The right number of WordPress administrators is not 'as many as is convenient' but 'as few as possible'. Every additional admin account is a potential entry point for attackers, and whenever something goes wrong in security, the admin accounts are the first thing you need to investigate. This check fires when the audit finds more than three administrator accounts, which is more than a typical team needs.
Why this matters
A single compromised admin means a fully compromised site. WordPress has no internal mechanism that stops an administrator from installing a plugin with a backdoor, creating a hidden user, or deleting all content. The more admins you have, the higher the chance that one of them will use a weak password, fall for a phishing email, or sign in from a compromised device. Do the math: if each account independently carries roughly a 1.5% annual chance of being compromised, a site with eight admins has a combined yearly probability of 1 - 0.985^8, about 11%, of being breached through one of them - more than seven times the risk of a single admin. Incident reports from 2024 show that 43% of WordPress site breaches began with a leaked credential from an internal user, not with code vulnerabilities.
How to detect
The RankPlus audit counts every user with the administrator role (including super admins on multisite) and flags counts above three. Manually: go to Dashboard > Users, filter by Administrator, and count. Look at the Posts column too - admins who have never published anything are likely candidates for a role downgrade, because they probably do not actually need that level of access. Also check the registration date of each admin: an account created at an odd hour or that you do not recognize is a possible breach indicator and should be handled under the 'Recently created admins' check.
How to fix
- List every administrator. For each one ask: do they install or update plugins, switch themes, or change site and security settings?
- If not, downgrade them to Editor (can publish and edit any post, but cannot install plugins, change themes or alter settings) or Author (can only write and publish their own posts).
- On the Users screen click the username > Edit > change Role to Editor or Author > Update.
- For ex-employees, delete the account outright and reassign their posts to another active user so no content is lost.
- For external developers needing temporary access, create a dedicated admin account for them, with its own credentials, and revoke it the moment the project ends.
- Enable two-factor authentication for every admin that remains. WordPress core does not ship with two-factor authentication, so you will need a plugin for it; once enabled it is the single strongest protection if a password ever leaks.
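To make the detection and the fix above repeatable, here is an added example (not part of the RankPlus audit and not WordPress code) that applies the same rules to a list of administrator records and drafts the matching WP-CLI commands for review. The record layout mirrors what `wp user list --role=administrator --format=json` returns (ID, user_login, user_registered, roles); the `post_count` and optional `super_admin` fields, the 3-admin threshold, the 30-day "recent" window, the 00:00-05:59 "odd hour" range and the sample accounts themselves are assumptions constructed for the illustration.

```python
"""Audit WordPress administrator accounts and draft remediation commands.

Example code, not part of the audit or of WordPress. The input records
mirror `wp user list --role=administrator --format=json` plus a
`post_count` field (the Posts column on the Users screen) and an optional
`super_admin` flag for multisite, both assumed to be supplied by the caller.
"""
from datetime import datetime, timedelta

MAX_ADMINS = 3            # threshold used by the check on this page
RECENT_DAYS = 30          # assumption: younger accounts get a second look
ODD_HOURS = range(0, 6)   # assumption: site-local hours when staff rarely create accounts

# Constructed sample data; these are not real accounts.
SAMPLE_NOW = datetime(2024, 6, 10, 12, 0, 0)
SAMPLE_ADMINS = [
    {"ID": 1,  "user_login": "owner",     "user_registered": "2019-03-04 09:12:00", "roles": ["administrator"], "post_count": 240},
    {"ID": 7,  "user_login": "marketing", "user_registered": "2022-06-14 13:40:00", "roles": ["administrator"], "post_count": 58},
    {"ID": 12, "user_login": "ex-agency", "user_registered": "2023-01-09 10:05:00", "roles": ["administrator"], "post_count": 0},
    {"ID": 19, "user_login": "wpsupp0rt", "user_registered": "2024-05-30 03:27:00", "roles": ["administrator"], "post_count": 0},
]


def is_admin(user):
    """Administrator role on this site, or a multisite super admin."""
    return "administrator" in user["roles"] or user.get("super_admin", False)


def classify(user, now):
    """Return (verdict, reason): 'investigate', 'downgrade' or 'keep'."""
    registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
    reasons = []
    if registered.hour in ODD_HOURS:
        reasons.append("registered at an odd hour")
    if now - registered < timedelta(days=RECENT_DAYS):
        reasons.append("registered in the last %d days" % RECENT_DAYS)
    if reasons:
        # Unrecognised or oddly timed accounts are a possible breach indicator;
        # do not quietly downgrade them, confirm who created them first.
        return "investigate", "; ".join(reasons)
    if user["post_count"] == 0:
        return "downgrade", "never published anything"
    return "keep", "active content author"


def audit_admins(users, now, max_admins=MAX_ADMINS):
    """Count admins, apply the threshold and attach a verdict to each account."""
    admins = [u for u in users if is_admin(u)]
    return {
        "admin_count": len(admins),
        "passes": len(admins) <= max_admins,
        "verdicts": {u["user_login"]: classify(u, now) for u in admins},
    }


def remediation_commands(users, now, reassign_to, departed=frozenset()):
    """Draft WP-CLI commands for a human to review; nothing is executed here.

    `departed` is the set of logins known to have left the organisation; their
    accounts are deleted and their posts reassigned to user ID `reassign_to`.
    """
    cmds = []
    for u in users:
        if not is_admin(u):
            continue
        verdict, why = classify(u, now)
        if u["user_login"] in departed:
            cmds.append("wp user delete %d --reassign=%d --yes  # %s has left"
                        % (u["ID"], reassign_to, u["user_login"]))
        elif verdict == "downgrade":
            cmds.append("wp user update %d --role=editor  # %s: %s"
                        % (u["ID"], u["user_login"], why))
        elif verdict == "investigate":
            cmds.append("# REVIEW before acting: %s (ID %d): %s"
                        % (u["user_login"], u["ID"], why))
    return cmds


if __name__ == "__main__":
    report = audit_admins(SAMPLE_ADMINS, SAMPLE_NOW)
    print("administrators: %d, check passes: %s" % (report["admin_count"], report["passes"]))
    for login, (verdict, why) in report["verdicts"].items():
        print("  %-12s %-12s %s" % (login, verdict, why))
    for cmd in remediation_commands(SAMPLE_ADMINS, SAMPLE_NOW, reassign_to=1, departed={"ex-agency"}):
        print(cmd)
```

The script only prints the `wp user update` and `wp user delete` lines; run them yourself after checking that the account you keep as `reassign_to` is one you can still log in to, since the lockout warning under Common mistakes applies just as much to scripted changes. Re-running `audit_admins` on the remaining accounts is the same check the verification step below performs by hand.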
Common mistakes
Do not share a single admin account across multiple people. Without an individual account per person you cannot tell who changed what when something breaks, and you cannot revoke one person's access when they leave without rotating the password for the whole team. Do not downgrade or delete your only admin before you have verified that another admin account can log in - you will lock yourself out. Do not assume a Subscriber role is harmless: if any installed plugin has a privilege escalation vulnerability, that subscriber can become an admin in seconds, so unknown low-privilege accounts deserve the same scrutiny.
Verifying the fix
Re-run the audit - the check should turn green. Manually: on the Users screen the Administrator filter should now list only the accounts you decided are essential. Confirm that every user you downgraded can still do their job. If a content editor needs to change a plugin, they will ask you, and that is exactly the workflow you want.