WordPress user access
When a new WordPress environment is created, a user account will automatically be created for an individual nominated by the customer organization. The user account on a single site will have an Administrator role, and the user account on a multisite will have a Super Admin role.
Users with an Administrator or Super Admin role are responsible for:
- Adding, removing, and managing all other users on that site or multisite.
- Password resets for user accounts and resetting Two-Factor authentication (2FA) for locked out WordPress users.
- Monitoring the Users screen in the WordPress Admin dashboard for users that are flagged by the Inactive Users module in WordPress Security Controls as “Inactive” or “Blocked”. User accounts flagged as “Blocked” can be unblocked, but for accounts flagged as “Inactive” consider assigning a role with fewer capabilities or removing the account from the site entirely, so that a dormant account cannot be taken over and used with its old privileges.
All users who have access to a WordPress site should review and closely follow security best practices.
Note
Notification emails are automatically sent each time a new or existing user is assigned an Administrator or a Super Admin role. The notification emails are sent to the email address that is assigned to an environment’s “Administration Email Address” field.
If notification emails are not being received, verify or update the email address that is currently set for an environment’s “Administration Email Address”. Locate this value in the WordPress Admin dashboard menu: Settings -> Administration Email Address.
Add a user to a WordPress single site
Users with an Administrator role have the capability to add users to their WordPress site through the WordPress Admin dashboard. Users added to a site can be assigned to default WordPress user roles, or customized roles if they exist.
- In the WordPress Admin dashboard, select Users from sidebar menu.
- Select the button labeled “Add New“.
- Fill out the field prompts and select a role to assign to the user.
- Check the option labeled “Send User Notification” to send an email to the user that has a link to set a password.
- If this option is not selected, the user must navigate to the site’s login URL (example.com/wp-admin) and use the password reset feature to generate a password.
- Select the button labeled “Add User“.
User management on a WordPress multisite
On a WordPress multisite, only a user with a Super Admin role has access to all sites as well as the network settings. User access for all other roles is granted per site. A user can review the sites for which they have assigned roles by selecting My Sites in the WordPress Admin toolbar.
The capability to add new users to sites on a WordPress multisite network can be restricted to only users with a Super Admin role. If the Add new users setting in the My Sites > Network Admin > Settings dashboard is disabled, only a Super Admin can add new users to sites on the network.
Prerequisite
Network level settings are only accessible to a user with a Super Admin role.
Add a new user to the multisite network
New users can be added to the multisite network by a user with a Super Admin role.
- In the WordPress Admin toolbar, hover over My Sites > Network Admin > Users and select Users.
- Select the Add New button to add a new user to the network.
- Add a unique Username for the new user, and enter their Email address.
- Select Add User, and a password reset link will be sent to the user via email by default.
Once a user has been added to a multisite network, they can be invited to a site on the network by an Administrator of that site.
Add a new user to a specific site on the network
New users can be added to a site on a multisite network by a user with an Administrator role for that site if:
- The Add new users setting in the My Sites > Network Admin > Settings dashboard is enabled.
- Or, if the new user has already been added to the network by a Super Admin.
To add a new user to a site:
- Select Users from sidebar menu in the WordPress Admin dashboard.
- Select the button labeled “Add New“.
- Complete the form titled Add Existing User if the user already exists on the network.
- Complete the form titled Add New User if the user is new to the network and the Add new users setting is enabled. Add a unique Username for the new user, and enter their Email address.
- Select the button labeled “Add Existing User” or “Add New User”, as appropriate. By default the user is sent an email with a link they must follow to confirm the invitation before the change takes effect.
Super Admin privileges on a WordPress multisite
Great caution should be taken in granting a user Super Admin access to the network. Users with a Super Admin role can change every setting on every site in the network, including the network settings that govern who else can add users, so the role should be limited to the smallest possible set of accounts and each grant reviewed.
Prerequisite
Only an existing Super Admin can grant or remove Super Admin privileges for another user.
Grant a user Super Admin privileges on a WordPress multisite
- Locate the user in the Users list within the Network Admin.
- Hover over the user to reveal and select the Edit link.
- Toggle the option labeled “Grant this user super admin privileges for the Network“.
- Select the button labeled “Update User” at the bottom of the page to save the settings.
Removing a user’s Super Admin privileges will not remove their user account on the network. A user without Super Admin privileges will only have access to sites on the network to which they have been added and assigned a user role.
Delete a Super Admin from a WordPress multisite
A user with Super Admin privileges cannot be removed from the network. If a user with a Super Admin role needs to be removed from a network completely, their Super Admin privileges must first be removed. After saving this change, the user can then be removed from the network.
WordPress user management via WP-CLI
WordPress user accounts can also be managed with WP-CLI, using commands such as wp user and wp super-admin.
WP-CLI commands against a VIP Platform WordPress environment must be run in the command line with VIP-CLI.
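The following POSIX shell script is an added example, not code from the page or from WordPress VIP. It covers the WP-CLI equivalents of the procedures above in one place: creating a single-site user, adding an existing network user to one site, granting and revoking Super Admin, removing a Super Admin in the required order (privileges first, then the account), and auditing which accounts hold Administrator or Super Admin rights against an allowlist. It assumes WP-CLI is reachable through the variable `WP` (the VIP-CLI form `vip @app.env -- wp` is an assumption about VIP-CLI syntax) and that `wp user set-role --url=` run against a subsite records that site's role, which is how per-site membership is stored in WordPress; the function names, the allowlist format and the `audit` entry point are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): WP-CLI equivalents of the user-management steps above.
# Assumes WP-CLI is reachable through "$WP". On the VIP Platform set
#   WP="vip @app.env -- wp"   (VIP-CLI syntax assumed; replace app.env with your app and environment)
# otherwise a plain "wp" with the site in the current directory is used.
WP="${WP:-wp}"

# Single site: create a user with the least-privileged role that fits and email them a password link.
create_site_user() { # usage: create_site_user LOGIN EMAIL ROLE
  $WP user create "$1" "$2" --role="$3" --send-email
}

# Multisite: add an existing network user to one site with a role. --url selects the site.
# Assumed: "wp user set-role" against a subsite writes that site's capabilities, which stores membership.
add_user_to_site() { # usage: add_user_to_site LOGIN ROLE SITE_URL
  $WP user set-role "$1" "$2" --url="$3"
}

# Multisite: grant or revoke Super Admin. Each call is logged to stderr so an audit trail exists
# even when the "Administration Email Address" notification is misconfigured.
grant_super_admin()  { echo "GRANT super-admin to $1" >&2;    $WP super-admin add "$1"; }
revoke_super_admin() { echo "REVOKE super-admin from $1" >&2; $WP super-admin remove "$1"; }

# Remove a Super Admin from the network entirely: privileges first, then the account.
# Their content is reassigned to the user ID in $2 rather than deleted.
delete_super_admin() { # usage: delete_super_admin LOGIN REASSIGN_TO_USER_ID
  revoke_super_admin "$1" && $WP user delete "$1" --network --reassign="$2" --yes
}

# Pure helper (no WP-CLI): print each login in ACTUAL (one per line) that is absent from
# ALLOWED (space-separated). Used by the audit below and testable offline.
unexpected_logins() { # usage: unexpected_logins "ALLOWED..." "ACTUAL"
  allowed="$1"
  printf '%s\n' "$2" | while IFS= read -r login; do
    if [ -n "$login" ]; then
      keep=1
      for a in $allowed; do
        if [ "$a" = "$login" ]; then keep=0; fi
      done
      if [ "$keep" -eq 1 ]; then printf '%s\n' "$login"; fi
    fi
  done
  return 0
}

# Audit: report Administrators and Super Admins that are not on the allowlist; return 1 if any.
audit_privileged() { # usage: audit_privileged "ALLOWED_LOGINS..."
  admins=$($WP user list --role=administrator --field=user_login)
  supers=$($WP super-admin list 2>/dev/null || true)   # empty on a single site
  extra=$(unexpected_logins "$1" "$(printf '%s\n%s' "$admins" "$supers")")
  if [ -n "$extra" ]; then
    printf 'Unexpected privileged accounts:\n%s\n' "$extra" >&2
    return 1
  fi
  echo "All privileged accounts are on the allowlist."
}

# Entry point: ./wp-users.sh audit "alice bob"  (nothing runs when invoked without arguments).
case "${1:-}" in
  audit) audit_privileged "$2" ;;
esac
```

Run the audit from a scheduled job and alert on a non-zero exit: an Administrator or Super Admin that nobody on the team added is exactly the signal the notification email in the Note above is meant to provide, and the script catches it even if that email is going to the wrong address.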
2FA and Jetpack SSO
Two-factor authentication (2FA) and Jetpack SSO are recommended authentication options that are integrated with all WordPress sites on the VIP Platform. All WordPress user accounts should require one of these added security methods for logging in.
If Jetpack SSO is enabled, a user’s WordPress.com user account is used for authentication. In order for this to work, the email address of the user’s account on the WPVIP WordPress site must match the email address of their WordPress.com user account. For heightened security, a user’s WordPress.com account should have 2FA enabled.
Customize password requirements for a WordPress site
To enhance the security of a WordPress application, it is possible to enforce minimum password strength rules for all users by creating a custom plugin in the /client-mu-plugins directory.
This example demonstrates custom code that can be added as a plugin to enforce password strength rules during user registration, profile updates, and password resets. Note that the final character class in the regex only permits letters, digits and the listed symbols, so a password containing a space or any other character is rejected outright; widen that class (for example to .) if users should be able to choose long passphrases, since length contributes more to password strength than the presence of particular symbol types. Also note that registration_errors is a filter, so the callback must return the WP_Error object; the other two hooks are actions and pass different extra arguments, which is why the callback below leaves them untyped.
add_filter( 'registration_errors', 'enforce_password_strength', 10, 3 ); // Filter: the callback must return the WP_Error object.
add_action( 'user_profile_update_errors', 'enforce_password_strength', 10, 3 ); // Action: fires when a profile is updated in the dashboard.
add_action( 'validate_password_reset', 'enforce_password_strength', 10, 2 ); // Action: fires when a password reset form is submitted.

/**
 * Enforces password strength rules during registration, profile updates, and password resets.
 *
 * The three hooks pass different arguments after the WP_Error object
 * (registration_errors: the sanitized login and the email address;
 * user_profile_update_errors: bool $update and a stdClass of submitted data;
 * validate_password_reset: a WP_User or WP_Error), so those arguments are
 * accepted untyped and ignored. Only the WP_Error object is needed, and it is
 * returned so that the registration_errors filter keeps working.
 *
 * @param \WP_Error $errors    The error object to add validation errors to.
 * @param mixed     ...$unused Hook-specific arguments that this check does not need.
 * @return \WP_Error The same error object, with a 'weak_password' error added if the check fails.
 */
function enforce_password_strength( $errors, ...$unused ) {
	if ( ! $errors instanceof \WP_Error ) {
		return $errors; // Defensive: a custom form could pass something unexpected.
	}

	// The new password arrives in the 'pass1' field of all three forms. WordPress slashes $_POST,
	// so unslash it before checking; do not sanitize it, as that would alter the password itself.
	// phpcs:ignore WordPress.Security.NonceVerification.Missing -- the form handler that fires these hooks has already verified its nonce.
	$password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';

	if ( '' === $password ) {
		return $errors; // No password in this request (e.g. a profile update that leaves the password unchanged).
	}

	// The pattern enforces the following rules:
	// - At least one uppercase letter ("(?=.*[A-Z])").
	// - At least one lowercase letter ("(?=.*[a-z])").
	// - At least one digit ("(?=.*\d)").
	// - At least one special character ("(?=.*[@$!%*?&#])").
	// - Minimum length of 8 characters ("{8,}"), drawn only from the characters in the final class.
	$pattern = '/^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[@$!%*?&#])[A-Za-z\d@$!%*?&#]{8,}$/';

	if ( ! preg_match( $pattern, $password ) ) {
		$errors->add(
			'weak_password', // Error code used to identify this specific error.
			__( 'Password must be at least 8 characters long and include at least one uppercase letter, one lowercase letter, one number, and one symbol.', 'your-textdomain' ) // Human-readable error message.
		);
	}

	return $errors;
}
Last updated: August 20, 2025