How To Block Or Disable WordPress User Accounts
One nice feature of content management systems and WordPress in particular is the ability to maintain multiple user and admin accounts on a website. Sometimes, you may find it necessary to deny a certain user access to their account for different reasons.
This article discusses the options available to you and explains the pros and cons of each of them.
Assuming one of the contributors on your WordPress website quits or is fired, it may not be a good idea maintaining their usual privileges on your site, especially if their departure wasn’t on a good note.
What Are Your Options?
First, we’ll be taking a look at the different non-plugin solutions you have to lock the person out of your site. Then the final option will provide a detailed discussion of how to block or disable WordPress user accounts using a plugin. So, if you just want to see the plugin option, you can skip straight to the last option below.
Option #1: Delete The Account
The first thing that may come to your mind is to delete the user’s account. But wait! What happens to all the pages and posts that the user created? When you try to delete a user in WordPress, you are forced to choose what you want to do with the content in that user’s name. You could either delete the content (which I’m sure you don’t want to do), or reassign the content to another user of your choice.
To be honest, I don’t think the above out-of-the-box WordPress choices are particularly great. Here are what I consider pros and cons of this approach:
When you delete a user, they are completely locked out. They cannot gain access to admin areas of your site anymore. When they try to login, they will get an error message.
Deleting the user’s content is a big no no. But even reassigning the content to another author (or an admin user) has its issues as well.
- You may not want to go through all the stress.
- It may be time consuming, depending on how much content the user has created.
- In addition, and this is IMPORTANT, it messes up your data. For historical, logging, and/or audit purposes, it may be advisable to preserve the information about original authors of your website content. Depending on the size of your business, this may even be required by law (this is often the case with SharePoint users in large bureaucratic enterprises). If your organization is legally required to keep audit logs, then, reassigning the user’s content to someone else should not even be considered.
Option #2: Make The User An Ordinary Subscriber
WordPress comes with a very basic role called “Subscriber”. When you change a user to this role, you effectively strip them of almost all rights on your website. They won’t be able to create or edit posts anymore.
However, they can still log in. And they can still change their display name if they want to. So, a disgruntled user could change their display name to something not very nice and this will appear on all the posts they have written. Of course, this still depends on whether your theme displays author names on each post. But since most themes do, just reducing a user to a subscriber may not be such a great idea.
Option #3: Change The User’s Email Address And Password
This option works pretty fine. They have no idea what the new password and email address are. So, they’re completely locked out. They won’t get a notification telling them of the changes. They’re kept in the dark.
Though this looks like a great solution, you may want to exercise some caution using this method. Be sure you don’t forget to change both the email address and the password. If you only change the password, the user could just enter their email next time and use the “forgot password” feature of WordPress to reset their password and get back in.
It solves the problem.
No major cons. However, it is a bit inflexible. What if you only want to temporarily disable the user and not permanently lock them out? You would need change the email address (and maybe the password) again and then notify the user. When you’re dealing with lots of users, that process could quickly become a lot of work.
The plugin method discussed below offers one-click flexibility of disabling and re-enabling users.
Option #4: Change The User’s Role To “No Role For This Site”
WordPress also has a role named “No Role For This Site”.
Setting the user’s account to that role locks the person out of all administrative pages, and when they try to access admin pages, they will be shown a message saying: Sorry, you are not allowed to access this page.
The user is locked out and can’t do anything requiring admin access levels. The “No Role For This Site” role was specifically designed for scenarios like when a user needs to be removed from a site while still maintaining their author bylines and content information. This is a solid option to consider and is arguably the best non-plugin option there is.
Among all the options discussed here (both plugin and non-plugin), this is my personal favorite.
Technically speaking, the user can still login. So, if there’s any WordPress vulnerability that can be exploited when a user is logged in and if the user possesses the requisite technical expertise to execute such an attack, your site may be compromised. But I think, the probability of such an occurrence is relatively far-fetched.
Option #5: Use The “User Blocker” Plugin
So far, we’ve discussed built-in (non-plugin) WordPress solutions to disabling a user’s account. Now, let’s discuss the options offered by the User Blocker plugin.
To begin, you can install and activate it from your WordPress dashboard, or do it manually by downloading it from the WordPress plugins repository and uploading to your website.
After activating the plugin, you’ll be asked to opt in for anonymous data collection to improve the plugin. I hate those. But that is your choice.
The plugin will add a new “User Blocker” menu item to your WordPress admin. This will take you to the plugin’s settings page which is divided into three tabs. We’ll discuss the options on these tabs next.
Block User By Time
This feature allows you to block a user or users for a specified time period on any day. In the screenshot below, you’ll see a list of all registered users (except the admin account).
So, you simply select the user(s) you intend to block, then set when you want them to be blocked, press the “Block User” button and they’ll be blocked for that period on the selected day(s).
You can use the default drop downs that pop up in the time boxes in the “Block Time” section to choose the time intervals in 15 minutes increments. Or you can manually type in the exact hours and minutes to be used in the time range user block.
Block User By Date
With this option, you can block a user for an extended period of time. Simply select a user you want to block, then click the “From” field and a calendar will pop up (like the one shown in the screenshot below).
Select the day and time from which you want the blocking to take effect. Then, click the “To” field and use the calendar that pops up to select the day and time the blocking ends.
Block User Permanently
This feature allows an admin to block a user permanently. Looking at the screenshot below, you’ll notice two users, one blocked, as signified by the red status and the other still having access.
When the blocked user tries logging in, they will get the default message set by the plugin if the admin did not set a custom message using the “Block Message” textarea. The message is displayed at the top of the WordPress login form as shown in the screenshot below.
Important Note: To keep the users blocked, you must keep the plugin activated. If you deactivate the plugin, all blocked users will be automatically unblocked, and they will immediately have access again.
To unblock a user, navigate to User Blocker >> Blocked User List on the admin sidebar of your WordPress dashboard.
You will be taken to another page with four tabs namely, “Blocked User List By Time”, “Blocked User List By Date”, “Blocked User List Permanently” and “Blocked User List”.
The first three tabs contain lists of users in a specific category as indicated by the name of the tab under which they fall. The last tab contains a list of all blocked users and differentiated by icons and messages.
Hovering over any of the rows reveals a “Reset” link that when clicked, unblocks the user’s account.
That’s pretty much everything about how to use the User Blocker plugin. It is worth mentioning that this plugin allows you to block multiple users at once based on their roles. So you can block all editors, all contributors, or all authors at the same time. Just use the “Select Role” drop down.
I discuss the pros and cons of working with this plugin in the final section below.
All the solutions discussed here have their advantages and disadvantages. Some are quite secure, but offer limited flexibility. At first, the plugin solution may seem to offer a lot more flexibility than any of the non-plugin options. It keeps unwanted users out for as long as you wish, and with a few clicks, you can bring them back on board.
However, if you mistakenly deactivate the plugin, all blocked users are back on board. So, I would still advice that you use the plugin with caution and only when the out-of-the-box WordPress options just won’t cut it for your work.
In addition, the User Blocker plugin does not remove blocked users from admin drop downs. So if you’re assigning posts to different contributors, blocked users will continue to appear in the users list. This could easily become confusing since you would have to remember which users are blocked and which ones aren’t. The “No Role For This Site” option does not have this problem. When a user is given the “No Role For This Site” role, they no longer appear in user drop downs. This is another reason why I prefer the “No Role For This Site” option.
Besides the above, I also have a few personal issues with the general plugin coding: UI/UX stuff for the most part. Nothing major. But I must confess that the little issues I noticed certainly influenced my overall opinion. For what it does however, I don’t think there is a better plugin at this time.
Overall, my two personal favorite options for disabling WordPress users are:
- The “No Role For This Site” option
- Changing the user’s email address and password
In that order of preference.
Which solution would you use to block or disable WordPress user accounts on your website? Please share via the comments section below.