How to disable WordPress user accounts
Posted on August 26, 2013
Right out of the box WordPress makes it very simple for you to run a site with any number of authors. Each author gets their own user account with a specific set of permissions. Some may only be able to write posts and submit them for review. Others may be able to write and post at will. And still another set may have the ability to write, post and also act as an editor for other authors’ posts. This is such a basic function of WordPress, you may simply take it for granted. I can tell you that I don’t give it much thought when I add a new user, set their permission level and move on with my day. But what happens when situations change?
Recently one of our clients emailed and said that one of their employees had quit and they wanted to delete their user account to make sure nothing malicious took place. But since the employee had written dozens of blog posts over the past few years, they didn’t want to lose that content.
The problem with deleting a user is that when you do you are forced to make a decision; delete all the pages and posts attributed by that user, or, assign all pages and posts from that user to a different user. I don’t know about you, but neither of those options are appealing to me.
After thanking the client for not knee-jerk reacting and simply deleting the user account, we talked about the possible solutions, both good and bad. Here are the different options we spoke about, along with a description of how each option works.
Change the user’s role to Subscriber
While this will certainly keep the user from being able to write any new posts or edit any previous posts, what it doesn’t stop them from doing is modifying their display name. If your theme displays the name of the author on each post, a user with bad intentions could change their display name to something not-so-flattering and it display on every post they’ve written.
Suggestion: Do not use this method
Change the email address/password
When you change a user’s password, they can simply use the lost password feature to have a password reset link sent to their email. If you change their email address as well, they would never receive that password link. This is definitely effective and would keep the user out. Unless they guess the password.
Suggestion: Effective, but I’d use this with some level of caution.
Change the user’s role to No Role For This Site
If you set a user’s role to ‘No Role For This Site’, the next time they log in they will see the following message:
This is extremely effective. The user can technically still log in, but they have no ability to access any pages in the admin area.
Suggestion: If you want a non-plugin solution, this works great. My only concern is that the user is technically still logged in. It does leave a window open for a use with malicious intent (albeit a very small window)
Disable Users Plugin
Once activated, the Disable Users plugin adds a checkbox to each user’s profile page where an admin can check a box to disable the user’s account. Like this:
With that checkbox set, when that user tries to log in, they are immediately logged back out and shown the following message:
Suggestion: I like that the user can’t access their profile, can’t access their posts and can’t even log in. I say, we have a winner!
Thanks man, the whole goal was to keep it simple. No need for tons of settings and options - either the account is disabled or its not. I searched the repo thinking surely something like this existed. I found a few options but they were crap. One created a new table just to keep track if users were disabled or not while the other created a whole slew of settings to manage - yuck. I wanted to be able to simply lock out a user for simple use cases exactly like what you described above :)
Yeah, I like the simple and clean solutions, too!
Thank you for the informative article! Removing WordPress users has never been so easy than following this steps. Will be sharing with my blog community :-)
We had a similar issue with one of our tourism websites and to solve the issue, I changed the authors password and changed their email so that I received their emails. As such, they can not reset their password as the email goes to an email address that will be filtered into the default email account and received by me. They also can not login. My concern was that if their account was locked, preventing login, their email address is still the same. They might receive notifications from the website and they can still change their gravatar image to something very unflattering. I much preferred the idea of changing all their data except their name. As a precautionary note, it is worth pointing out that you should have admins sign a contract so that you own a license for the articles they submit otherwise they can request it is removed as they technically own the content.
Hi, is there a way to modify this plugin to have users able to log on the site at a specific time frame and log them out automatically when the time frame expired? thank you
Thank you for the help on disabling the WordPress user accounts! Short and very informative article.
Not so technical article. In fact it is the easiest way, in my opinion. How to disable or enable user accounts is no more question for me. Thanks :)
Interesting that this article is still relevant so many years later. We used the No Role method effectively. I don't think I'd recommend adding another plugin for disabling users. Things can get so bloated in WordPress when relying on so many one off plugins for every little feature. Not to mention the security risks involved... Good article!
Thanks!
Dear Admin, How we can disable admin profile from WordPress blog post. thanks in advance
I don't suggest the "no role". It broke my site. What happens to a user's data and settings when they are switched to "no role"?
"No role" is a core feature. There is no reason that should break your site. It is possible an old plugin isn't handling "no role" properly though. The advantage and reason to use "no role" is that it doesn't affect the user's data and settings. At any time you could change them back to having a valid role on the site.
I've tried to set the role to "No role for this site" but each time I update the account, it switches back to Subscriber.
Our Original Air Jordan Shoes(http://www.originalairjordanshoes.com/?Online promises to offer original jordan shoes with factory price and original package,also enjoy jordan socks and fast shippig,all shoes are authentic and comfortable
Truecaller crack forming PC program is the best phone application that lets the names of faint visitors that are not saved in your contact list. Furthermore, it is the best stage to get an investigation each and every dull number. Possibly, this unmatched making PC program is the most ideal decision that capability attests the visitor’s names and even blocks shocking calls.https://allnewcracksoftwares.com/truecaller-premium-apk-crack-download-latest/
AVG Internet Security Crack is an Enemy of Spam quality traveler winning thing. What's more, standard by a lot of pinnacle programming score affiliations. Unrivaled shaped is the Shopping security brand name which nattily covers trucks from a web program. https://allnewcracksoftwares.com/avg-internet-security-22-3-3228-crack-download/