SOP: Adding & Managing Users in WordPress
1. Purpose
To standardize how users are created, assigned roles, and granted secure access to WordPress websites across staging and production environments.
2. Scope
Applies to:
New website builds (staging environments)
Live (production) websites
Internal team members
Clients and stakeholders
3. Roles & Responsibilities
Project Manager / Account Manager
  Determines appropriate user role
  Communicates access details to client
Developer / Admin
  Creates users
  Assigns roles
  Handles password resets and secure delivery
4. Tools Required
WordPress Admin Dashboard (/wp-admin)
Secure messaging tool https://agency.britecode.io/private-link/
5. Procedure
A. Adding a New User (Standard Process)
Log into WordPress Admin
Navigate to: Users → All Users → Add New
Fill in user details:
  Username: Use the user’s email address
  Email: Same as username (to avoid confusion)
  First Name / Last Name: Required for clarity
Generate password:
  Click Generate Password
  Do NOT manually create unless necessary
Assign role (see Role Guidelines below)
Ensure the following is checked:
  ✅ “Send the new user an email about their account”
Click Add New User
Result:
User receives an email prompting them to set their own password.
B. Role Assignment Guidelines
Assign roles based on responsibilities:
Administrator
  Client (default)
  Full access to site
Shop Manager (WooCommerce)
  Order management
  Product updates
Author
  Blog/content creation only
Custom / Limited Roles
  Use when applicable for restricted access
C. Password Reset (Standard Method)
Use when:
User forgot password
Existing user needs access
Steps:
Go to: Users → All Users
Locate the user
Click:
Edit → Send Password Reset
OR
Use “Send Reset Link” option
Result:
User receives email to reset password.
D. Password Reset (Manual / Fallback Method)
Use ONLY when:
User is not receiving emails
Email delivery issues exist
Steps:
Go to: Users → Edit User
Set a new password manually
Copy:
  Admin URL (/wp-admin)
  Username (email)
  Password
E. Secure Credential Delivery
⚠️ Never send credentials in plain text email or Slack.
Steps:
Use secure messaging tool https://agency.britecode.io/private-link/
Format message clearly:
  Admin URL: [site.com/wp-admin]
  Username: [user email]
  Password: [generated password]
Set expiration:
  7 days
Generate encrypted link https://agency.britecode.io/private-link/
Send to client with instructions
Message:
Hi (CUSTOMER NAME),
Your website access is ready.
For security purposes, your login credentials are stored in an encrypted link. Please use the link below to securely view your details:
[Insert Secure Link Here] (it should look something like this: https://agency.britecode.io/secret/?id=T0po9Tyv4CvDpHcOe100Cl5XFEYKHgVN)
Once you log in, we recommend updating your password to something personal and secure.
If you have any trouble accessing your account or need anything else, just let me know. Happy to help.
6. Security Best Practices
Always use encrypted delivery for credentials
Default to password reset emails when possible
Avoid storing or reusing passwords
Use expiration links (7 days standard)
Encourage clients to change password after first login
7. Common Scenarios
New Build (Staging)
  Create user manually
  Send access via email OR secure link
  Typically assign Administrator
Production Access
  Prefer reset link
  Use manual method only if email fails
Client Not Receiving Emails
  Set password manually
  Send via secure encrypted link
8. QA Checklist
Before sending access:
✅ Username = email (no confusion)
✅ Correct role assigned
✅ Email notification enabled OR secure link created
✅ Admin URL included
✅ Expiration set (if manual credentials)
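The first two checklist items can be verified in bulk across a site's existing accounts. The script below is an added example, not part of the original SOP: it assumes a user export produced with WP-CLI (`wp user list --fields=user_login,user_email,roles --format=json`), a tool this SOP does not otherwise use, and the sample accounts are constructed.

```python
import json

# Slugs for the roles named in section 5.B: WordPress core "administrator" and
# "author", WooCommerce "shop_manager". Custom roles are passed in per site.
SOP_ROLES = frozenset({"administrator", "shop_manager", "author"})

# Constructed sample in the shape of
# `wp user list --fields=user_login,user_email,roles --format=json`
# (WP-CLI reports roles as one comma-separated string).
SAMPLE_EXPORT = json.dumps([
    {"user_login": "owner@client.example", "user_email": "Owner@Client.example", "roles": "administrator"},
    {"user_login": "jsmith", "user_email": "jsmith@client.example", "roles": "author"},
    {"user_login": "shop@client.example", "user_email": "shop@client.example", "roles": "shop_manager,editor"},
    {"user_login": "old@client.example", "user_email": "old@client.example", "roles": ""},
])


def audit_users(export_json, custom_roles=()):
    """Return {user_login: [findings]} for accounts that fail the QA checklist."""
    allowed = SOP_ROLES | set(custom_roles)
    findings = {}
    for user in json.loads(export_json):
        login = user.get("user_login", "").strip()
        email = user.get("user_email", "").strip()
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        problems = []
        # Checklist: "Username = email". Compare case-insensitively so that
        # differences in capitalisation alone are not reported.
        if login.casefold() != email.casefold():
            problems.append("username differs from email")
        # Checklist: "Correct role assigned". An account with no role, or with a
        # role outside the SOP list, needs a human decision.
        if not roles:
            problems.append("no role assigned")
        for role in roles:
            if role not in allowed:
                problems.append(f"role not covered by SOP: {role}")
        if problems:
            findings[login] = problems
    return findings


if __name__ == "__main__":
    for login, problems in audit_users(SAMPLE_EXPORT).items():
        print(f"{login}: {'; '.join(problems)}")
```

Pass any site-specific limited roles through `custom_roles` so they are not reported as outside the SOP.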
9. Risks & Notes
Sending credentials insecurely = security risk
Wrong role assignment = potential site damage
Email delivery issues may require fallback method
Staging vs production URLs must be clearly labeled