What to do about Inactive WordPress Accounts

[Update: Shield Security 7.4 with these features is now out!]

Have you ever faced the dilemma of deleting inactive WordPress users from your sites, and the wonder what you might be breaking in doing so?

Certain cases call for accounts to be entirely deleted, and some times this simply isn’t appropriate.

What if you could just “suspend” unused accounts with the option to reactivate them later?

The problem: unused WordPress accounts represent a risk

Shield Security has had tools in area of user account management for a long time. These have focused around controlling user sessions, setting timeouts, and restricting account sharing.

This is great for protecting sessions, but what about the user accounts themselves?

Nearly all professional WordPress sites will have users that turn-up and then later disappear, perhaps never to return.

These accounts provide a gateway to a deeper level of access to our sites than simple site visitors, and so represent a risk when they’re abandoned.

Ideally they’d be deleted, but sometimes this isn’t practical.

The Case of Retired Authors

Imagine a multi-author blog where you want to keep the individual authors, their work, and their attribution, but the author may no longer be active on the site.

Sure, you can set a super long password and a random email address, but you haven’t actually prevented account access.

What if you could keep the account on your site, but block future logins to that account entirely?

The Case of Authenticated WordPress Vulnerabilities

There are many WordPress vulnerabilities that can only be exploited by authenticated users. Unused and forgotten user accounts across your entire portfolio of WordPress sites are doors to your site that are never quite shut.

What if after a certain length of time, unused accounts become suspended and require a password reset to reactivate? This would help reduce the risk of hijacking unused user accounts.

The Case of Pwned Passwords

Similar to the scenario above, an idle account that used a compromised password several years ago is an omnipresent risk to your site.

As above, what if these users could be automatically suspended without your manual intervention, and may only be reactivated with a manual password reset?

The Case of Temporary Admins

Oftentimes when we’re delivering support to clients, we’ll ask for temporary admin access to the site. Providing temporary admin access is a common scenario for all of us, and there’s a bit of work setting up these accounts, each time.

What if you could set it up once, then put the account on ice until you need to open up access again?

What options do you have for disabling WordPress user accounts?

Until now, there’s been no way to have a WordPress user account on your site, but have it disabled. It’s either all on, or all off. There’s no in-between.

Your only real option is to delete accounts that are unused.

But as we’ve discussed, this isn’t always the most practical choice. And for sites with huge numbers of users, and where you might have a large portfolio, this is yet another job that you’re unlikely to find the time for.

What you need is a solution that is flexible to let you pick accounts to suspend, and one that will automatically work in the background to disable accounts that have gone unused for too long.

Solution: Shield Security User Suspension Feature

Shield Security Pro released a feature that allows administrators to manually and automatically suspend any user account. This feature is available from within the main Config menu > Users > User Suspension.

Manual WordPress User Suspension

Any account that is “suspended” by the admin will never be able to log into the site (until they’re unsuspended).

When a suspended user tries to login, they’ll be told the account is suspended and they’ll be directed to contact the site administrator.

This user experience is preferable to the alternative where the user has no clue and must go through the whole process of logging in, failing, resetting passwords, only to later discover their account information has been permanently removed.

Automatic WordPress User Suspension

While providing the ability to manually suspend users is a great step forward, it’s not a complete solution.

True power comes from having the ability to automatically suspend user accounts based on certain criteria.

More specifically, the criteria we’re providing with Shield are:

• expired passwords
• idle account (i.e. no login or password reset for an extended period)
• custom user role – i.e. you select which user roles are subject to auto-suspension

If a user hasn’t logged-in (or reset their password) for, say, 1 year, you might consider that account inactive. Instead of leaving that account open on your site, Shield will automatically suspend it and prompt the user to reset their password (and thereby reactivate their account).

When is the suspension feature available?

Shield Security Pro 7.4 was released in mid-June, 2019. If you have any questions about this feature at any time, please let us know in the comments below.