WordPress security: 6 common security problems and solutions presented

In the table you can see that critical core functions of WordPress, such as installing plugins or WordPress updates, are reserved for administrators. Conversely, this also means that a lot of damage can also be caused with every user account that you grant admin rights to.

Also keep in mind that the damage does not even have to be deliberately caused by an employee. More often it happens that someone accidentally clicks once too many (e.g. plugin deactivated / deleted). Or even worse: the accounts will chopped and all rights can be used by the attacker.

Therefore it is advisable always to grant only as many rights as necessary. For example, do you have an employee who is solely responsible for creating blog posts? Just give him author rights. Also, make sure you use strong passwords when creating accounts, since WordPress is just as vulnerable to brute force attacks as any web application.

If the default WordPress rights are too inflexible for you, there is always the option of using plugins such as User Role Editor to better restrict individual roles or to create more.