Creating Safe WordPress Admin Accounts for New Team Members

Learn how to safely create, configure, and hand off WordPress admin accounts for new team members without weakening your site’s security.

Why Safe Admin Accounts Matter

When you add a new administrator to your WordPress site, you’re effectively handing them the keys to the entire website. A rushed or informal setup (like sharing a single login) makes it easier for attackers to guess passwords, reuse stolen credentials, or abuse access if someone leaves the team unexpectedly. Strong, unique accounts with the right settings dramatically reduce those risks while keeping your workflow smooth.

Before You Add a New Admin

1. Confirm They Really Need Administrator Access

Only give Administrator access to people who truly need full control (settings, plugins, users, etc.). Many collaborators can safely work as Editors or Authors instead. WordPress roles are designed so each role has specific capabilities and limits, which helps you follow the principle of least privilege.

  • Administrator: Full control over the site, including plugins, themes, and users.
  • Editor: Manage and publish any content, but not site-wide settings.
  • Author: Write and publish their own posts.
  • Contributor: Write drafts, but cannot publish.
  • Subscriber: Read content and manage their profile.

2. Decide on a Naming Pattern

Use professional, individual accounts instead of shared logins like admin or office. A simple pattern keeps things clear:

  • first.last (e.g., alex.smith)
  • first-initial-lastname (e.g., asmith)

This makes it easier to audit activity and disable the right account if someone leaves.

3. Prepare a Strong Password and 2FA Plan

Plan to use a long, unique password (or passphrase) for each new admin account. Modern guidance emphasizes length (15+ characters) and uniqueness over frequent password changes. Password managers and passphrases make this easier to manage in practice.

  • Aim for at least 15–16 characters.
  • Use a mix of words or random characters that are not reused on any other account.
  • Plan to store it in a reputable password manager, not in email or chat history.

Step-by-Step: Create a New Admin Account

1. Log In as an Existing Administrator

Sign in using your own administrator account. Never create new admins from a lower role.

2. Open the Add New User Screen

In your WordPress dashboard:

  • Go to Dashboard → Users → Add New.

This screen lets you create a new user with a specific role and login details.

3. Fill In the User Details Safely

  • Username (required): Use your agreed naming pattern (for example, alex.smith). Avoid generic names like admin or test.
  • Email (required): Enter their work email address, not a shared inbox.
  • First Name / Last Name: Fill these in so you can easily identify the user later.
  • Website (optional): You can leave this blank unless you have a reason to use it.

4. Generate and Check the Password

In the Password section:

  • Click Generate Password to let WordPress create a strong random password.
  • Optionally replace it with a long passphrase that your password manager generates.
  • Make sure the strength indicator shows Strong before you continue.

Do not reuse a password from any other system. Long, random, unique passwords are much harder for attackers to guess or crack, especially in brute-force and credential-stuffing attacks.

5. Choose the Correct Role

In the Role dropdown:

  • Select Administrator only if this person truly needs full access.
  • Otherwise, choose Editor or another lower role that matches their responsibilities.

You can always raise their role later if needed; lowering risk up front is easier than cleaning up after a mistake.

6. Decide How to Deliver the Credentials

Below the password field, you may see an option like Send the new user an email about their account. Even if you use this, avoid sending the actual password in plain text over email or chat whenever possible.

Safer options include:

  • Share a one-time password through your password manager’s secure sharing feature.
  • Provide a temporary password and require them to change it immediately after first login.

7. Click “Add New User”

When everything looks correct, click Add New User. WordPress will save the account and, if enabled, send a notification email to the new admin.

What You Should See

  • A success message at the top of the screen confirming the user was created.
  • On Dashboard → Users → All Users, the new account should appear with the correct username, name, email, and role.
  • If you log out and log in as the new user, you should see full admin menus (for Administrators) or a limited set (for Editors and below).

After Creation: Secure the New Admin Account

1. Require a Password Manager

Encourage or require your admins to store their credentials in a reputable password manager. This makes it realistic to maintain long, random, unique passwords for every account and reduces the temptation to reuse weak passwords.

2. Enable Two-Factor Authentication (2FA)

If your site uses a security plugin or service that supports 2FA, walk the new admin through setting it up right away. App-based or hardware-key 2FA is significantly stronger than passwords alone and helps protect accounts even if a password is stolen.

  • Install and configure your chosen 2FA plugin (if Compass Production hasn’t already).
  • Have the user scan the QR code with an authenticator app.
  • Test logging out and back in using their new 2FA code.

3. Verify Contact and Recovery Details

Ask the new admin to check their profile under Users → Profile:

  • Confirm their email address is correct and monitored.
  • Update their display name to something recognizable (e.g., full name).
  • Review any notification or profile settings your site relies on.

Ongoing Hygiene for Admin Accounts

1. Review Admins Regularly

At least quarterly, review Users → All Users and confirm:

  • Every Administrator is still active and needs that level of access.
  • Former staff or vendors have had their accounts removed or downgraded.
  • No generic or unknown admin usernames exist.
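
One way to script this quarterly review, as an added example that is not part of the original guide: it reads a WP-CLI export (`wp user list --role=administrator --fields=user_login,user_email,display_name --format=csv`) and flags Administrator accounts that need follow-up. The sample export, the approved roster, and the generic-name and shared-inbox lists are constructed assumptions for illustration.

```python
import csv
import io
import re

# Constructed sample in the shape of the WP-CLI CSV export (not real accounts).
SAMPLE_EXPORT = """user_login,user_email,display_name
alex.smith,alex.smith@example.com,Alex Smith
jdoe,office@example.com,Jamie Doe
admin,webmaster@example.com,admin
jordan.lee,jordan.lee@example.com,Jordan Lee
wp_support1,vendor@example.net,Support
"""

# Assumptions for this example: who should hold Administrator today, and
# which logins and mailboxes count as generic or shared.
APPROVED_ADMINS = {"alex.smith", "jdoe"}
GENERIC_LOGINS = {"admin", "administrator", "test", "office", "root", "user"}
SHARED_MAILBOXES = {"office", "info", "admin", "webmaster", "support"}

# Naming patterns from this guide: first.last (alex.smith) or asmith.
NAME_PATTERN = re.compile(r"^[a-z]+(?:\.[a-z]+)?$")


def review_admins(export_csv, approved=APPROVED_ADMINS):
    """Return {login: [findings]} for every Administrator needing follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        mailbox = row["user_email"].strip().lower().split("@")[0]
        issues = []
        if login.lower() in GENERIC_LOGINS:
            issues.append("generic or shared username")
        elif not NAME_PATTERN.match(login):
            issues.append("username does not follow the naming pattern")
        if login not in approved:
            issues.append("not on the approved admin roster: remove or downgrade")
        if mailbox in SHARED_MAILBOXES:
            issues.append("email looks like a shared inbox")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in review_admins(SAMPLE_EXPORT).items():
        print(f"{login}: " + "; ".join(issues))
```

An empty result means every Administrator is on the roster, individually named, and tied to a personal work email.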

2. Offboard Safely When Someone Leaves

When a team member with admin access leaves your organization:

  • Immediately change their role to Subscriber or delete the account and reassign their content.
  • Review any integrations, API keys, or external tools they had access to.
  • Update any shared secrets or passwords they might have known.

3. Avoid Shared Admin Logins

Each person should have their own account. Shared logins make it impossible to see who did what, and they encourage unsafe practices like emailing passwords around. If multiple people need admin access, create separate accounts for each of them.

How Compass Production Fits Into This

During your project, Compass Production will typically maintain a secure technical admin account for build and maintenance work. We’ll help you:

  • Decide who truly needs Administrator vs. Editor access.
  • Set up accounts following the steps above.
  • Configure 2FA and password practices that match your organization’s policies.

Handled this way, adding new WordPress admins becomes a safe, repeatable process instead of a security risk.
