WHA Docs
Content

Users & Access

Who can do what in wp-admin — accounts, roles, login protection and offboarding.

What someone can do in wp-admin is set by their WordPress role. Access is least-privilege: people get the role that matches their job, nothing more.

Getting an account

An administrator creates accounts in Users → Add New and assigns a role. To request access for a new editor, or a role change, contact the developer or a site administrator (see Contacts).

Roles

WHA uses WordPress's standard roles. The ones that matter for the content team:

RoleUse it forCan
EditorContent editors and marketersCreate, edit and publish all content; manage media
AuthorLimited contributorsCreate and publish their own posts only
AdministratorSite managementEverything, including users and settings

Give content editors Editor, not Administrator. Reserve Administrator for the few people who manage the site itself.

Even administrators can't edit theme or plugin code from wp-admin — in-admin file editing and plugin installs are disabled site-wide. Code changes go through version control. See Editing Basics.

Login and security

  • wp-admin is at /wp/wp-admin/ and login at /wp/wp-login.php (note the /wp/ prefix).
  • The login page is protected at the edge by a Cloudflare Managed Challenge, and public forms by Turnstile. Application hardening and IP controls add another layer. See Security.
  • Use a strong, unique password for every account. If you want an extra factor (2FA), it can be added at the WordPress level — ask the developer.

Switching users

The User Switching plugin lets an administrator temporarily become another user to reproduce an issue or check what a given role sees, then switch back. It's a support and QA tool, not a way to share accounts — everyone who works in the site should have their own login.

Visitor roles are different

The patient/provider roles in the protected-content system gate what site visitors see on the front end. They're unrelated to wp-admin access: a visitor role never grants editing rights.

Offboarding

When someone leaves or changes jobs, downgrade or remove their account promptly. WordPress will offer to reassign their content to another user when you delete the account — do that rather than losing the posts.

On this page