Is it safe to hand over the admin rights?

In short no.

The long answer. As an admin they have complete control of the content and options of the site, and (usually) what code is executed on the server. You can disable plug-in & theme editing/installing:

define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

(in your wp-config.php) but they can still do ‘damage’ by irrevocably deleting data (backup?).

In your context you seem to what to preserve the user’s ability to “download plugins etc”. In which case you’re explitly allowing them to execute any code they want on your server – they can do this with just access to the theme/plugin editor. If you’ve got multiple installs in sub-directories to the root folder allocated to by your host, then in general those other installs would also be vulnerable.

(If you’re running multi-site, then yes, obviously each site in the network is vulnerable.)

Related Posts:

  1. what is a auth_user_file.txt?
  2. How to view PHP on live site
  3. Is moving wp-config outside the web root really beneficial?
  4. Hide the fact a site is using WordPress?
  5. Verifying that I have fully removed a WordPress hack?
  6. Can I Prevent Enumeration of Usernames?
  7. Best way to eliminate xmlrpc.php?
  8. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  9. Should I remove install.php and install-helper.php?
  10. What is the difference between esc_html filter vs attribute_escape filter?
  11. How do I technically prove that WordPress is secure?
  12. Which KSES should be used and when?
  13. How can I easily verify a core or plugin update has not broken anything?
  14. Disable comment windows for all existing posts (pages/blogposts)
  15. Generate WordPress salt
  16. Vanilla WordPress install, what can/should I put in disable_functions?
  17. Stop wordpress automatically escaping $_POST data
  18. Secure my “add_settings_field” translation?
  19. how can i embed wordpress backend in iframe
  20. Handling nonces for actions from guests to logged-in users
  21. WordPress Logout Only If User Click Logout or If User Delete Browser History
  22. Can I force a password change?
  23. wp_insert_post disable HTML filter
  24. What is pclzip.lib.php file that wordfence think it’s a malicious code
  25. How to disable XML-RPC from Linux command-line in a total way?
  26. How to remove javascript malware in wordpress site [closed]
  27. Completely remove the author url
  28. Securing my WordPress Files and Directories
  29. Restricting access to content
  30. About WordPress site security
  31. Single sign-on: wp_authenticate_user vs wp_authenticate
  32. How to allow internal links using wp_kses filtration
  33. How does Cross Site Scripting (XSS) work exactly? [closed]
  34. Relative security of different releases of WordPress
  35. How does the “authentication unique keys and salts” feature work?
  36. vs WordPress Security
  37. esc_html__ security : what for in this example?
  38. wp-config.php being written by attacker
  39. Definitive wordpress directory ownership and permissions on linux
  40. XML-RPC errors they know my username?
  41. Is [admin / admin] acceptable for all local websites?
  42. Simple Online Payment for Event Registration [closed]
  43. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  44. Client side HTTP parameter pollution (reflected)
  45. Local file inclusion critical security issue [closed]
  46. Malware script in database post table only? [closed]
  47. Best practices to assert current_user_can() with guests
  48. wordpress website host price and security [closed]
  49. XMLRPC slow and weird websites/services
  50. Are there security risks in working directly in the themes folder that builds into a theme folder?
  51. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  52. Secure WordPress: Change admin
  53. Changing the default header name
  54. how much information can we hide when using wordpress cms?
  55. Wordfence detects change in wp-admin/includes/upgrade.php
  56. Basic password protection without using users and roles
  57. System setting changed by system user
  58. Does meta-data need to be sanitized?
  59. Will there be security updates for WordPress 4.9.9
  60. On new server, site got hacked, permissions a bit strange? Please help
  61. 404/500 error on content images if Referer header is from another domain [closed]
  62. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  63. Restrict Access without Creating Users
  64. Switching between security plugins is a risk?
  65. How to obfuscate wp-config.php or code
  66. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  67. How to prevent to direct access of my custom plugin folder/files
  68. Checking for origin of a xmlrpc request
  69. RESTRICT EDIT of PHP files?
  70. wp-content – permissions for files/folders created by apache
  71. How can I restrict access to specific parts of a page, not just the page itself?
  72. User generated content and security
  73. Are major WordPress updates mandatory for security?
  74. i moved wp-config.php outside of public html and this broke my website
  75. Monitor wordpress all external calls
  76. Is it safe to use the basic administration with reduced rights for private member space
  77. Securing WordPress running on Azure platform
  78. Verifying that I have fully removed a WordPress hack?
  79. Spam Registrations
  80. How can I have more confidence that WP plugins aren’t getting and storing user data?
  81. Standard Method for Securing a WordPress Site
  82. wordpress security (only one part of the site)
  83. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  84. Any way to disable /wp-login.php redirecting to the site folder?
  85. Folder Permissions + Security Concerns
  86. Malware/Permission bug removal?
  87. Could a user account with a stolen password compromised entire WP site?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Run a security scan on WordPress site that has .htaccess password [closed]
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. checking the form submit in right order
  96. Our security auditor is an idiot. How do I give him the information he wants?
  97. SSH keypair generation: RSA or DSA?
  98. How do I protect my company from my IT guy? [closed]
  99. Does changing default port number actually increase security? [closed]
  100. WordPress – tracking options
techhipbettruvabetnorabahisbahis forumutaraftarium24edusedusedueduedueduseduedueduedu