Manage Users to Improve Your WordPress Website's Security
To improve security, apply the concept of Least Privilege to your WordPress Dashboard, but also to your website host control panels and server transfer protocols. Give someone the required privileges for as long as they need it to perform their job or a task. If a task is completed then reduce the privileges at the completion of the task.
Generate secure passwords
Password management is perhaps the simplest of tasks, yet it’s the Achilles heel of all applications, including both desktop and web-based apps. You can keep your files and data on your web server safe and secure through these simple password-management techniques:
Length: Create passwords that are more than 15 characters — this makes it more difficult for harmful users to guess your password.
Uniqueness: Don’t use the same passwords across all services. If someone does discover the password for one of your applications or services, he won’t be able to use it to log in to another application or service that you manage.
Complexity: A strong password contains a minimum of 8 characters and is made up of upper- and lowercase letters, numbers, and symbols, which makes any password hard to guess.
Limit built-in WordPress user roles
Not all users of your website need administrator privileges. WordPress gives you five user roles to choose from, and those roles provide sufficient flexibility for your websites.
You can discover more information on users and roles in the WordPress.org codex.
Create a separate account with a lower role (such as Author) and use that account for everyday posting. Reserve the Administrator account purely for administration of your website.
Establish WordPress user accountability
The use of generic accounts should be the last thing you ever consider because the more generic accounts you have, the greater your risk of being compromised. If a compromise does happen, you want to have full accountability for all users and be able to quickly answer questions like these:
Who was logged in?
Who made what changes?
What did the users do while logged in?
Generic accounts preclude you from doing appropriate incident handling in the event of a compromise.