Category Archives: website-tips

7 Tips for Setting WordPress User Roles

First, a brief introduction to WordPress user roles. There are 5 basic user roles on WordPress. Here’s a very basic breakdown of what each role has access to:

Administrator – Has access to all administrative options and features.
Editor – Can add/edit/delete posts.
Author – Can add/edit/delete their own posts, but not the posts of others. Can upload media.
Contributor – Can write and edit posts and submit them for review. Cannot publish posts and cannot upload media.
Subscriber – Can change their own profile and leave comments, but generally has no other capabilities.

7 Tips for Setting WordPress User Roles

Here are my top 7 tips for setting WordPress user roles for your website.

  1. There must always be at least one admin user. When WordPress is installed, an admin account will be automatically created through the installation process.
    Do not use a user name like ‘admin’ or ‘user’ or ‘wordpress’ for the sake of keeping your website secure. You should use a strong user name, and even stronger password. I like to use to generate a password, and I add in a few random special characters to make it even stronger. Don’t use your birthday or your dog’s name. Read my article about choosing a secure password you can actually remember.
  2. Use your admin account for admin tasks only! Set up a separate editor account for writing posts and pages if you’ll be doing some of your own writing.
  3. Beware of too many chefs. Keep the number of admins as low as possible. If you are the site owner, you may want to limit your site to 2 admin roles – one for you, and one for your webmaster.
  4. When adding a new writer to your staff, start them out as a Contributor and have a more seasoned editor reviewing their content before posting.
  5. Be aware that editors can publish pages and posts, so only hand out this role when you trust the content a user is writing is going to represent your business well. Graduate your writers from Contributor to Author. Only your top writers should be Editors.
  6. Grant non-technical support staff the level of Editor as the highest level of access.
  7. Remember that admins have equal power over your website, and even the best intentioned people, when inexperienced, can cause harm to your site. Think of your admin account like the keys to your office.

I hope these tips have helped you to better understand WordPress user roles, and have given you some helpful tips on how to most effectively set user roles on your WordPress website.

Questions? Leave a comment or drop me a note to let me know how I can help.

Is my Password Strong Enough?

Username: admin
Password: admin

You know that’s really not bright, but why? First, I’ll answer the question –

Why do I need a strong password? 

It may not be obvious, but a strong password will help prevent a successful brute force attack on your account (whether this is your FTP account or your WordPress website).

“(A brute force attack) consists of systematically checking all possible keys or passwords until the correct one is found.” (wiki) You’ve seen it in movies, a computer screen cycling through characters one by one until each one is a hit and ‘locks’. This is the basic concept behind

Give it a go, at this Brute Force Space Analysis calculator. Enter admin as a password. This is an accelerated test, with the smallest scenario showing how fast a password could be cracked with 1,000 attempts per second (3.43 hours). Now try a password like adm1n:) and it now estimates a successful crack would take centuries.

You should be aware that this calculator doesn’t tell a complete story. Many brute force attacks are ‘password dictionary’ attacks, meaning a dictionary of common passwords are tried. Admin, 123456, Password are some of the more common (obvious) dictionary passwords.

How do I create a strong password?

The strongest password should be as long as possible (if you’re allowed to use 24 characters, use them), with a minimum of 8 characters. Your password should include numbers and be MiXeDCase (using upper and lower case letters). Most importantly, special characters should be interspersed among numbers and letters.

1Password! is an example of a password that includes all of those recommendations, but is definitely not a strong password, because it’s obviously a commonly recognizable word that begins with a number and ends in a (meaningful) special character. You should avoid common words, and I’d even suggest avoiding the use of the number 1 and the exclamation point.

To create a completely random password, you can use a site like If you’re super careful bordering on paranoid, you can use two or more password generator sites and combine parts of the generated password from each. I can’t guarantee this method will create an easy to remember password, though. For ideas to create a strong password you can remember, check out How to Create a Strong Password You Can Remember.

*Funny note: While writing this blog entry we got an automated notice from our TrekVisual security program to notify us that one of our sites was undergoing a brute force attack. Username they tried? admin

How to Create a Strong Password You Can Remember

Long gone are the days when you could create a password by spelling your name backwards. Or using your numeric birth date.

To create a strong password, many websites now offer a ‘strength meter’ when you choose a password to show you how strong your password is as you create it. Long, meaningless strings of caps and lower case letters mixed with numbers and special characters make an awesome password – but trying remembering it without writing it down can mean lots of wasted time going through the ‘Lost Password’ process to recover and recreate another long, complicated password you won’t remember next time. The cycle continues.

Adding to that complexity, we need passwords for just about everything we do today online – and they should all be different. I haven’t ever actually counted my passwords, but as a rough estimate, I know I have over 300 different passwords.

Kind of reminds me of Susan Powter back in the 90s, yelling “Stop the Insanity!”

Here are some ideas for creating strong passwords you will actually remember.

  • Choose a favorite quote, or passage from a book or poem you love.Add special characters and numbers throughout as they make sense. For this example, I chose the following quote:

    “Know or listen to those who know.”

    You can turn that into a password like this:

    I converted each letter o to the number zero, changed the word ‘to’ to a number two, and added punctuation that I can remember in places that make sense to me. I also attributed the quote at the end with a dash followed by the last name.

  • Use that favorite quote, passage or line from a poem and create an acronym to use as a password:
    Using the example above, the password acronym would be K,0L2Twk-G 
  • Create a sentence that integrates the name or purpose of the website to make it unique

  • Make a tagline for your experience on that particular website and run with it in creating a strong password. For example, if I were creating a password for logging in to my Chase bank account where my house mortgage is held, I might come up with something like:

    S0m3d4y,1w1ll0wn*Ur*House,Chase! (Someday, I will own your house, Chase)

    (Note that some sites won’t let you use certain special characters, like the asterisk)

It doesn’t have to make sense to anyone but you…and better if it doesn’t! Be creative.

Finally, I’m not a big fan of electronic keychains or password collection apps. I recommend keeping your passwords written down in a secure location which doesn’t exist on any electronic device – ie., on paper. I know it’s a bit old-fashioned, but if it’s not anywhere you can access digitally, it’s not anywhere a hacker can access it digitally, either.

WordPress Security Tip: Update Regularly

Just because we look healthy doesn’t mean we are. Someone who looks to be in perfect physical condition can have a number of ‘invisible’ diseases or conditions. Likewise, (bare with me for a tree falling in the forest analogy for a moment), just because nobody sees the dust on the top shelf doesn’t mean it’s not there (as hard as I wish it not be true)! The same can be said for a website. Just because it looks good on the front end, doesn’t mean it is healthy or ‘dust-free’ on the back end. (Who wants a dusty back end, anyway?!)

Question: My website is working perfectly, and I can’t see any problems when I look at it, so why should I concern myself with available updates?

Updates are sometimes released because they include upgrades with new features, but they are often released because of a discovery about a vulnerability in the programming. Often that vulnerability is a security hole that was exploited by some mad genius and his team. As technology evolves, methods to implement and exploit that technology evolves. Maintaining a website is like owning the horse in the lead at the races – followed by hackers and evil geniuses just a neck behind. To stay in the lead, you have to keep your website on it’s “A” game, always. 

Conveniently, when you create a site with TrekVisual, we take care of the tedious updating stuff for you. You’ll not have to worry about having the latest release of anything, because we’re on top of it for you, so you can do the other important stuff, like running your business. Learn more about how our website monthly plan can make it a breeze to keep your site healthy.

Whether it’s your WordPress version, your PHP version or a plugin, you need to be sure your system is kept up to date, or you’re potentially a sitting duck. Don’t have time? Hire someone to do it for you, because the costs for not doing this will eventually catch up with you, and will end up costing more than paying for regular updates in time, money and frustration.

If there’s an update, there’s a reason. Update. Every time.

What’s the difference between a domain name and hosting account?

I find many people confused about the difference between the purchase of a domain name and a hosting account.

TrekVisual’s domain name is, and our website host is LunarPages. I use the following analogy to explain the difference between a domain name and website hosting plan: Your domain name is your web address, like the mailing address to your house. Your hosting plan is the physical location of your website, like the physical house you live in. You can’t have one without the other.

Usually, the first step in creating a new website is purchasing a domain name. That’s the .com address you want your website to have. Domains are purchased from what’s called a ‘registrar’. They’re called a registrar because you are actually registering the right to use that address through them. The domain name is the URL address that will be typed into a browser to access your website.

Your site files (the html, styles, scripts, images, etc. that make up the visual rendering of your website) need to be hosted – that’s what a hosting account is for. You purchase a hosting plan separately from your domain name to use as a storage space for the files that will make your website display in a browser when the domain name, or URL, is typed into the browser address bar.

If you’re having a custom website built by TrekVisual, and will be taking advantage of our website monthly plan that includes hosting, you only need to purchase the domain name, if you want a custom domain name like I recommend GoDaddy for domain name purchases. Namecheap is another site I use occasionally to buy domain names.

If we’re taking care of your hosting, we’ll map the domain for you with your registrar. Otherwise, here’s an article that looks at how to connect you domain name to your hosting account.