Once upon a time, they were active on your site, adding comments or buying products. Now, they’re nowhere to be found, clogging up your stats and creating a security risk. What’s the solution to this problem of inactive WordPress users? Is there some sort of logout plugin that gives them an auto logout? Can you send them a warning message with a countdown to kicking them out?
In this blog post for beginners, we define inactive WordPress users, explain the website application security risks and business implications, and suggest proactive measures you can take to eliminate some risks, reduce others and mitigate the potential harm to your organization.
Table of contents
- What is an Inactive WordPress User?
- Website Application Risks and Business Implications
- Other Considerations
- Proactive Measures to Eliminate or Reduce Risks Posed by Inactive WordPress User Accounts
- Concluding remarks
What is an Inactive WordPress User?
First, let’s define an inactive user. It’s not just as simple as a user who doesn’t do much on your website. Let’s be more precise.
There are different ways to outline a general pattern of user inactivity on a website. An inactive user might be:
- A user who was active but now hasn’t logged into your website for a period of time
- A user who never logged into your site with any frequency, or used it with consistency
- A user who joined but never made a contribution (e.g., never added or edited pages, product descriptions or blog posts)
- A user who joined but never bought a product/service (if your site is an e-commerce one)
However, the best definition of an inactive user is very specific. An inactive user is someone who hasn’t logged in or out of your site for a number of days (e.g 90 days). Making the definition focus on login activity across a specific period marks a clear and simple boundary for inactivity. The number of days is specified by you, and should be configurable in any login application you use to deal with the dormant user issue.
Website Application Risks and Business Implications
So, what are the risks? Are they really that substantial? And, if they are, what are the unintended and serious commercial consequences?
This section sets out the risks and business implications to help you grab the attention of your organization’s directors and senior management team. The main risk is your website and data security, so that will receive the most attention. There are two lesser risks that also have business and organizational implications that you must address.
Primary Risk: Website Security
The dark web is a murky place where multiple types of user data are traded and exchanged. Some password managers offer a convenient feature that notifies users if their email address or password has been discovered on the dark web. They will also keep users informed if they themselves have carelessly used the same login credentials (username and password) across multiple online web applications and services, and prompt them to change the password.
But, if your website still has an inactive user account in one of these scenarios, it presents an imminent risk to your web application’s and WordPress website security, because the password will not have been changed in months.
Primary business implication: Malicious hackers can misuse and sell data
The life of a malicious hacker – who may have the intention to access, steal, amend, or trade your website application’s data – is made so much easier if they procure even a single user’s set of login credentials for any website application or service. Why? They can use those credentials to conduct an artless, but sometimes effective, brute force or dictionary attack using the same credentials to gain access to other accounts belonging to the same user, within the same organization or outside of it. Privilege escalation could similarly prove a problem.
For individual users, this can leave their banking and other personal information exposed to theft or resale. For you as a WordPress website administrator, it can mean a hacker can gain access to multiple website applications, databases, networks and other services across your organization’s network. This could include accessing systems of partners and other third parties too – leaving you open to loss of reputation, punitive fines, or other mammoth penalties.
Secondary Risk 1: User Apathy
Users are inactive for many reasons. But one factor ties them together. They once showed an active interest in your WordPress site, but now they don’t. If you have accumulated large numbers of these inactive users, over a prolonged period of time, you should consider investigating why they are inactive and what you can do about it. Some reasons for their inactivity will be obvious (they left your employment or stopped a partnership with you, or they haven’t bought anything from you for a while) while others require you to dig deeper.
Business implication: Keep customers engaged and re-engaged
Don’t view inactive users as a problem or a nuisance but as a business opportunity. They are potential customers and clients with whom you have already made contact. At some point, they showed an interest in what you have to offer. That’s a head start!
First, find out who your inactive users are. Then, target them in a re-engagement campaign. You could, for example, send them target emails with information about promotions, discounts, or new features. Or you could engage them on social media.
Of course, it’s important to acknowledge that there are others who aren’t customers that might need reengagement too. You may have had writing partners and content contributors who weren’t buying your products but who did add new value and now they are inactive. Why? And what do you want to do about it?
Secondary Risk 2: Time Wastage
It takes time to manage inactive users, whatever you decide to do with them. It takes time to deal with trolls, spammers, malicious hackers, and others who run scripts to take over the user’s account for hostile, financial, or other purposes. It takes time to search for inactive accounts and figure out the best response. If you manage a portfolio of accounts or an online community, it’s time-consuming to deal with them all.
Business implication: Invest in the right resources that will save time
It’s not enough that you invest in software or plugins to help with this risk. They must have features that will save you as much time as possible while performing the functions you require. For example, find a WordPress plugin that automatically identifies inactive users, locks them out, and alerts you about them. You should also be able to configure it to send you a weekly email summarising inactivity lockout (along with other information). The WP Password login does all this and more.
Armed with this practical knowledge, you can then persuade them to:
- Allocate more resources to WordPress security, while informing them of the substantial cost of a WordPress website security breach
- Write and enforce website application hardening policies and other measures
- Educate your internal users and external partners on WordPress security strategies, such as the Principle of Least Privilege, and direct them to relevant WordPress tutorials on wordpress.org
- Put in place proactive mitigation efforts such as WordPress password protection (as part of your Password Policy) and activity log analysis
Should I simply delete the user account to remove the risk entirely?
Not necessarily. That does seem like the most obvious and clean solution. But there are alternatives that make more sense if you want to hold on to what those currently inactive users have produced.
For example, the account you delete might belong to an inactive user who in the past made a contribution you want to keep. Yes, you could assign their content to another user but this would change the author information.
Another solution is to downgrade the role of the inactive user or set up different timeout settings on the settings page based on other user roles. The problem with this is that it takes time to achieve for each separate account. More importantly, it still leaves open a way of accessing a site, even though at a lower level of permission. Such unused but downgraded accounts may still have compromised passwords.
The best solution to the inactive user account problems isn’t deleting the accounts entirely but finding a way to automatically suspend or disable WordPress user accounts, with the option of reactivation. For example, the Melapress Login Security plugin locks inactive user accounts on WordPress. This means it logs them out, hides their content, and asks them to log in again.
Will deleting inactive WordPress user accounts break anything?
Deleting inactive accounts has implications for old content. Content such as web pages and blog posts that are connected to that inactive user account may be automatically deleted once the account is removed, if you don’t take precautions. You can assign all this content to another user. But this will change the author’s information. You can change the user’s password and email address by editing their profile. But this will change their Gravatar image, if they use one.
There are further implications if you are running an e-commerce site. For example, when a user account is deleted on a WooCommerce site, it is possible to retain order information – including billing and shipping data – for accounting purposes by assigning order information to another user. But it is recommended that you make a full backup of your website before deleting any users, including inactive ones.
Is it easier to suspend or disable WordPress accounts that are inactive, then reactivate them later if necessary?
Yes. Suspending an inactive user account on WordPress could help limit the risk, by enforcing a password reset before reactivation. That way if the user – or a malicious hacker – tries to log in, the legitimate will receive an emailed prompt to reset. The legitimate user will have access to their own email, SMS, authenticator app or other multi-factor login setup; the bad actor won’t. If the password reset does not take place, then reactivation is impossible. This approach will also have the side benefit of reinforcing to your WordPress users, whether internal teams or external customers, that you take online security seriously, and condition them to adopt strong security practices.
Implementing a WordPress inactive users policy is easier than you might think. Melapress Login Security is a WordPress password security plugin that offers this functionality straight out of the box. You can easily set an inactivity timeframe after which the account is automatically disabled. You can also choose to have users reset their password following an unlock. This provides you with an additional security mechanism to limit risks associated with stale passwords.
Proactive Measures to Eliminate or Reduce Risks Posed by Inactive WordPress User Accounts
With the Website Application Security Risks and Business Implications in mind, let’s look at how you can minimize those risks – leaving your website application security teams free to focus on the less predictable risks and malicious hacks.
Identify Inactive User Accounts
First, make sure you can identify the inactive user accounts on your WordPress website. If you have a single website and less than ten user accounts, you can schedule a simple reminder in your task management software. But, if you manage a multisite network that includes a mixture of internal staff and external partners and systems, then you’ll need an automated method of keeping informed about inactive user accounts.
Using our WP Activity Log plugin which keeps comprehensive activity logs, you can protect your websites and multisite networks by:
- Monitoring user changes
- Automatically logging out inactive users
- Terminating idle user sessions automatically
- The plugin will also help you keep organized by:
- Configuring automated email notifications and SMS alerts for events such as inactive users, failed logins, and password resets
- Configuring automatically emailed reports of your choice
WP Activity Log is a very comprehensive plugin that comes with a solid user session management module among other features. Featuring the most comprehensive activity log for WordPress on the market, it provides you with invaluable insight that allows you to track activities, identify behaviors, and troubleshoot issues with minimal effort.
Restrict Login Sharing Opportunities
Another sound strategy is to restrict login sharing on your WordPress website. Login sharing is when WordPress users share their login information with other users to make access and publishing easier. And because ease is their main priority, it is likely that these passwords will be weak – easy to write down, easy to pass along , easy to remember… and easy for malicious hackers to exploit.
There are many security risks created by the practice of login sharing on WordPress. These risks are multiplied if login credentials are shared by inactive users and those to whom passwords were shared. The solution to this website security mess is by forcing users to employ strong WordPress passwords in the first place to discourage credential sharing. The Melapress Login Security plugin makes this process both easy and secure
Handle Failed Login Attempts
A final security tactic is to block failed login attempts on your WordPress website. An attacker might have an inactive user’s login name but not the password that matches it. A high frequency of failed login attempts over a short period of time could be a sign that an automated attack is taking place. WordPress itself doesn’t provide any way to limit or evade multiple failed login attempts, whether on inactive or active accounts.
Thankfully, there are ways to block failed login attempts on WordPress. The Melapress Login Security plugin automatically blocks users who have too many failed login attacks and enables you to set up a policy that deals with this problem permanently. This is a means of protecting your website and your active users against password and dictionary attacks, for example. You may also want to consider using a CAPTCHA 4WP plugin to help prevent automated attacks, and designing a WordPress failed login policy.
Inactive user management is one of the many security features of the Melapress Login Security. With it, you can automatically disable inactive WordPress users and require them to reset their passwords before they log back in to the site. Check out the many other password and plugin features that enable site administrators and owners like you to secure WordPress passwords. If you don’t want to pay for the plugin straight away, you can get a 14-day free trial of Melapress Login Security to boost the security of your website and protect it from the danger posed by inactive users on WordPress.