Users & Access
Who can do what in wp-admin — accounts, roles, login protection and offboarding.
What someone can do in wp-admin is set by their WordPress role. Access is least-privilege: people get the role that matches their job, nothing more.
Getting an account
An administrator creates accounts in Users → Add New and assigns a role. To request access for a new editor, or a role change, contact the developer or a site administrator (see Contacts).
Roles
WHA uses WordPress's standard roles. The ones that matter for the content team:
| Role | Use it for | Can |
|---|---|---|
| Editor | Content editors and marketers | Create, edit and publish all content; manage media |
| Author | Limited contributors | Create and publish their own posts only |
| Administrator | Site management | Everything, including users and settings |
Give content editors Editor, not Administrator. Reserve Administrator for the few people who manage the site itself.
Even administrators can't edit theme or plugin code from wp-admin — in-admin file editing and plugin installs are disabled site-wide. Code changes go through version control. See Editing Basics.
Login and security
- wp-admin is at
/wp/wp-admin/and login at/wp/wp-login.php(note the/wp/prefix). - The login page is protected at the edge by a Cloudflare Managed Challenge, and public forms by Turnstile. Application hardening and IP controls add another layer. See Security.
- Use a strong, unique password for every account. If you want an extra factor (2FA), it can be added at the WordPress level — ask the developer.
Switching users
The User Switching plugin lets an administrator temporarily become another user to reproduce an issue or check what a given role sees, then switch back. It's a support and QA tool, not a way to share accounts — everyone who works in the site should have their own login.
Visitor roles are different
The patient/provider roles in the protected-content system gate what site visitors see on the front end. They're unrelated to wp-admin access: a visitor role never grants editing rights.
Offboarding
When someone leaves or changes jobs, downgrade or remove their account promptly. WordPress will offer to reassign their content to another user when you delete the account — do that rather than losing the posts.