Author Archives: Mary

What WordPress Editors can’t do (that Admins can)

I thought it would be helpful to outline what WordPress Editors can’t do that admins can. I see a tendency among our clients to assign the highest user role possible when creating new user accounts to make sure a new staff member can do anything they’ll be needed to do.

In the case of WordPress the highest user role is “Admin” (or “Super Admin” on a Network site). Not only is it unnecessary to use the ‘admin’ role as the go-to user role, but it can put your website at risk. Even users with the best intentions, if not properly trained in WordPress, can make mistakes and cause problems for your website.

I strongly recommend assigning the highest level of Editor to any staff you add as users to your website. I explain a bit more about WordPress user roles in my article, 7 Tips for Setting WordPress User Roles

WordPress functions that Editors can NOT do (but Admin users can)

Network tasks (on a WordPress Multisite install):

  • configure the network,
  • add/remove network sites, users, plugins, themes and options.

Network sub-site or single site tasks:

  • Plugins: install, activate, update, edit, delete
  • Themes: install, switch between themes, delete, edit theme options, edit theme files
  • Users: List users, change user roles, create new users, edit users, delete users
  • Manage site options
  • Update core system
  • Edit the dashboard
  • Import/export posts, pages, etc.

I think you’ll agree with me that these tasks are best in the hands of those more experienced. User Roles within WordPress are fantastic tools when used properly. I encourage you to review the user roles on your WordPress site and reconsider the admin roles, especially.

Questions? We can help. Drop me a note using our contact form

7 Tips for Setting WordPress User Roles

First, a brief introduction to WordPress user roles. There are 5 basic user roles on WordPress. Here’s a very basic breakdown of what each role has access to:

Administrator – Has access to all administrative options and features.
Editor – Can add/edit/delete posts.
Author – Can add/edit/delete their own posts, but not the posts of others. Can upload media.
Contributor – Can write and edit posts and submit them for review. Cannot publish posts and cannot upload media.
Subscriber – Can change their own profile and leave comments, but generally has no other capabilities.

7 Tips for Setting WordPress User Roles

Here are my top 7 tips for setting WordPress user roles for your website.

  1. There must always be at least one admin user. When WordPress is installed, an admin account will be automatically created through the installation process.
    Do not use a user name like ‘admin’ or ‘user’ or ‘wordpress’ for the sake of keeping your website secure. You should use a strong user name, and even stronger password. I like to use random.org/passwords to generate a password, and I add in a few random special characters to make it even stronger. Don’t use your birthday or your dog’s name. Read my article about choosing a secure password you can actually remember.
  2. Use your admin account for admin tasks only! Set up a separate editor account for writing posts and pages if you’ll be doing some of your own writing.
  3. Beware of too many chefs. Keep the number of admins as low as possible. If you are the site owner, you may want to limit your site to 2 admin roles – one for you, and one for your webmaster.
  4. When adding a new writer to your staff, start them out as a Contributor and have a more seasoned editor reviewing their content before posting.
  5. Be aware that editors can publish pages and posts, so only hand out this role when you trust the content a user is writing is going to represent your business well. Graduate your writers from Contributor to Author. Only your top writers should be Editors.
  6. Grant non-technical support staff the level of Editor as the highest level of access.
  7. Remember that admins have equal power over your website, and even the best intentioned people, when inexperienced, can cause harm to your site. Think of your admin account like the keys to your office.

I hope these tips have helped you to better understand WordPress user roles, and have given you some helpful tips on how to most effectively set user roles on your WordPress website.

Questions? Leave a comment or drop me a note to let me know how I can help.

WordPress 4.3 admin menu broken in Chrome – Fix

I recently updated our sites to WordPress 4.3 and started noticing the left nav in the admin was broken on hover. I thought at first it was an issue on my localhost, checked live sites and found it there too. This is what it looks like:

As you hover along the links in the left nav bar, they seem to jump around, disappear and reappear kind of on top of each other.

This is not a WordPress bug at all, but is a known bug in the current version of Google Chrome. (If you follow that link and would like to say ‘me too!’, just click on the star just left of the title ‘Issue 509179’) This should be fixed by the next major release.

In the meantime, you can fix this issue by disabling “Slimming Paint” in your Google Chrome options. To do that copy/paste this into your browser address bar (where you usually type the web address for a website):
chrome://flags/#disable-slimming-paint

Your browser will jump to the section with a highlighted title that says “Disable slimming paint”. The wording is a little confusing because you’re enabling disabling this feature. Just click the link that says ‘enable’ and then restart your browser.

 

Your WordPress admin menu will render normally again.

Heartbleed OpenSSL Bug – List of Affected Sites

The following list shows the current statuses (as of April 10,2014) of sites we felt our clients would be most interested in knowing about. If you have accounts at these sites, it is highly recommended you update your passwords. 

(Learn more about the Heartbleed OpenSSL bug.)

Vulnerability Status key:
Yes – site has at some point been, or is currently, vulnerable
Likely – site was likely vulnerable but cannot be confirmed
Possibly – site may have been vulnerable but cannot be confirmed
No – site was not vulnerable

List of Popular websites and Heartbleed vulnerability status:
Updated April 11 3pm CST

Apple: Not affected
Amazon: Not affected
basecamp: Not affected
Disqus: Yes (now safe)
Doteasy: Likely (now safe)
Dropbox: Yes (now safe)
eBay: Possibly
Etsy: Yes (now safe)
Github: Yes (now safe)
Godaddy: Yes (now safe)
Google: Yes (now safe)
Hotmail: Possibly (now safe)
Intense Debate: Likely (now safe)
istockphoto: Likely
LinkedIn: Not affected
Lunarpages: Yes (now safe)
Marketo: Likely (now safe)
myspace: Possibly
Office Autopilot: Likely (now safe)
Paypal : Not affected
Pinterest: Yes (now safe)
Siasto: Yes (now safe)
Siteground: Yes (now safe)
Slideshare: Not affected
Skype: Likely (now safe)
Twitter: Yes (now safe)

 

More info:

Is there a site you don’t see here but are interested in? Here is a great resource to check out the vulnerability status of any site:
http://filippo.io/Heartbleed/

Here’s a secondary resource, though not one I’m putting a lot of stock in because their testing method just isn’t quite thorough enough to detect the vulnerability.
https://lastpass.com/heartbleed/

 

Action item:
Change passwords for any site that is now safe. Changing passwords at sites that have not yet been patched will be without reason, as they will need to be changed again after the patch has been applied. We will update this list as we get new information. However, sites that cannot be confirmed may never have a status of “Now Safe”. In that case we recommend updating passwords anyway, to be extra diligent – it never hurts to update anyway. Don’t forget about your personal accounts as well (credit cards, bank accounts, etc.)

 

TrekVisual Clients:
We work hard to protect your website’s integrity. We’ll update TrekVisual client data once servers have patched their software, and we’ll notify you of any information you need to be aware of. Please email us with any questions you have.

How Does the “Heartbleed” Open SSL Bug Affect Me?

“Heartbleed” is a newly discovered security bug that affects OpenSSL encryption software across the web. This bug is estimated to have effected about 2/3 of sites on the web that encrypt data.

 

What is SSL encryption?

When you sign in to a secure site, you’ll notice a ‘lock’ icon in your address bar, or the https: (vs http:). That means that the site you’re signing in to uses SSL to secure the transmission of private information like passwords, credit card and account numbers, etc. The software the website uses to run SSL may be OpenSSL. OpenSSL is one of the most widely used SSL software programs today.

 

What does the Heartbleed bug do?

The Heartbeat bug allows an attacker to extract 64k of data from a servers working memory at a given time. The attacker doesn’t know what that 64k will include – but since these attacks are generally run by computer programs that can repeat the process over and over quickly, there’s a great potential for a lot of sensitive data to be compromised.

 

What can I do to protect myself from the Heartbleed bug?

Change your passwords. Creating strong passwords is a good habit to make – read more about how to create strong passwords you can remember. It has been reported that Apple, Google, Microsoft and major banking services have not been affected. It does appear that Yahoo has been targeted, so I advise changing any Yahoo passwords you have. To be diligent, any password you enter on any secure sites you visit should be changed over the next few days. 

Because we’re not sure when websites are patching their software to fix this bug, changing your password prematurely is possible. I recommend changing passwords to your most important secure sites ASAP, and again in about a week to allow for the possibility you may be changing passwords before the website has updated their OpenSSL software to patch the bug.

 

What about my WordPress password?

This is the kind of bug that will not directly affect your WordPress install, but it can potentially trickle down if the server has been compromised. If you’re hosting with TrekVisual, or we’re managing your website, your passwords will be changed over the course of the next week. This should not affect your normal day-to-day operation. We’ll contact you with updates as they happen.