There are a handful of reasons you’d want to (or need to) remove WordPress users from your site. Unfortunately, at tiny blue orange, we’ve been asked to fix issues after a user was improperly removed …or not removed in time. Why not skip that annoyance for your business?
Scan your user list, for security
So what exactly are the reasons that you’d want to remove WordPress users? The first one that most business owners or bloggers list is because you no longer want that user to have access. No matter the reason, they are no longer a part of the team + their access needs to be revoked. It’s a great reason, but not my number one.
We’ve dealt with a number of sites who had users in their user list that they didn’t create. That means someone gained access to their site or their database + created their own account will full permissions. Let’s call that what it is — a security breach. Which is why it’s a great idea to scan your user list once in a while. Call it spring cleaning as long as you do it every season.
Some smaller reasons for removing users would be removing a customer who asked for a refund / stopped paying their membership, changing a username to be more secure, ditching some of those test accounts you created while working through the checkout process. (That last one is a big one for tiny blue orange before we launch a new site.)
The proper way to remove WordPress users
Whatever the reason, WordPress makes it really easy to remove access to your site, which is good news + bad news. Because it’s so easy, folks often miss one critical step that creates frustration down the road.
- Log into your WordPress site
- Go to Users > All Users in the left-hand menu
- Hover over the name of the user you want to delete + click Delete
- Either “Delete all content.” knowing you can’t recover what this user is connected to OR “Attribute all content to:” another account
- Click Confirm Deletion + you’re done
Why is step 4 in this process so controversial?
So many site owners assume that the user isn’t tied to content that they need or care about. They’ll end up deleting blog posts, pages, or the one that I see most often — media.
It’s not uncommon to use a company or contractor for a limited period of time. That person might upload graphics to your site or copy + paste content that you’ve written in Google Docs. When you remove their content, you delete it fully. There’s no trash can for you to pull it out of.
Want to know a really easy way to avoid learning about these issues after the fact? Use a hosting company that backs your site up every single day + stores that backup separate from your website. That way, hackers who create their own admin users on your site won’t have access to the backup files.