Sean Conklin, WooCommerce Developer, support@codedcommerce.com, (818) 835-5960

Who should have Administrator access?

11/08/2021

I often come across sites with questionable WordPress administrator accounts, and I work with clients to reduce that exposure. It is dangerous to hand out full-privilege accounts to anyone besides fully trusted and technically capable vendors and staff. Regular review is recommended, since staff and roles tend to shift over time.

Here’s why admin accounts deserve such careful handling:

  • Every admin password must be strong and not reused anywhere else.
  • Every computer used to reach the admin panel should be up to date, clean and secure; a compromised laptop hands over the logged-in session.
  • Accounts get forgotten; people move on, and revoking website access isn’t always the first priority.
  • Users unfamiliar with plugin vetting, update testing, or code can make a mess or take the site down.

More conservative agencies block filesystem access entirely to everyone but their development team, who deploy changes through version control such as Git. Refer to the DISALLOW_FILE_MODS setting in wp-config.php for details: it disables plugin and theme installation, updating and file editing from the admin portal, and also blocks core updates from the dashboard. This is the safest route, shielding WordPress Administrators from many of the trouble areas. While likely a requirement in enterprise scenarios, smaller businesses can find this approach less empowering and inefficient. It is in effect breaking WordPress features in the name of security.

A lighter setting, DISALLOW_FILE_EDIT, only removes the theme and plugin file editors from the WordPress dashboard; installing and updating from the admin portal still works.
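The two constants side by side in a wp-config.php excerpt, as an added example for this article rather than code from the original post. Both must be defined before wp-settings.php is loaded, which is why they sit above the require_once at the bottom of the file. The comments summarise what each constant turns off in WordPress core.

```php
<?php
// wp-config.php (excerpt). Added example, not part of the original post.
// Both constants must be defined before wp-settings.php is loaded, i.e. above
// the require_once at the bottom of this file.

// Option A, the lighter setting: removes Appearance > Theme File Editor and
// Plugins > Plugin File Editor. Installing and updating plugins, themes and
// core from the dashboard still works.
define( 'DISALLOW_FILE_EDIT', true );

// Option B, the conservative setting used by agencies that deploy through Git:
// blocks installing, updating and deleting plugins and themes from wp-admin,
// blocks core updates from the dashboard, and turns the file editors off too.
// Every code change then has to arrive through the deployment pipeline, so
// only enable it once that pipeline exists.
// define( 'DISALLOW_FILE_MODS', true );

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After changing either constant, log in as an Administrator and confirm the expected menu items (the file editors, or the Add New / Update buttons under Plugins and Themes) have disappeared; if they are still there, the define() was placed after wp-settings.php was loaded.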

Installing and updating plugins and themes is the most dangerous thing Administrators have access to do. Plugins add customization risk and maintenance burden. Themes can involve dependencies and require significant testing before upgrading them. Both tend to throw up all kinds of alerts about available updates, which invites rushed clicks.

User roles and Shop Managers

User roles should be evaluated, and the Shop Manager role used as the standard for all store admins. This role provides access to edit and publish content, manage media, products, orders, and more. I’ll often add capabilities to it to support editing customer accounts as well, though not promoting them. Check out the official blog post for further user role thoughts and recommendations.
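One way to implement that "edit customers but not promote anyone" arrangement, as an added example written for this article (not Coded Commerce's or WooCommerce's own code). It is a must-use plugin for wp-content/mu-plugins/ and assumes WooCommerce's default role slug shop_manager; the list of roles a Shop Manager may touch (customer and subscriber) and the cc_ function name are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Shop Manager customer-account access
 * Description: Lets Shop Managers list and edit customer accounts without being
 *              able to promote anyone. Added example for this article, not
 *              Coded Commerce's or WooCommerce's own code.
 */

// Roles a Shop Manager may assign or edit. Anything outside this list is treated
// as privileged and kept out of reach. (Assumption: customer and subscriber are
// the only roles store staff need to touch.)
function cc_shop_manager_editable_roles() {
	return array( 'customer', 'subscriber' );
}

// Grant the two capabilities WordPress checks before showing Users > All Users
// and the per-user edit screen. WP_Role::add_cap() writes to the database, so the
// loop is guarded to run only once per capability. Assumed role slug: shop_manager.
add_action( 'init', function () {
	$role = get_role( 'shop_manager' );
	if ( ! $role ) {
		return;
	}
	foreach ( array( 'list_users', 'edit_users' ) as $cap ) {
		if ( ! $role->has_cap( $cap ) ) {
			$role->add_cap( $cap );
		}
	}
} );

// 1) Hide privileged roles from the role dropdown for anyone who is not an
//    administrator, so a Shop Manager cannot promote a user (or themselves).
add_filter( 'editable_roles', function ( $roles ) {
	if ( current_user_can( 'manage_options' ) ) {
		return $roles;
	}
	return array_intersect_key( $roles, array_flip( cc_shop_manager_editable_roles() ) );
} );

// 2) Belt and braces: even a hand-crafted request to edit, promote or delete a
//    privileged user is refused at the capability layer, not just in the UI.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	if ( ! in_array( $cap, array( 'edit_user', 'promote_user', 'delete_user' ), true ) ) {
		return $caps;
	}
	// Administrators keep normal behaviour; users may always edit their own profile.
	if ( user_can( $user_id, 'manage_options' ) ) {
		return $caps;
	}
	if ( isset( $args[0] ) && (int) $args[0] === (int) $user_id ) {
		return $caps;
	}
	$target = isset( $args[0] ) ? get_userdata( (int) $args[0] ) : false;
	if ( ! $target ) {
		return $caps;
	}
	foreach ( $target->roles as $target_role ) {
		if ( ! in_array( $target_role, cc_shop_manager_editable_roles(), true ) ) {
			return array( 'do_not_allow' );
		}
	}
	return $caps;
}, 10, 4 );
```

To check it, log in as a Shop Manager: Users > All Users should list customers, the role dropdown on a customer's edit screen should offer only customer and subscriber, and opening an Administrator's edit screen by its ID in the URL should be refused. WooCommerce also ships its own restriction on which roles a shop manager may edit (filterable through woocommerce_shop_manager_editable_roles); the filters above make the policy explicit so it does not depend on that default.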

Coming back to the original question of who should have Administrator access; I recommend this be a select few who are thought of as fully trusted and technically capable. Regular audits will help keep things in check.
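A script that gives those regular audits something concrete to work from, added here as an example for this article rather than code from the original post. It lists every Administrator account with its registration date and the number of browser sessions WordPress still holds for it, and it flags the list when it grows beyond the "select few". It assumes it is run inside WordPress through WP-CLI (wp eval-file admin-audit.php); the threshold of three and the cc_ function name are assumptions for the example.

```php
<?php
// admin-audit.php. Added example for this article, not Coded Commerce's code.
// Run from the site root with WP-CLI:  wp eval-file admin-audit.php
// (Assumption: WP-CLI is available and the site is otherwise healthy.)

// Assumed threshold for "a select few" administrators.
const CC_MAX_ADMINS = 3;

// Returns one row per Administrator account, oldest first.
function cc_list_administrators() {
	$rows = array();
	$users = get_users( array( 'role' => 'administrator', 'orderby' => 'registered' ) );
	foreach ( $users as $user ) {
		// Session tokens WordPress has stored for this user; a non-zero count means
		// at least one browser is still logged in as this administrator.
		$sessions = WP_Session_Tokens::get_instance( $user->ID )->get_all();
		$rows[] = array(
			'ID'         => $user->ID,
			'login'      => $user->user_login,
			'email'      => $user->user_email,
			'registered' => $user->user_registered,
			'sessions'   => count( $sessions ),
		);
	}
	return $rows;
}

$admins = cc_list_administrators();
printf( "%d administrator account(s) on %s\n\n", count( $admins ), home_url() );
printf( "%5s  %-20s %-32s %-19s %s\n", 'ID', 'login', 'email', 'registered', 'sessions' );
foreach ( $admins as $row ) {
	printf(
		"%5d  %-20s %-32s %-19s %d\n",
		$row['ID'],
		$row['login'],
		$row['email'],
		$row['registered'],
		$row['sessions']
	);
}

if ( count( $admins ) > CC_MAX_ADMINS ) {
	printf( "\nReview: more than %d administrators. Demote anyone who is not fully trusted and technically capable to Shop Manager.\n", CC_MAX_ADMINS );
}
```

The one-liner equivalent for the bare list is wp user list --role=administrator; the script adds the session count, which is the quickest way to spot an account nobody remembers but that is still logged in somewhere. Destroying those sessions (wp user session destroy, or the "Log Out Everywhere Else" button on the profile page) is a sensible first step before changing the account's role.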

Copyright © 2018-2022 Coded Commerce, LLC.
Automattic Inc. owns and oversees the trademarks for Woo™ and WooCommerce®.