If you operate WordPress in a corporate environment, chances are you have more than one employee adding or managing content in it.
If you’ve followed best practices, each of those employees has her own login with the least privileges necessary to do the tasks she needs to perform. If you’re like most businesses, those users eventually leave your employment.
So how do you deal with a departed user’s WordPress account?
Safest bet: Delete the user account
The safest and easiest way to deal with a user account you want to invalidate is to delete the account outright.
However, by default this will also delete the user’s posts. Usually, you’ll want to retain that information; even if you don’t think you want to keep it, it’s smart to hold onto that content as drafts, in case you do need it back.
Fortunately, WordPress allows you to assign a deleted user’s posts to another user before the account is destroyed. So your options are either to assign those posts to another existing user or, better yet, to create a “fake” user to replace the user account you are deleting.
To create a new user:
- In the WordPress Dashboard, select Users > Add New.
- Fill out the required fields. A unique email address (an email address not used on any other user account) is required.
- Make the role of that new user an Author. This role allows for the new user to have control over the post’s publication status, which may be important if you want to resurrect these posts later.
You can also batch edit all the posts for the soon-to-be-deleted user, setting their status to draft, if you want to remove the posts from public view but aren’t sure you want them deleted outright. Otherwise, if you leave the posts published and assign them to a new author, it will look to visitors like the new user created those posts.
To batch edit the status of all posts by a soon-to-be-deleted user to be drafts:
- In the Dashboard, click Users > All users.
- To the far right of the list is a Posts column, showing the number of posts assigned to that user. Click that number for the user whose posts you want to batch edit.
- You’re taken to a page listing all of the user’s posts.
- Under the Bulk Actions pull-down menu, choose Edit.
- Click the checkbox at the top of the list, to select all posts.
- Click the “Apply” button.
- From the Status pull-down menu, select Draft.
- Click the Update button.
Delete the user
Now that you’ve prepared the user’s posts to survive the user account deletion, you can proceed to delete the user account.
- Select Users > All users.
- Hover over the username you want to delete and click the Delete link that comes up.
- You’re taken to a Delete user page, with two options: Delete user posts or assign posts to a new user.
- Select “Attribute all content to:” and choose the new user name you created as the new author for these posts.
- Click the Confirm Deletion button.
The steps I’ve noted here are to preserve content if you’re not absolutely certain about what should be done with the deleted user’s posts. This protects all that old content, in case you need to someday get it back. It’s much easier to recover a deleted user’s content by assigning it to a “fake” user, and setting the posts’ status to draft, than it is to recover deleted posts from a database or VaultPress backup.
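The same delete-and-reassign procedure can be scripted. The following is an added example, not part of the original article: it assumes WP-CLI is installed and run from the WordPress root, and the function name, logins and email address are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): delete a departed user with WP-CLI
# while keeping their posts as drafts under a placeholder Author account.

offboard_delete() {
    departing=$1
    placeholder=$2
    placeholder_email=$3

    # Resolve the departing account first; stop if it does not exist.
    old_id=$(wp user get "$departing" --field=ID) || {
        echo "no such user: $departing" >&2; return 1; }

    # Reuse the placeholder if it exists, otherwise create it as an Author.
    new_id=$(wp user get "$placeholder" --field=ID 2>/dev/null) ||
        new_id=$(wp user create "$placeholder" "$placeholder_email" \
            --role=author --porcelain) || return 1

    # Never reassign content to the account that is about to be deleted.
    [ "$old_id" != "$new_id" ] || {
        echo "placeholder and departing user are the same account" >&2
        return 1; }

    # Take the user's published posts out of public view.
    ids=$(wp post list --author="$old_id" --post_type=post \
        --post_status=publish --format=ids) || return 1
    if [ -n "$ids" ]; then
        # $ids is a space-separated ID list, so word splitting is intended.
        wp post update $ids --post_status=draft || return 1
    fi

    # Delete the account and attribute all of its content to the placeholder.
    wp user delete "$old_id" --reassign="$new_id" --yes
}

# Runs only when three arguments are given, for example (constructed values):
#   sh offboard-delete.sh jdoe former-staff former-staff@example.org
if [ "$#" -eq 3 ]; then
    offboard_delete "$@"
fi
```

The script stops before deleting anything if the departing login is unknown or if the placeholder resolves to the same account.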
Retaining the user account
In some cases, you really want to retain the user account even after someone has left your organization.
This is especially true of admin accounts, since they’ve probably made a number of changes to your site that can be difficult to track and recover if the account is deleted. That’s doubly true if you are running certain plugins that require “looking up” specific users.
It’s also true for any user who has created a substantial amount of content, since reassigning all that stuff can prove problematic, and for sites that organize or promote content around an author rather than a topic.
In those cases, your best bet is to change the email address on the account and generate a new, random password for the user.
That retains the author’s name and profile, but prevents the author from logging in again or requesting a new password. The author won’t know the new random password you create, and provided you change the email address to one the author can’t access, he or she also can’t request a password reset.
Assigning a new email and password
To make these changes:
- Select Users > All users.
- Hover over the username you want to “reset” and click the Edit link that comes up under that name.
- You’re taken to an edit page.
- Under email, enter an email address that at least follows the correct pattern (e.g., firstname.lastname@example.org). It doesn’t need to actually exist, however; this can be a fake email address.
- Under Account Management > New Password, click the Generate Password button. Keep the password that was generated; don’t replace it with one of your own.
- Click the Update User button.
That user account now has a strong password that the person doesn’t know, and no means by which to reset the password, effectively locking her out of the site.
All her content is retained, with the same username and author details originally assigned to the post … except for the email address.
If you need the email address to remain valid, just make sure it’s not an address the departed user can access; otherwise, she can simply request a password reset link and get right back into WordPress.
Finally, if you use an OAuth provider plugin in your WordPress install — that is, a plugin that lets people log in with their Twitter / Facebook / Google / etc. accounts — you’ll want to follow your plugin’s advice for clearing out stored login sessions.
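The email-and-password lockout for a retained account can also be scripted. The following is an added example, not part of the original article: it assumes WP-CLI is installed and run from the WordPress root, and the function name, login and email address are hypothetical. It also ends the account's WordPress login sessions, which goes one step beyond the Dashboard procedure above and does not touch anything stored by a third-party login plugin.

```shell
#!/bin/sh
# Added example (not from the article): lock a departed user out with WP-CLI
# while keeping the account, author name and content in place.

lock_out_user() {
    login=$1
    new_email=$2

    user_id=$(wp user get "$login" --field=ID) || {
        echo "no such user: $login" >&2; return 1; }

    # The lockout only works if the address actually changes.
    old_email=$(wp user get "$user_id" --field=user_email) || return 1
    [ "$old_email" != "$new_email" ] || {
        echo "new email must differ from the current one" >&2; return 1; }

    # Change the address first so nothing sent later reaches the old mailbox.
    wp user update "$user_id" --user_email="$new_email" --skip-email || return 1

    # Let WordPress generate a random password; it is never printed or mailed.
    wp user reset-password "$user_id" --skip-email || return 1

    # End every WordPress login session still open for this account.
    wp user session destroy "$user_id" --all || return 1

    # Confirm the stored address really changed before reporting success.
    [ "$(wp user get "$user_id" --field=user_email)" = "$new_email" ]
}

# Runs only when two arguments are given, for example (constructed values):
#   sh lock-out.sh jdoe former.jdoe@example.org
if [ "$#" -eq 2 ]; then
    lock_out_user "$@"
fi
```

Using `wp user reset-password` rather than passing `--user_pass` keeps the new password out of shell history and the process list.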