Caveat Administrator

Summary — A WordPress Admin account can be used to do anything to a site, including damaging it. Depending on what happens, recovery may prove difficult, time-consuming, or impossible. In such cases, down-time and damage to reputation, including search engine rank, are likely.

The desire: to update menus

The way WordPress handles user accounts doesn’t line up with some expectations. There are basic functions that website owners often want to access without having to go through an intermediary like an Administrator. The most common is being able to update their site’s menu. This functionality is only available to Administrators, and adding someone to the loop — especially someone outside their organization — can be inconvenient.

Fair enough.

While this specific feature comes with limited, non-technical risks, such as making a site that’s a little too similar to your org chart — a common practice that may not serve your primary audience or your business goals the way you hope — it’s unlikely to be an outright, overnight catastrophe.

The risk: an Admin user can inflict serious (if unintentional) damage

Once a user has been promoted to Admin, they aren’t limited just to editing the menus, though. They can also:

  • post content as Admin: this seems fairly innocuous — and it’s easy to do accidentally — but it can make password-guessing much easier if an Admin username is exposed.
  • install software updates: risky without understanding the ramifications or knowing how to reverse the process.
  • add new software: adding plug-ins or themes — common vectors for malware or spam links — can damage reputation and search engine rankings long-term. Issues may be too subtle to notice immediately, potentially rendering months of backups useless.
  • misconfigure security: it’s easy to over-prioritize convenience at the expense of security.
  • weaken passwords: weak passwords put your site at serious risk, and the more important the account, the greater the risk; if the account is compromised, damage or hijacking of site resources is often subtle (to evade detection); this can render months of backups worthless.
  • lock themselves out: it’s possible to lock oneself — and other administrators — out of WordPress, which makes getting it back up and running smoothly challenging.
  • slow down the site: misconfiguration can damage customer experience and search engine ranking; these are not quick or easy to reverse.
  • edit Theme or CSS: changes to Templates (.php files) or stylesheets (.css files) can break page layout or completely block content rendering, resulting in blank pages site-wide that can be challenging & time-consuming to fix.
  • create Admin accounts: Admin users have power over other user accounts, including the power to promote accounts to Admin, or downgrade current Admin users.

  • Handing out Admin accounts to people who really only need Editor-, Contributor-, or Author-level accounts is a really bad idea. Admin users can edit or delete anything — including other users’ published content, other users’ accounts, core WordPress files, themes, essential plug-ins, everything.
  • Every employer/employee relationship is happy at the start, but if and when things end — especially if they end poorly — the damage anyone can inflict should be limited. You can have convenience or security: not both.

Is this fear-mongering? A little, yeah

This list is not exhaustive and, yes, it is meant to scare you a little. The risks outlined here are real. Google them.

You wouldn’t hand a chainsaw to a novice without graphic, detailed warning of the risks they’re taking on. That doesn’t mean no one can use a chainsaw — but warnings are better than paramedics.

Please note: if it’s necessary to make emergency repairs to your website, you will be charged rush production rates — 1.5 × the standard, hourly rate — whether or not those efforts are successful.

Understanding the risks

All that said… it’s your website (not mine). I’m here to help you make an informed decision and offer the best support I can and, if an Admin account really is just used to update a site’s menus, it will be fine. But now you know the scope of the risks.