This article is specifically targeted at users who are either becoming new developers or have just had a website built by someone else. I’m bringing this up because when a user wants to give a developer access to their website, they are often afraid—wondering how to provide access, which username and password to share, or if they should share their main hosting credentials.
Sharing your main hosting login is a major privacy violation and a huge security risk. That is why I wrote this article: to teach users how to create a separate user account specifically for their developer. If they want to grant access, they can create a restricted account, share those credentials safely, and keep their main hosting/admin account secure. I have included screenshots and images in this article to make the entire process easy to understand for everyone.
Last year I received a panicked email from a client at 11 pm on a Friday.
A freelance developer they had hired had finished the project and requested payment. When payment was delayed, the developer changed the admin password, locking the client out of their own site. The site went down. Orders stopped. Weekend revenue gone.
The client had made one specific mistake: they had given the developer full Administrator access instead of creating a separate account with appropriate permissions.
If the developer had been given an Editor account — appropriate for someone building page layouts — they would have had no ability to touch user accounts or change passwords. The client would have retained full control throughout the project.
This is not a rare story. I have seen variations of it more times than I can count. A shared admin login, a contractor with too much access, a disgruntled employee, a compromised account — all preventable with correct user management from the start.
This guide covers how to add users with the right roles, how to change the admin password, and what to do when you are locked out completely.

The Most Common User Management Mistake
Most WordPress site owners handle user management incorrectly in one of two ways:
Sharing the admin login. A developer needs access to the site, so you give them your admin username and password. When the project ends, you change the password. In the meantime, they have full access to everything — user accounts, payment settings, plugin installations, file edits.
Giving everyone Administrator access. Because it seems simpler than figuring out roles. An Administrator can create new admin accounts, install plugins, modify themes, export all user data, and yes, lock other admins out of the site.
The correct approach is always the same: create a new account with exactly the permissions the person needs for their specific role, and nothing more.
Understanding WordPress User Roles Before Adding Anyone
WordPress has five built-in roles. Understanding what each one can and cannot do is the most important part of user management — more important than the technical steps of creating accounts.
Administrator
Can do everything without exception. Install and delete plugins, modify theme files, create and delete user accounts at any role level, export all site data, change site URLs, and delete the entire site.
Give Administrator access only to yourself and any co-owners of the site who you trust with complete, irreversible control. Never give Administrator access to contractors, developers working on specific tasks, writers, or anyone with a temporary relationship to your site.
Editor
Can create, edit, publish, and delete any post or page — including content created by other users. Can manage categories, tags, and comments. Can upload files to the media library.
Editors cannot install plugins, change theme files, add or remove users, or access site settings. This is the appropriate role for a content manager or senior writer who needs to manage other contributors’ content without administrative control.
Author
Can create, edit, publish, and delete only their own posts and pages. Can upload files. Cannot edit other users’ content, manage comments site-wide, or access any admin settings.
The correct role for a regular contributing writer who publishes independently. They handle their own content and nothing else.
Contributor
Can write and edit their own posts but cannot publish them. Every post they submit goes into “Pending Review” status and requires an Editor or Administrator to approve and publish it.
The appropriate role for new writers you are not yet sure about, or anyone whose content needs editorial review before it goes live. Common in publications with editorial standards.
Subscriber
Can log into the site and manage their own profile. Cannot create or edit any content. Cannot access the dashboard’s functional areas.
Used for membership sites where registered users get access to content or features, but are not contributors themselves.
How to Add a New User in WordPress
Go to your WordPress Admin panel. In the left sidebar, click Users then Add New User (or simply Add New depending on your WordPress version).
Username field: Choose this carefully. WordPress does not let you change a username after the account is created — at least not through the dashboard. If you need to change a username later, you have to create a new account and delete the old one. Use something sensible: first name, or first and last name, or a role-based name like “editorial-team.”
Email field: The invitation email goes here. Make sure this is an active email address the person checks — their account confirmation and password setup link both go to this address.
Password: WordPress generates a strong password automatically. Leave it as is and let the system handle it. Sending a computer-generated strong password to the user’s email is more secure than manually setting a simple one.
Send user notification checkbox: Leave this checked. The new user receives an email with their login credentials. If you uncheck it, you need to manually communicate the login details — which typically means sending passwords in plain-text email, which is less secure.
Role dropdown: Select the appropriate role based on the section above. If you are not certain which role is correct, default to the least permissive option that allows the person to do their job. You can always increase permissions later — but you cannot undo damage caused by excessive permissions.
Click Add New User. The account is created and the invitation email is sent.

The Role Assignment Decision — A Practical Reference
| Who Is This Person | Correct Role | Why Not Administrator |
|---|---|---|
| Co-owner or business partner | Administrator | Genuine shared ownership |
| Developer building the site | Administrator (temporary) | Downgrade when project ends |
| Developer maintaining the site | Administrator | Ongoing technical access needed |
| Freelance content writer | Author | Only needs to manage own posts |
| Managing editor | Editor | Needs to manage all content |
| New writer (unverified) | Contributor | Content review before publishing |
| Membership site member | Subscriber | Account access, not content creation |
| Temporary contractor | Lowest sufficient role | Remove account when work is complete |
Changing the WordPress Admin Password — Three Methods
Method 1 — From Your Dashboard (Standard)
This is the correct method for routine password updates when you have dashboard access.
- Log into WordPress Admin
- Click Users in the left sidebar
- Click Your Profile (or hover over your username at the top of the screen and click Edit)
- Scroll to the Account Management section near the bottom of the page
- Click Set New Password
- WordPress generates a strong password automatically — use it, or type your own strong password
- Click Update Profile at the bottom of the page
The password change takes effect immediately. Your current session remains active but any other devices logged in with your old credentials will be logged out.
One thing people miss: You must click Update Profile at the bottom of the page. Clicking Set New Password only populates the field — it does not save the change. I have seen site owners believe they changed their password only to find it unchanged because they did not scroll down and click the final save button.
Method 2 — Resetting via the Login Page
When you cannot log in but have access to your registered email address:
- Go to yoursite.com/wp-login.php
- Click Lost your password? below the login form
- Enter your username or email address
- Click Get New Password
- Check your email for the reset link
- Click the link and set your new password
This method fails when: the email is no longer accessible, when your hosting server is not sending emails correctly, or when the reset email is filtered as spam. If the email does not arrive within five minutes, check your spam folder before assuming it failed.
Method 3 — Emergency Reset via phpMyAdmin (No Email Access)
This is the method for when you are completely locked out — wrong password, inaccessible email, no other admin account on the site. This requires access to your hosting control panel.
Warning: Editing your database directly can break your site if done incorrectly. Follow each step exactly.
- Log into your hosting control panel (cPanel or your host’s custom interface)
- Find phpMyAdmin in the Databases section and open it
- Select your WordPress database from the left sidebar — if you are not sure which one, check your wp-config.php file for the DB_NAME value
- Click on the wp_users table (the prefix may be different if you changed it during installation — look for the table ending in _users)
- Find the row with your username and click Edit
- Find the user_pass column
- In the Function dropdown for that row, select MD5
- In the Value field, type your new password in plain text
- Click Go to save
WordPress stores passwords as MD5 hashes. By selecting MD5 as the function and entering your plain text password, phpMyAdmin hashes it correctly before saving. After saving, return to yoursite.com/wp-login.php and log in with your new password.
After using this method: Immediately go to Users > Your Profile and set a new strong password using Method 1. This generates a proper WordPress password hash, which is more secure than MD5 alone.
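A way to verify that last step actually happened, as an added example that is not code from the article or from WordPress itself: a wp_users export (or the user_pass column viewed in phpMyAdmin) can be checked for the hash format each account is on. A value written with phpMyAdmin's MD5 function is 32 hex characters; WordPress's own hashes start with $P$ (the long-standing phpass format) or, from WordPress 6.8, $wp$2y$ (bcrypt). WordPress accepts the 32-character MD5 form and replaces it with its own hash on the next successful login, so any account still showing an MD5-shaped value after the emergency reset has not logged in yet and should be treated as still on the weak hash. The sample values below are constructed, not real credentials.

```python
import hashlib
import re

# Constructed sample of user_pass values as they might appear in a wp_users export.
# None of these are real credentials; the strings are made up for this example.
SAMPLE_USER_PASS = {
    # WordPress 6.8+ bcrypt form (constructed)
    "owner": "$wp$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    # classic phpass portable hash form (constructed)
    "editor1": "$P$BzQ9vX3k7mN1pR5sT8wY2aD4fG6hJ0k",
    # exactly what phpMyAdmin stores when MD5 is picked in the Function dropdown
    "recovery": hashlib.md5(b"TempPass-2024!").hexdigest(),
}


def classify_hash(user_pass: str) -> str:
    """Name the storage format of a wp_users.user_pass value."""
    if user_pass.startswith("$wp$2y$") or user_pass.startswith("$2y$"):
        return "bcrypt"
    if user_pass.startswith("$P$") or user_pass.startswith("$H$"):
        return "phpass"
    if re.fullmatch(r"[0-9a-f]{32}", user_pass):
        return "md5-legacy"
    return "unknown"


def phpmyadmin_md5(password: str) -> str:
    """Reproduce what selecting MD5 in phpMyAdmin writes for a plain-text password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def accounts_needing_rehash(users: dict) -> list:
    """Logins still on an MD5 (or unrecognised) hash, i.e. not yet logged in since the reset."""
    return sorted(
        login for login, user_pass in users.items()
        if classify_hash(user_pass) in ("md5-legacy", "unknown")
    )


if __name__ == "__main__":
    for login, user_pass in SAMPLE_USER_PASS.items():
        print(f"{login:10s} {classify_hash(user_pass)}")
    print("still on weak hash:", accounts_needing_rehash(SAMPLE_USER_PASS))
```

Run it against the real column after you have logged in and updated the password through Method 1; the recovery account should no longer appear in the "still on weak hash" list.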
Security Configuration After Setting Up Users
These are the steps most user management guides never cover — the configurations that prevent user accounts from becoming your biggest security vulnerability.
Limit login attempts. By default, WordPress allows unlimited login attempts. Automated bots run thousands of username/password combinations against WordPress login pages looking for valid credentials. A plugin like Limit Login Attempts Reloaded blocks an IP address after a set number of failed attempts (typically three to five). This eliminates brute force attacks without affecting legitimate users.
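The pattern that plugin reacts to is visible in the web server's access log, and it is worth being able to spot it yourself when checking whether the limiting is working. The following is an added example, not code from the article or from Limit Login Attempts Reloaded: it reads combined-format log lines, counts POST requests to wp-login.php that came back with HTTP 200 (WordPress re-renders the form on a failed login and redirects with 302 on success), and reports any source address that reaches the failure threshold inside a ten-minute window. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed combined-format access log lines (documentation-range IPs, made-up times).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2025:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2025:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2025:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2025:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.20 - - [12/Mar/2025:02:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2025:02:15:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 25801
192.0.2.9 - - [12/Mar/2025:02:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
192.0.2.9 - - [12/Mar/2025:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def failed_login_sources(log_text: str, max_failures: int = 5,
                         window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each IP that reaches max_failures failed wp-login.php POSTs within `window`
    to the timestamp at which it crossed the threshold (the moment a limiter would block it)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        # Only a 200 response to the login POST is a failed attempt.
        if not (method == "POST" and path == "/wp-login.php" and status == 200):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the sliding window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in failed_login_sources(SAMPLE_LOG).items():
        print(f"{ip} hit the failure threshold at {when:%Y-%m-%d %H:%M:%S}")
```

In the sample, 203.0.113.7 crosses five failures in seven seconds and is reported; 192.0.2.9 fails twice an hour apart and is not, which is the difference between a brute-force run and an ordinary mistyped password.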
Enable two-factor authentication. Two-factor authentication requires a second verification step — typically a code from an authenticator app — in addition to the password. Even if an attacker has your correct username and password, they cannot log in without your phone. Wordfence (free) includes 2FA. Enable it at minimum for all Administrator accounts.
Audit your user list quarterly. Go to Users > All Users and review every account. Remove accounts for contractors whose projects have ended, writers who no longer contribute, and any accounts you do not recognize. An inactive account with a compromised password is an open door — it needs to be closed.
Change the default login URL. yoursite.com/wp-admin is the URL every automated attack targets. The WPS Hide Login plugin (free) lets you change this to any custom path. Bots scanning for wp-admin find nothing. Legitimate users know the new URL. This eliminates the majority of automated login attack volume.
Checking Your Site Health After User Changes
Any time you make significant changes to user accounts — especially Administrator-level changes — run a quick site health check.
Use the WP Skillz Website Technology Detector on your own site after major user or plugin changes. It shows what your site is exposing publicly — plugin names, version numbers, server configuration. After a security incident or account change, this confirms whether any new information has become visible that should not be.
Run the Website Malware Scanner if there was any unauthorized access. When an attacker gains admin access, the first action is typically installing a backdoor — a hidden file that maintains access even after the password is changed. The malware scanner identifies these backdoors with specific file locations so they can be removed completely.
Check the Website Speed Test if performance drops unexpectedly. Malicious plugins or code injected through compromised accounts sometimes include scripts that consume server resources — crypto miners being the most common. A sudden drop in performance without any content or configuration change is a red flag worth investigating.
WordPress User Management Checklist
When adding a new user:
- Correct role assigned — minimum permissions needed for the person’s job
- Strong password used — WordPress-generated or equally complex
- User notification email sent — confirmed they received it
- Username chosen carefully — cannot be easily changed later
When a contractor or contributor leaves:
- Their user account deleted from Users > All Users
- Any passwords they may have known changed
- Their API keys or application passwords revoked if applicable
Quarterly security audit:
- All user accounts reviewed — inactive accounts removed
- All Administrator accounts verified — only appropriate people have this role
- Two-factor authentication active on all admin accounts
- Login attempt limiting confirmed active
After any security incident:
- All admin passwords changed
- Malware scan run — clean result confirmed
- Technology detector run — unexpected plugins or scripts identified
- User account list reviewed for unauthorized additions
Frequently Asked Questions
How do I change a WordPress username? You cannot change a username directly through the dashboard. The correct process: create a new Administrator account with the desired username, log in with the new account, and delete the old account. Any content attributed to the old username (posts, pages) will need to be reassigned during the deletion process — WordPress prompts you to do this.
New users are not receiving invitation emails — why? Your hosting server’s email configuration is likely the cause. Shared hosting email is often flagged as spam or blocked by email providers. Install an SMTP plugin (WP Mail SMTP is free) and configure it with your Gmail, Outlook, or dedicated transactional email account. This routes WordPress emails through a legitimate email service rather than your hosting server.
Is it safe to enable “Anyone can register” in WordPress settings? Only if you set the default new user role to Subscriber. Check Settings > General > New User Default Role. If it is anything above Subscriber, enabling open registration means anyone can create an account with Editor or Author access — or worse. Set it to Subscriber before enabling registration.
Can I have two Administrators on the same site? Yes. Multiple Administrator accounts on the same site is standard practice for sites with co-owners or development teams. The risk is not the number of admin accounts but the appropriateness of who holds them. Every Administrator has full, equal access — choose carefully.
What do I do if I suspect an unauthorized admin account was created? Go to Users > All Users immediately and filter by Administrator role. Any admin account you do not recognize should be deleted immediately. Then change every other admin account’s password. Run the malware scanner to check for backdoors, and contact your hosting provider about any server-level investigation.
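The quarterly review described earlier, the "Anyone can register" check and the search for an unrecognised Administrator are the same three questions asked of the user list, so here is one added script that asks them; it is not code from the article or from WordPress. It takes a snapshot shaped like `wp user list` output together with the two options behind Settings > General (WordPress stores them as users_can_register and default_role) and reports Administrators who are not on your approved list, accounts idle for more than 90 days, and open registration with a default role above Subscriber. The accounts and dates are constructed; the last_login field is not a WordPress core field and is assumed here to come from an activity-logging plugin.

```python
from datetime import date

# Constructed snapshot in the shape of `wp user list` output; logins, roles and dates
# are made up. `last_login` is assumed to be supplied by an activity-logging plugin.
SAMPLE_USERS = [
    {"login": "waseem",      "roles": ["administrator"], "registered": "2023-01-10", "last_login": "2025-03-01"},
    {"login": "partner-ann", "roles": ["administrator"], "registered": "2023-02-02", "last_login": "2025-02-20"},
    {"login": "wp_support1", "roles": ["administrator"], "registered": "2025-03-11", "last_login": "2025-03-11"},
    {"login": "old-dev",     "roles": ["administrator"], "registered": "2024-06-01", "last_login": "2024-08-30"},
    {"login": "writer-bob",  "roles": ["author"],        "registered": "2024-09-15", "last_login": "2025-03-05"},
    {"login": "member-1",    "roles": ["subscriber"],    "registered": "2024-12-01", "last_login": "2024-12-01"},
]

# The people who are supposed to hold Administrator (constructed).
KNOWN_ADMINS = {"waseem", "partner-ann"}

# Constructed values for the two real WordPress option names behind Settings > General.
SAMPLE_SETTINGS = {"users_can_register": "1", "default_role": "editor"}


def unexpected_admins(users: list, known_admins: set) -> list:
    """Administrator accounts that are not on the owner's approved list."""
    return sorted(
        u["login"] for u in users
        if "administrator" in u["roles"] and u["login"] not in known_admins
    )


def stale_accounts(users: list, today_iso: str, max_idle_days: int = 90) -> list:
    """Accounts whose last login is older than max_idle_days: candidates for removal."""
    today = date.fromisoformat(today_iso)
    return sorted(
        u["login"] for u in users
        if (today - date.fromisoformat(u["last_login"])).days > max_idle_days
    )


def registration_findings(settings: dict) -> list:
    """Open registration is only acceptable when new accounts default to Subscriber."""
    findings = []
    if settings.get("users_can_register") == "1" and settings.get("default_role") != "subscriber":
        findings.append(
            f"open registration with default_role={settings.get('default_role')!r}; "
            "set Settings > General > New User Default Role to Subscriber first"
        )
    return findings


def audit(users: list, settings: dict, known_admins: set, today_iso: str) -> dict:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unexpected_admins": unexpected_admins(users, known_admins),
        "stale_accounts": stale_accounts(users, today_iso),
        "registration": registration_findings(settings),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_USERS, SAMPLE_SETTINGS, KNOWN_ADMINS, "2025-03-12").items():
        print(f"{check}: {result}")
```

With the sample data the script names wp_support1 and old-dev as Administrators nobody approved, member-1 and old-dev as idle accounts, and flags the Editor default role; each of those maps directly onto an item in the checklist above.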
Conclusion — Access Control Is Ongoing, Not a One-Time Setup
The client from my opening story eventually regained access to their site. It took a phpMyAdmin password reset, a malware scan to check for backdoors, and two hours of work on a Friday night that should have been spent on something else.
The cause was a single decision made weeks earlier: giving a contractor full Administrator access instead of a role appropriate to the actual task.
WordPress user management takes ten minutes to set up correctly. It takes ten minutes per quarter to audit. Those twenty minutes per year prevent situations that cost hours of emergency work and days of revenue.
Add the right role for each person. Remove accounts when people leave. Enable two-factor authentication on admin accounts. Audit quarterly.
Connect with me on LinkedIn if you are dealing with a specific user management or access situation — particularly if you suspect an account has been compromised.
Waseem Aijaz — WordPress Developer & SEO Specialist, WP Skillz Website Malware Scanner | All Dev Tools | About WP Skillz