Besides manually creating users, there is another way that user accounts are created on your website. Unfortunately, many website owners don’t realize this.
In the settings of your CMS admin interface, you can enable the option for “anyone can register”. This allows visitors to create new accounts with subscriber-level access. When “anyone can register” is enabled, your list of users may get long and you may encounter spam accounts being created. This setting is off by default. Don’t enable it unless you specifically need your site visitors to be able to register themselves.
New User Passwords
Your website security depends on all user accounts remaining secure. When creating a new user, your CMS will assign a password to the user automatically. You can also choose to manually specify a password.
We recommend you allow your system to choose the password for you. The current version uses a random sequence of upper and lower case letters, numbers and symbols and generates a password of approximately 16 characters in length. This is a very strong password.
When your website automatically assigns a password, the system sends an email to your new user’s email address as you create the account. The email includes a “password reset” link that brings the new user to the site and gives them the option to choose the strong password created by your website, or to specify their own password.
This method of user creation is secure and provides your new site members with strong passwords. We don’t recommend that you manually assign them passwords based on English words. These passwords are easier to guess and to crack.
User Access Levels
Your CMS uses the concept of “roles” to assign security access levels to site members. This is helpful because the security level you have access to reflects the role you play within your organization.
When assigning security roles to your users, it may be tempting to give them higher levels of access “just in case”. Don’t do this. In information security, it is good practice to provide the minimum level of access needed for a user to fulfill their duties. If they need more access, let them ask you for the access required. That way you ensure that people don’t have a higher level of access than they need.
This principle of granting the minimum access required to perform a user’s duties is called the “Principle of Least Privilege” or the “Principle of Least Authority”. It is a well-established principle in information security theory that provides a more secure environment by not granting access where access is not required.
This is a brief summary of roles within your website and what each role allows you to do or have access to:
- Super Admin – A user with super admin access can do everything on your website. This is the highest level of access. On a multi-site installation where a single installation manages many sub-sites, a super admin has access to the Network Administration Panel which allows them to administer all sites. You should only have one or two super admins on a site.
- Administrator – On a single-site installation (which describes most websites) the administrator role is the same as super admin. It gives a user access to everything. On a multi-site installation, the administrator has admin access to a single site whereas super admin provides access to the network admin panel. As with super admin, administrator roles should only be assigned to one or two administrators who absolutely need this access level.
- Editor – An Editor can publish posts and pages and can also manage posts and pages published by other authors. They have the ability to create and save draft posts and pages and also publish.
- Author – An author can publish their own posts and pages, but cannot manage or publish posts or pages belonging to others.
- Contributor – With Contributor access, a user can create draft posts and pages but cannot publish them. This is a useful role for guest posters on your site. You can give a guest poster Contributor access, they can create a draft, and you can then review the post with a higher level of access and publish it when you are ready.
- Subscriber – This is the role with the lowest access level. When you have “Anyone can register” enabled under the settings, new users that register will have Subscriber level access. A subscriber can manage their own profile and they can also post comments (if you have comments enabled) as a signed-in user.
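The role list above can be turned into a least-privilege check. The following is an added example, not code from any CMS: it assumes a single-site installation, that each role inherits the abilities of the roles below it, and that you have recorded what each user actually needs to do; the action names, the `needs` field and the user list are hypothetical and constructed for illustration.

```python
# Roles from lowest to highest access, with the abilities the article gives
# each one. Action names are hypothetical labels made up for this example.
ROLES = [
    ("subscriber", {"edit_own_profile", "comment"}),
    ("contributor", {"create_draft"}),
    ("author", {"publish_own"}),
    ("editor", {"publish_others", "manage_others"}),
    ("administrator", {"site_admin"}),
]
MAX_ADMINS = 2  # the article advises only one or two administrators


def capabilities(role):
    """All actions open to `role`, assuming it inherits from lower roles."""
    caps = set()
    for name, own in ROLES:
        caps |= own
        if name == role:
            return caps
    raise ValueError(f"unknown role: {role}")


def minimum_role(needed):
    """Lowest role whose capabilities cover every needed action."""
    for name, _ in ROLES:
        if set(needed) <= capabilities(name):
            return name
    raise ValueError(f"no role grants: {sorted(needed)}")


def audit(users):
    """Return over-privileged users and whether there are too many admins."""
    rank = {name: i for i, (name, _) in enumerate(ROLES)}
    findings = []
    for u in users:
        suggested = minimum_role(u["needs"])
        if rank[u["role"]] > rank[suggested]:
            findings.append((u["name"], u["role"], suggested))
    admins = sum(1 for u in users if u["role"] == "administrator")
    return findings, admins > MAX_ADMINS


# Constructed sample data, not taken from a real site.
USERS = [
    {"name": "alice", "role": "administrator", "needs": {"site_admin"}},
    {"name": "bob", "role": "administrator", "needs": {"publish_own", "create_draft"}},
    {"name": "carol", "role": "administrator", "needs": {"site_admin"}},
    {"name": "dave", "role": "administrator", "needs": {"publish_others"}},
    {"name": "erin", "role": "editor", "needs": {"create_draft"}},
    {"name": "guest", "role": "contributor", "needs": {"create_draft"}},
]

if __name__ == "__main__":
    print(audit(USERS))
```

Each finding lists the user, the role they hold and the lowest role that would still cover their duties; the second value is true when the site has more than two administrators.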