This post will cover what to do with spam WordPress users, but also users that you simply don’t recognize. Most of the time they are junk accounts that were made due to a security vulnerability. However, there are a few instances where those accounts aren’t bad news for your business. Here’s what to do with them instead.
How to check for spam WordPress users
Whenever you log into WordPress, it’s a great idea to scan your users list. The most important type to review would be Administrators. If you have the time, scanning Editors + Authors is beneficial to do once a month or quarter. Head to Users > All Users + look the names over. For membership sites, use the links at the top to view only Admins, Editors + Authors individually.
What you might find
If everyone in that list is someone that should have access with the level assigned to them, great! You are done + can move on to whatever task you were going to tackle.
If you come across someone that was previously allowed access to your site, but you don’t want them to have access anymore, it’s time to clear them out… the right way. It’s really important to remove WordPress users with these steps so that you don’t accidentally remove content they’ve added. I’ve seen many sites with broken images + missing blog posts because of this.
And if you come across someone you don’t know, it’s time to investigate. But before that, you need to protect your WordPress site from further harm.
Protect your site from bad users
Before you leave your site to figure out who this account belongs to or why it exists, first change their access level. Click Edit right under the username + select “Subscriber” from the Role dropdown. Scroll to the bottom + click Update User. Alternatively, you could change their password, but they would still be able to reset it as long as they have access to the email address tied to the account.
Dropping their access to the base level prevents this potential spam WordPress user from doing any (more) damage to your site. Subscribers only have access to their own profile in the dashboard. So this individual will no longer be able to edit content, themes, plugins, etc.
Why don’t I recommend deleting them right away?
Vulnerability moment… I’ve made quick reactions when I thought a site was in harm’s way + deleted users. When I found out that user was valid and necessary, I had to create a brand new account. Only that new account wasn’t connected to any of their previous content. That’s an issue when users like filtering pages or posts by their ownership. It’s much easier + faster to change someone’s role than to recreate an account.
Now that you’ve halted any possible issues, it’s time to figure out who this user is. I recommend hopping over to your inbox + searching your past emails for that email address or username. Even better is to search for just the domain (the part after the @) if the email address isn’t on something like gmail.com. If my email popped up in your dashboard, search for @tinyblueorange.com only.
Keep in mind that almost every hosting company will create an admin user on your site to help with support when needed. So users like @flywheel.com or @siteground.com could be completely valid.
You could also reach out to the member of your team that tackles all things WordPress. While it’s best to communicate in advance, they may have added a contractor to your site to solve a problem as a team.
There are 2 possible outcomes. Either you confirm this account is ok + set their role back to what it was. Or you can’t find a reason for it to exist + follow the steps to remove WordPress users from your site.
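The same review from the command line, as an added example that is not part of the original post: it assumes WP-CLI is installed, reads the CSV from `wp user list --role=administrator --fields=user_login,user_email --format=csv`, and prints (without running) the command that drops each unrecognised admin to Subscriber. The function names and sample accounts are constructed for illustration; the two recognised domains are the ones mentioned above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes simple logins and
# emails with no commas or quotes in the CSV.

# flag_unknown_admins DOMAIN...
# Reads the admin CSV on stdin; prints the login of every account whose
# email domain is NOT one of the DOMAINs you recognise.
flag_unknown_admins() {
    awk -F',' -v allow="$*" '
        BEGIN {
            n = split(tolower(allow), d, " ")
            for (i = 1; i <= n; i++) known[d[i]] = 1
        }
        NR == 1 { next }              # skip the CSV header row
        NF < 2  { next }              # skip blank or malformed rows
        {
            domain = tolower($2)
            sub(/\r$/, "", domain)    # tolerate Windows line endings
            sub(/^.*@/, "", domain)   # keep only what follows the last @
            if (!(domain in known)) print $1
        }
    '
}

# suggest_demotions DOMAIN...
# Prints the WP-CLI command for each flagged login. Nothing is executed,
# so you can review the list before changing any role.
suggest_demotions() {
    flag_unknown_admins "$@" | while IFS= read -r login; do
        printf 'wp user set-role %s subscriber\n' "$login"
    done
}

# Constructed sample input, in the shape WP-CLI prints.
SAMPLE_CSV='user_login,user_email
site-owner,hello@tinyblueorange.com
flywheel-support,Support@Flywheel.com
wpadmin2,xk19@example.net'

# Demo: only wpadmin2 is flagged.
printf '%s\n' "$SAMPLE_CSV" | suggest_demotions tinyblueorange.com flywheel.com
```

On a real site, pipe the `wp user list` output into `suggest_demotions` in place of the sample, then still search your inbox for each flagged address before removing anyone.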