls and Risks

Hopefully this article has shed light on properly leveraging the administrator role in WordPress. To summarize, keep these best practices in mind:

  • Only assign the admin role when absolutely necessary. Follow the principle of least privilege.
  • Be extremely selective about who gets admin access, even temporarily.
  • On a single WordPress site, the owner should be the only administrator.
  • On a multisite network, restrict use of the super admin role.
  • Use secure usernames and strong passwords for all admin accounts.
  • Limit admin permissions for support reps, contractors, or clients.
  • Monitor admin activity and be alert for unauthorized changes.

Mistakes with the powerful admin role can lead to hijacked sites, altered content, or deleted data. Treat administrator access with the proper caution!
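
One way to act on the monitoring and least-privilege points above, as an added example that is not part of the original article: a Python check over a WP-CLI `wp user list --format=json` export that flags unapproved, guessable, or surplus administrator accounts. The sample users, the approved-admin list, and the guessable-login list are constructed assumptions.

```python
import json

# Constructed sample shaped like `wp user list --format=json` output (not real data).
SAMPLE_EXPORT = """[
 {"ID": 1, "user_login": "admin", "user_registered": "2019-03-02 10:15:00", "roles": "administrator"},
 {"ID": 7, "user_login": "contractor-dev", "user_registered": "2024-01-18 08:02:11", "roles": "administrator"},
 {"ID": 9, "user_login": "support-temp", "user_registered": "2024-02-03 21:40:57", "roles": "editor,administrator"},
 {"ID": 12, "user_login": "newsdesk", "user_registered": "2021-06-30 14:00:00", "roles": "editor"}
]"""

# Assumption: the logins the site owner has signed off on as administrators.
APPROVED_ADMINS = {"admin"}
# Assumption: a short illustrative list of logins attackers try first.
GUESSABLE_LOGINS = {"admin", "administrator", "root", "test", "wordpress"}


def roles_of(user):
    """Return a user's roles as a set; accepts a comma-separated string or a list."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = roles.split(",")
    return {r.strip().lower() for r in roles if r.strip()}


def audit_admins(export_json, approved, max_admins=1):
    """Return (finding, detail) tuples for administrator accounts in the export."""
    admins = [u for u in json.loads(export_json) if "administrator" in roles_of(u)]
    findings = []
    for user in admins:
        login = user["user_login"]
        if login.lower() in GUESSABLE_LOGINS:
            findings.append(("guessable-username", login))
        if login not in approved:
            findings.append(("unapproved-admin", login))
    if len(admins) > max_admins:
        findings.append(("too-many-admins", str(len(admins))))
    # An approved admin missing from the export may have been demoted or deleted.
    for login in sorted(approved - {u["user_login"] for u in admins}):
        findings.append(("approved-admin-missing", login))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_admins(SAMPLE_EXPORT, APPROVED_ADMINS):
        print(f"{finding}: {detail}")
```

Run on a schedule against a fresh export, any `unapproved-admin` finding is the signal to review before anything else.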

If you have any other questions about managing WordPress administrators, feel free to reach out in the comments. I'm happy to lend my expertise to help you master the admin role.

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years; A-Tech enthusiast who loves to share useful tech hacks.