This blog post explains the principle of least privilege (POLP) and different user roles in WordPress.
Maintaining a high level of security is an essential part of running a successful WordPress website. Failure to do so may lead to your website being hacked — causing immense damage to your business’s reputation and potentially resulting in lost revenue.
One key component of WordPress security that is often overlooked is user privileges. Privileges are the features that each WordPress user has access to. Accidentally giving low-level users access to the wrong rights can lead to a breach of security or data loss.
The best way to ensure your WordPress privileges are correct is to apply the Principle of Least Privilege (POLP). It is a security principle that is used to make sure that users do not gain access to any functionality that they do not absolutely require.
This guide will take a closer look at how you can apply this principle to WordPress.
The principle is quite simple. It states that a user must be able to access only the information and resources that are absolutely necessary for a legitimate purpose.
When this principle is applied to user account types (administrator, subscriber, author), it means every kind of user account should only be given the privileges that are essential to perform its intended function.
So if you have created an Author role for people writing blog posts, that role should only allow the user to obtain the privileges necessary to be an Author — including viewing, creating, modifying, and deleting their own posts.
It shouldn’t let them have access to other high-level privileges like changing the administrator’s password.
When the principle of least privilege is applied to users, it means that each user should only be assigned the least access possible for the action they need to perform. That means an employee who is going to write blog posts should only be assigned the Author role — not an Administrator role.
The same principle applies to technical matters relating to an application like the permissions of a database user and the application’s file permissions. Users should only have access to the privileges that they absolutely require.
POLP also states that privileges should only be granted for the time the action is necessary. So if you have a guest author who is going to write one blog post for you, remove their Author privileges once they have completed the article. There is no reason why they should retain that role once the action is completed.
The benefits of applying POLP to WordPress include:
Ensuring that users don’t have excessive privileges can help to reduce the risk of attacks from insider threats (disgruntled or malicious employees). They will not have a high level of access so cannot easily delete your blog or steal information.
Applying POLP means that hackers won’t immediately have access to high-level privileges if they manage to hack a user’s account. There is also less risk of users accidentally damaging your web application by clicking the wrong button.
It is simpler to manage users if you have fewer users with high-level privileges. Moving the website and notifying users of the changes that affect them will be easier.
Roles are a handy way to assign privileges to different users. They speed up the process of assigning privileges and prevent users from performing actions they should not have access to. WordPress comes with six predefined roles, each with a predefined set of rights (privileges). They include:
The administrator is the role assigned to the person who installs WordPress. They are granted every privilege and can perform any action.
Administrators can add or remove users, add or remove content, upgrade the blog, change themes, install or remove plugins, moderate comments, and much more.
Super administrators only exist in WordPress multisite installations — where a single WordPress installation is used to run many separate websites.
They have the ability to add or remove administrators, add or remove blogs, rename the network of sites, and change the themes or plugins that administrators can use.
The Editor has a content manager role on WordPress websites. They have the ability to write, edit, and delete posts written by other users.
They can also write, edit, and delete comments written by other people, change categories, read private posts and messages, manage tags, and create custom taxonomies.
The main limitation of the Editor role is that they cannot alter site settings, user roles, themes, and plugins. Because Editors can delete any post on the website, this role should only be given to highly trusted individuals.
An Author has a content creator role on WordPress websites. They can upload files, write, edit, publish and delete their own articles.
They can also change the details in their user account, including their name, avatar, biography, and password. They cannot edit other users' posts and do not have access to higher-level administration functionality.
A Contributor is similar to an author. The critical difference is that they cannot delete their own posts after they have been published. This is a useful role because it prevents disgruntled employees from deleting their work if they are fired.
The subscriber role has very limited capabilities. They are only allowed to create and modify their personal profile and leave comments.
The primary purpose of this role is to make it easier for users to leave comments as they don’t have to sign in all of the time.
One common mistake made by website owners is to give everyone the administrator role. They may see it as the easiest way to let everyone get their work done. Unfortunately, this makes it possible for a disgruntled employee to damage the site and makes the hacking of user accounts much more dangerous.
It also means that users can cause much more damage if they make a mistake in the administration section. Apply POLP by assigning each user a WordPress role that is appropriate for the kind of work they will be performing.
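The role principle described earlier (a guest author who gets a narrow role only while writing, then loses it) and the "everyone is an administrator" audit above, as an added WP-CLI example that is not part of the original post. It assumes the `wp` command is installed and run from the WordPress root; the role key `guest_author` and the user logins are constructed for the example.

```shell
#!/bin/sh
# Least-privilege role management with WP-CLI (example code, not the post's).
# Assumed: `wp` is installed and pointed at the site. The role key, role name
# and user logins are constructed placeholders.
set -eu

# Create a role for one-off guest writers: start from the built-in Author
# role, then strip what a guest writing a single article does not need.
# Without publish_posts an Editor reviews and publishes the piece; without
# delete_published_posts the guest cannot remove it afterwards.
create_guest_author_role() {
  wp role create guest_author "Guest Author" --clone=author
  wp cap remove guest_author publish_posts delete_published_posts
}

# Grant the role only while the article is being written ...
grant_guest_author() {        # $1 = user login
  wp user set-role "$1" guest_author
}

# ... and drop the account to Subscriber (own profile and comments only)
# as soon as the article is done, so the privilege does not outlive its use.
revoke_guest_author() {       # $1 = user login
  wp user set-role "$1" subscriber
}

# Audit: print every account holding the Administrator role. Anything beyond
# the one or two people who actually administer the site is a finding.
list_admins() {
  wp user list --role=administrator --field=user_login
}

# Allow `./roles.sh grant_guest_author alice` style invocation.
if [ "$#" -gt 0 ]; then
  "$@"
fi
```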
POLP principles should also be applied to the database permissions given to the WordPress application itself. Once installed, WordPress should only need the ability to read, write, update, and delete data from the database.
The WordPress database user does not need the permission to add database users, drop databases, change the WordPress database structure and so on.
Here is an article that specifies the privileges needed by the WordPress database user.
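A database account limited to the row-level privileges described above, as an added example that is not from the original post. It assumes the `mysql` client can connect as an administrative account (for instance via `sudo` with socket authentication); the database, user, host and password values are constructed placeholders.

```shell
#!/bin/sh
# Dedicated MySQL/MariaDB account for WordPress (example code, not the post's).
# Assumed: `mysql` connects as an admin account. All names are placeholders.
set -eu

# $1 = database, $2 = user, $3 = client host, $4 = password
# (a password containing a single quote must be escaped for SQL first)
grant_wp_db_user() {
  mysql <<SQL
CREATE USER IF NOT EXISTS '$2'@'$3' IDENTIFIED BY '$4';
-- Start from nothing, in case the account was previously given ALL PRIVILEGES.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '$2'@'$3';
-- Read, write, update and delete rows in the WordPress database only:
-- no CREATE USER, no DROP, no ALTER on the schema, no other databases.
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$1\`.* TO '$2'@'$3';
FLUSH PRIVILEGES;
SQL
}

# Core and plugin updates that add or change tables need schema privileges.
# Grant them only for the update, then run grant_wp_db_user again to shrink
# the account back (the "only for as long as needed" half of POLP).
grant_wp_db_schema_changes() {   # $1 = database, $2 = user, $3 = client host
  mysql <<SQL
GRANT CREATE, ALTER, DROP, INDEX ON \`$1\`.* TO '$2'@'$3';
FLUSH PRIVILEGES;
SQL
}

if [ "$#" -gt 0 ]; then
  "$@"
fi
```

The REVOKE line is what makes this safe to re-run on an existing account: it resets whatever was granted earlier before the narrow grant is applied.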
The server permissions relating to WordPress files and directories should also be restricted. This is achieved at the server level. It prevents certain types of malicious attacks including malicious file inclusions.
WordPress has created a guide on hardening WordPress, which includes information on the correct file permissions.
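The file and directory permissions from that guide applied and then verified, as an added example that is not from the original post or the guide. It assumes a Linux host where the web server runs in the group that owns the files (so `wp-config.php` stays readable at 440); if the PHP process is the file owner itself, 400 is tighter still.

```shell
#!/bin/sh
# Apply and check least-privilege file permissions on a WordPress install
# (example code, not the post's). Assumed: files are owned by the deploy
# user and the web server runs in that user's group.
set -eu

# $1 = WordPress root. Directories 755 (rwxr-xr-x), files 644 (rw-r--r--),
# wp-config.php 440 because it holds database credentials and salts.
harden_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# $1 = WordPress root. Prints the number of entries that deviate from the
# policy above; 0 means clean. Suitable for a cron job or a deploy check.
check_wp_perms() {
  root=$1
  find "$root" \
    \( -type d ! -perm 755 \) -o \
    \( -type f ! -name wp-config.php ! -perm 644 \) -o \
    \( -type f -name wp-config.php ! -perm 440 \) \
    | wc -l | tr -d ' '
}

if [ "$#" -gt 0 ]; then
  "$@"
fi
```

Run `check_wp_perms` after every deploy or plugin update: those are the moments when a world-writable upload directory or an executable dropped into `wp-content` tends to appear.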
There may be situations where you require multiple administrators with a high level of access. However, the person who founded the site may still need to limit access to the sensitive data and functionality found in plugins.
Fortunately, plugins that use sensitive data can usually be configured to exclude specific users, including administrators.
Most WordPress websites are set up with File Transfer Protocol (FTP) access. This allows users to upload files directly to the server.
FTP supports user roles so you can exclude users from uploading to specific directories in compliance with POLP.