This post originally appeared on the Get Polished blog, but I relocated it here after Get Polished closed its doors in September 2017.
Today, I’m talking about a topic that many business owners find frightening: WordPress website security. There are a lot of misconceptions and bad practices floating around the web concerning WordPress—that’s one of the reasons so many WordPress sites end up hacked—and I’m tackling one of them over on the Get Polished blog this week. In this guest post, I explain what to do if you find yourself needing to allow someone access to your Dashboard. Make sure you follow the procedures in this post instead of giving a stranger your username and password!
You knew this day would come eventually.
So far, you’ve been able to figure things out on your WordPress website without much help. But today, no dice: you’re stumped. You know you need to bring in someone with more experience to check out the particular problem you’ve encountered. Luckily, you’ve found someone willing to take a look, but they need access to your WordPress Dashboard.
To be honest, the thought of handing over the keys to your website kingdom is more than a little scary. You feel stuck between a rock and a hard place — on one hand, you know you need the help, but on the other hand, you’re not sure you can fully trust the person who offered to assist you.
If you’ve been in this difficult situation before or you’re agonizing over it now, I’ve got good news for you. There’s a way that you can get help from a virtual stranger while protecting your WordPress site.
How, you ask?
By creating a temporary user account.
Why you should create temporary user accounts when getting help with your WordPress website
There are a few reasons why creating a temporary user account is considered the most secure way to give someone access to your website:
- You don’t have to give out any of your own account information. Your username and password can remain a secret. This ensures not only that your website remains secure, but that your accounts on other sites and services can’t be accessed if you reuse passwords (which you shouldn’t, even if the password is strong).
- You can restrict the temporary user’s privileges. If the person offering to help you doesn’t need administrator privileges, you can choose a different Role for their temporary user account. WordPress has five built-in user roles for normal installations. If you’re unfamiliar with the various roles, WPBeginner has a handy infographic explaining the differences between each of these roles in a simple way. Choose the role with the fewest permissions necessary for the person helping you to accomplish what they need to do.
  If the temporary user truly needs administrator-level privileges—this is often the case when you’re reaching out for support with a theme or plugin—you can use a solution like User Role Editor to create a new role with the permissions they need, minus the abilities to add, delete, or change users/roles/capabilities. That ensures they won’t be able to remove you as the site administrator.
- You can revoke their access at any time. If you’ve correctly set roles and capabilities for the temporary user, you’ll be able to revoke their access to your site at any time. No worrying about a random user account with access to critical site elements floating around once their business is finished: just delete the account and close that security loophole!
How to create a temporary user account to get help with your WordPress website
It’s a simple process that you can complete in just a couple of minutes:
- Open up your WordPress Dashboard. Under “Users” in the left-hand column, click “Add New.”
- Fill out the user creation form with their information, making sure to select the appropriate role for the new user. If you leave the Send User Notification checkbox selected, a message will be sent to the email address you entered for the user with a link to set their password. Otherwise, be sure to save the password (click “Show Password” and copy it) and pass it along to the person helping you.
- If you need a specialized role, assign the user a low-level role like Subscriber initially. Then, install the User Role Editor plugin and create a new role with the correct permissions. You can then go to Users > All Users and change the new account’s role to the role you just created.
What to do once you’ve gotten help
After you’re done receiving help from support staff or random internet Good Samaritans, you can remove the temporary user account you created. Then, you can rest assured that no one will be able to wreak havoc on your site via that account.
To remove their temporary account:
- Open up your WordPress Dashboard. Under “Users” in the left-hand column, click “All Users”.
- Hover over the username of the temporary account. A “Delete” link should appear underneath the name in red text. Click the “Delete” link.
- You may see a page asking you to confirm the user you’d like to delete. Click “Confirm Deletion” to continue. If the user was removed successfully, you’ll see a “User deleted.” success message on the following page.
- (Optional) If you created a new role specifically for this temporary user account, use User Role Editor to delete it as well.
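Both procedures above (creating the account with a restricted role, then removing the account and its role) can also be scripted. This is an added example, not code from the original post; it assumes a single-site install, and the role key `temp_support`, the function names and the login/email arguments are hypothetical.

```php
<?php
// Added example, not from the original post. Run inside WordPress, e.g. with
// `wp eval-file` or from a must-use plugin. Role key and arguments are hypothetical.
const SUPPORT_ROLE = 'temp_support'; // hypothetical role key

// Core capabilities that let an account add, delete or change users.
const USER_MGMT_CAPS = array(
    'create_users', 'delete_users', 'edit_users',
    'list_users', 'promote_users', 'remove_users',
);

function create_temp_support_account( $login, $email ) {
    $admin = get_role( 'administrator' );
    if ( null === $admin ) {
        return new WP_Error( 'no_admin_role', 'Administrator role not found.' );
    }
    // Copy Administrator's capabilities, then drop the user-management ones.
    $caps = array_diff_key( $admin->capabilities, array_flip( USER_MGMT_CAPS ) );
    if ( null === get_role( SUPPORT_ROLE ) ) {
        add_role( SUPPORT_ROLE, 'Temporary Support', $caps );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 32 ), // never shared; the emailed link sets the real one
        'role'       => SUPPORT_ROLE,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Same effect as leaving "Send User Notification" ticked.
    wp_new_user_notification( $user_id, null, 'user' );
    return $user_id;
}

function remove_temp_support_account( $login, $reassign_to_id ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $user = get_user_by( 'login', $login );
    // Refuse to delete anything that is not a temporary support account.
    if ( ! $user || ! in_array( SUPPORT_ROLE, (array) $user->roles, true ) ) {
        return false;
    }
    $deleted = wp_delete_user( $user->ID, $reassign_to_id );
    // Remove the custom role once no account uses it any more.
    if ( $deleted && ! get_users( array( 'role' => SUPPORT_ROLE, 'number' => 1 ) ) ) {
        remove_role( SUPPORT_ROLE );
    }
    return $deleted;
}
```

The role created here still carries Administrator's plugin and theme capabilities (such as `install_plugins` and `edit_plugins`), which allow running PHP on the site, so add those to the removal list whenever the support task does not need them.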
It’s really that simple! It only takes a few extra minutes to set up and remove the temporary account, and it reduces your chance of getting hacked by the person claiming to help. I recommend that all clients and customers seeking support from me create temporary accounts.
Spill the beans – do you feel safer when you create a temporary account for support staff or others who offer to help you with your WordPress site? I’d love to hear what you think in the comments. 😉