May 8, 2019 by Paul G. | Blog, Features, Shield Pro

What to do about Inactive WordPress Accounts

[Update: Shield Security 7.4 with these features is now out!]

Have you ever faced the dilemma of deleting inactive WordPress users from your sites, and wondered what you might break in doing so?

Certain cases call for accounts to be entirely deleted, but sometimes this simply isn’t appropriate.

What if you could just “suspend” unused accounts with the option to reactivate them later?

The problem: unused WordPress accounts represent a risk

Shield Security has had tools in the area of user account management for a long time. These have focused on controlling user sessions, setting timeouts, and restricting account sharing.

This is great for protecting sessions, but what about the user accounts themselves?

Nearly all professional WordPress sites will have users that turn up and then later disappear, perhaps never to return.

These accounts provide a gateway to a deeper level of access to our sites than simple site visitors, and so represent a risk when they’re abandoned.

Ideally they’d be deleted, but sometimes this isn’t practical.

The Case of Retired Authors

Imagine a multi-author blog where you want to keep the individual authors, their work, and their attribution, but the author may no longer be active on the site.

Sure, you can set a super long password and a random email address, but you haven’t actually prevented account access.

What if you could keep the account on your site, but block future logins to that account entirely?

The Case of Authenticated WordPress Vulnerabilities

There are many WordPress vulnerabilities that can only be exploited by authenticated users. Unused and forgotten user accounts across your entire portfolio of WordPress sites are doors to your site that are never quite shut.

What if after a certain length of time, unused accounts become suspended and require a password reset to reactivate? This would help reduce the risk of hijacking unused user accounts.

The Case of Pwned Passwords

Similar to the scenario above, an idle account that used a compromised password several years ago is an omnipresent risk to your site.

As above, what if these users could be automatically suspended without your manual intervention, and reactivated only with a manual password reset?

The Case of Temporary Admins

Oftentimes when we’re delivering support to clients, we’ll ask for temporary admin access to the site. Providing temporary admin access is a common scenario for all of us, and there’s a bit of work in setting up these accounts each time.

What if you could set it up once, then put the account on ice until you need to open up access again?

What options do you have for disabling WordPress user accounts?

Until now, there’s been no way to have a WordPress user account on your site, but have it disabled. It’s either all on, or all off. There’s no in-between.

Your only real option is to delete accounts that are unused.

But as we’ve discussed, this isn’t always the most practical choice. And for sites with huge numbers of users, and where you might have a large portfolio, this is yet another job that you’re unlikely to find the time for.

What you need is a solution that is flexible enough to let you pick accounts to suspend, and one that will automatically work in the background to disable accounts that have gone unused for too long.

Solution: Shield Security User Suspension Feature

Shield Security Pro released a feature that allows administrators to manually and automatically suspend any user account. This feature is available from within the main Config menu > Users > User Suspension.

Shield Security: User Suspension Options

Manual WordPress User Suspension

Any account that is “suspended” by the admin will never be able to log into the site (until they’re unsuspended).

When a suspended user tries to log in, they’ll be told the account is suspended and they’ll be directed to contact the site administrator.

This user experience is preferable to the alternative where the user has no clue and must go through the whole process of logging in, failing, resetting passwords, only to later discover their account information has been permanently removed.

Automatic WordPress User Suspension

While providing the ability to manually suspend users is a great step forward, it’s not a complete solution.

True power comes from having the ability to automatically suspend user accounts based on certain criteria.

More specifically, the criteria we’re providing with Shield are:

  • expired passwords
  • idle account (i.e. no login or password reset for an extended period)
  • custom user role – i.e. you select which user roles are subject to auto-suspension

If a user hasn’t logged in (or reset their password) for, say, 1 year, you might consider that account inactive. Instead of leaving that account open on your site, Shield will automatically suspend it and prompt the user to reset their password (and thereby reactivate their account).
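To make the three criteria concrete, here is a sketch of how such a suspension check can be wired into a WordPress login. It is an added example, not Shield Security's code: the function name, the `ex_*` user-meta keys, the 180-day password age and the role list are all assumptions. The file also runs stand-alone under the PHP CLI on constructed records.

```php
<?php
// Added example, not Shield Security's code. Meta keys, thresholds and roles are assumptions.
const EX_IDLE_DAYS = 365;   // idle threshold: the post's "say, 1 year"
const EX_PASS_DAYS = 180;   // assumed maximum password age
const EX_ROLES = ['administrator', 'editor', 'author']; // roles subject to auto-suspension

// Returns why the account is suspended, or null if the login may proceed.
function ex_suspension_reason(array $roles, int $lastLogin, int $passSet, bool $manual, int $now): ?string {
    if ($manual) return 'manual';                         // only an admin can lift this
    if (!array_intersect($roles, EX_ROLES)) return null;  // role exempt from auto-suspension
    // Idle means neither a login nor a password reset inside the window.
    if ($now - max($lastLogin, $passSet) > EX_IDLE_DAYS * 86400) return 'idle';
    if ($now - $passSet > EX_PASS_DAYS * 86400) return 'password_expired';
    return null;
}

if (function_exists('add_filter')) {   // running inside WordPress
    // Core stores no last-login time, so record logins and password resets in user meta.
    add_action('wp_login', function ($login, $user) {
        update_user_meta($user->ID, 'ex_last_login', time());
    }, 10, 2);
    add_action('after_password_reset', function ($user) {
        update_user_meta($user->ID, 'ex_pass_set', time());
    });
    // Runs before the password is checked; returning a WP_Error refuses the login.
    add_filter('wp_authenticate_user', function ($user) {
        if (is_wp_error($user)) return $user;
        $since  = strtotime($user->user_registered . ' UTC'); // fallback when no meta exists yet
        $login  = (int) get_user_meta($user->ID, 'ex_last_login', true) ?: $since;
        $pass   = (int) get_user_meta($user->ID, 'ex_pass_set', true) ?: $since;
        $manual = (bool) get_user_meta($user->ID, 'ex_suspended', true);
        $why = ex_suspension_reason((array) $user->roles, $login, $pass, $manual, time());
        if ($why === null) return $user;
        $msg = $why === 'manual' ? 'This account is suspended. Please contact the site administrator.'
                                 : 'This account is suspended. Reset your password to reactivate it.';
        return new WP_Error('ex_suspended', $msg);
    });
} else {                               // stand-alone run on constructed sample records
    $now = 1700000000; $d = 86400;
    $cases = [
        ['retired author, untouched 400 days', ['author'], $now - 400 * $d, $now - 400 * $d, false],
        ['same author after a password reset', ['author'], $now - 400 * $d, $now - 1 * $d, false],
        ['active editor, password 200 days old', ['editor'], $now - 2 * $d, $now - 200 * $d, false],
        ['old subscriber, role not selected', ['subscriber'], $now - 900 * $d, $now - 900 * $d, false],
    ];
    foreach ($cases as [$label, $roles, $login, $pass, $manual]) {
        echo $label, ': ', ex_suspension_reason($roles, $login, $pass, $manual, $now) ?? 'active', "\n";
    }
}
```

This filter only gates password logins; sessions that are already open remain valid until they expire or are destroyed.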

When is the suspension feature available?

Shield Security Pro 7.4 was released in mid-June, 2019. If you have any questions about this feature at any time, please let us know in the comments below.
