What user roles should I give my team?
When you add your team to your website so they can make changes, consider the level of access that they need.
In this article, we'll look at the built-in roles and our custom Power User role, what each can do, and best practice for site owners. We have also included information about how the Fortress WordPress security system affects each user level.
Administrator
Somebody who has access to all the administration features within a single site.
Assign this role with caution.
Who should be an Administrator?
- Your web developer / team, as they will need to manage settings and more for you
- People with a technical understanding of all the WordPress functions
- The site owner (but not for normal day-to-day use)
Administrator Capabilities
Nearly everything. Sheer destructive and creative power.
Read more: WordPress details on Administrator capabilities
Restricted Capabilities
What capabilities are restricted when Reduced Permissions is enforced?
- View plugins - other actions restricted by Code Freeze
- View themes - other actions restricted by Code Freeze
- View / Add / Delete / Promote Users
- Delete Posts / Pages / Custom Post types
- Manage Categories
- Delete media
- Import / Export
- Manage Settings / Options
- WordPress Core Updates / Site Health
Fortress Security information
Two factor authentication: Required
Password reset by email: Disabled - must be done by contacting SixFive
Elevated permissions: 10 minutes (you will see the Reduced Permissions in the toolbar)
Session rotation: 20 minutes (generally invisible to you as a user)
Idle/No activity logout: 30 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
Power User
Somebody who has access to most of the administration features within a single site, but not Plugins / Themes and other high risk areas.
Who should be a Power User?
- Senior users of your website who need more access than Editors to administer the site (more than just content)
- The site owner for normal day-to-day use
Power User Capabilities
Wide ranging rights similar to an Administrator. No access to the high risk areas:
- Plugins
- Themes
- Users
Restricted Capabilities
What capabilities are restricted when Reduced Permissions is enforced?
- Delete Posts / Pages / Custom Post types
- Manage Categories
- Delete media
- Import / Export
- Manage Settings / Options
- WordPress Core Updates / Site Health
Fortress Security information
Two factor authentication: Required
Password reset by email: Disabled - must be done by contacting SixFive
Elevated permissions: 10 minutes (you will see the Reduced Permissions in the toolbar)
Session rotation: 60 minutes (generally invisible to you as a user)
Idle/No activity logout: 120 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
Editors
Somebody who can publish and manage posts, pages and other content on the website, including the posts of other users.
Who should be an Editor?
Most users should be editors on your website. They will be the ones managing content on the site, adding new information, editing existing content and uploading media.
Editor Capabilities
All content related functions to add and edit new pages and posts, plus edit those created by other users.
Read more: WordPress details on Editor capabilities
Restricted Capabilities
What capabilities are restricted when Reduced Permissions is enforced?
- Deleting posts
- Deleting media
Fortress Security information
Two factor authentication: Required
Password reset by email: Disabled - must be done by contacting SixFive
Elevated permissions: 10 minutes (you will see the Reduced Permissions in the toolbar)
Session rotation: 240 minutes (generally invisible to you as a user)
Idle/No activity logout: 180 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
Authors
Somebody who can publish and manage their own posts.
Who should be an Author?
Your content managers and writers should be authors on your website.
Author Capabilities
Add new pages and posts, plus edit only their own authored posts.
Cannot delete content.
Read more: WordPress details on Author capabilities
Fortress Security information
Two factor authentication: Not Enforced
Password reset by email: Works, by email
Session rotation: 20 minutes (generally invisible to you as a user)
Idle/No activity logout: 30 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
Contributors
Somebody who can write and manage their own posts but cannot publish them.
Who should be a Contributor?
Contributors suit situations where someone writes articles for you but does not control the editorial calendar; your Editor then reviews and schedules the post.
Contributor Capabilities
Add new posts, plus edit or delete only their own authored posts.
Cannot delete content.
Read more: WordPress details on Contributor capabilities
Fortress Security information
Two factor authentication: Not Enforced
Password reset by email: Works, by email
Session rotation: 20 minutes (generally invisible to you as a user)
Idle/No activity logout: 30 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
Subscribers
Subscribers are usually your site users. They can do nothing on the site other than manage their own profile.
Who should be a Subscriber?
Your customers and visitors of your site, if a login / registration is required.
Subscriber Capabilities
Manage their profile.
Read more: WordPress details on Subscriber capabilities
Fortress Security information
Two factor authentication: Not Enforced or Required; we can implement this on your site where required (e.g. an ecommerce site)
Password reset by email: Works, by email
Session rotation: 20 minutes (generally invisible to you as a user)
Idle/No activity logout: 30 minutes (you will see a WordPress login covering your screen)
Full logout: 12 hours (you will see a WordPress login covering your screen)
The WordPress Login Modal
When you see this overlaying your page, you have either been idle on the site without interaction, or your absolute timeout has been reached. Simply log in and you can continue your work.