Most WordPress security advice revolves around WAFs, login page obfuscation and security plugins. Meanwhile, a significant risk sits quietly in the Users tab, and most developers never think to look.
When you take over a WordPress site for a new client, a user audit should be the first thing on your list.
Do it on any takeover and you’ll start to notice a pattern…
- Admin accounts belonging to people who no longer work there.
- A dev@ account with a password nobody’s touched since 2019.
- A plugin author’s support account that was never removed after they fixed something a couple of years ago.
- A plain subscriber who somehow ended up with an Administrator role that nobody can explain.
- Former employees and contractors who fixed one thing and disappeared.
- Third-party authors who were given temporary access and never asked to leave.
The site moved on. The accounts didn’t.
Why this goes unnoticed
User hygiene doesn’t make it onto most security checklists because it’s not a technical vulnerability.
There’s no CVE for “ex-employee still has the keys.” No scanner flags it. No plugin monitors it by default.
It just requires someone to sit down, look at the list and ask: does this person still work here?
The answer, more often than you’d expect, is no.
Or nobody can remember, which amounts to the same thing.
Security hardening guides have trained developers to think about perimeter defences. But a dormant account with a weak password and full admin rights skips straight past all of that.
A 30-minute fix that catches more than most hardening checklists
Export the user list and go through it with the client
Sort by role. Ask the client to put a name to every administrator and editor. Anyone they can’t identify gets demoted to subscriber, not deleted: deleting a WordPress user forces you to delete or reassign their content, and you want the account record and the audit trail intact. A demoted account that suddenly logs in again is useful information in its own right.
Force a password reset on everyone who remains
Even accounts the client can vouch for. Password hygiene degrades over time and a clean reset at handover sets a clear baseline from day one. While you’re in each remaining profile, check the Application Passwords section (WordPress 5.6 and later) and revoke any the client can’t account for: they are separate credentials for the REST API and are not rotated by a password reset.
Kill all active sessions
WordPress lets you end a user’s active sessions from their profile screen (the Log Out Everywhere button under Sessions). Do it for every account, not just the ones you demoted: anyone who was logged in and shouldn’t be is now out. If you’d rather not click through each profile, rotating the keys and salts in wp-config.php invalidates every login cookie on the site in one go, yours included.
Set up login logging
A basic activity logging plugin takes five minutes to configure and gives you a clear record of who’s accessing the site going forward: logins, failed logins and role changes. WordPress core keeps no last-login time at all, so without this there is nothing to check against next time. It makes every future audit much quicker.
No specialist tools, no complex configuration. Just a clear-eyed look at who actually has access to the site you’ve been trusted to look after.
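The four steps above as one dry-run script, an added example that is not part of the original post. It reads the kind of export `wp user list --format=csv --fields=ID,user_login,user_email,roles,user_registered` produces, prints the review list for the client, then prints (rather than runs) the WP-CLI commands for demotion, password resets and session revocation so the plan can be checked before it touches the site. The SAMPLE_USERS data is constructed, the IDs passed to remediation_plan stand in for the accounts the client could not name, and the script assumes each account holds a single role (the WordPress default) so no CSV field is quoted.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: a dry-run user audit over a WP-CLI export.
# Assumes the export came from:
#   wp user list --format=csv --fields=ID,user_login,user_email,roles,user_registered
# and that every account holds a single role, so no field is quoted.
set -eu

# Constructed sample export for illustration (not real data).
SAMPLE_USERS='ID,user_login,user_email,roles,user_registered
1,owner,owner@example.com,administrator,2016-05-11 09:12:00
7,dev,dev@example.com,administrator,2019-02-20 14:03:00
12,jsmith,jsmith@example.com,editor,2020-08-01 11:45:00
19,pluginsupport,support@example.net,administrator,2021-11-09 16:30:00
23,reader,reader@example.org,subscriber,2022-01-15 08:00:00'

# Step 1: the review list. Print every administrator or editor, oldest
# registration first, so the client can put a name to each one.
privileged_accounts() {
  printf '%s\n' "$1" \
    | awk -F, 'NR > 1 && ($4 == "administrator" || $4 == "editor") { print $0 }' \
    | sort -t, -k5
}

# Steps 2-4: given the export and the IDs the client could not vouch for,
# emit the WP-CLI commands in order: demote the unidentified accounts (never
# delete), reset every account's password, then destroy every session.
# Printed rather than executed so the plan can be reviewed first.
remediation_plan() {
  users=$1; shift
  demote=" $* "   # space-delimited so " 7 " cannot match ID 17
  printf '%s\n' "$users" | while IFS=, read -r id login _email role _registered; do
    [ "$id" = "ID" ] && continue   # skip the CSV header
    case "$demote" in
      *" $id "*) echo "wp user update $id --role=subscriber   # unidentified: $login ($role)" ;;
    esac
    echo "wp user reset-password $id --skip-email"
    echo "wp user session destroy $id --all"
  done
}

# Stand-alone run: show the review list, then the plan for two hypothetical
# accounts (IDs 7 and 19) the client could not identify.
privileged_accounts "$SAMPLE_USERS"
echo '---'
remediation_plan "$SAMPLE_USERS" 7 19
```

Pipe the printed plan into `sh` once the client has signed off on the list. If you would rather not destroy sessions account by account, `wp config shuffle-salts` rotates the keys and salts in wp-config.php and logs everyone out at once.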
The underlying problem
WordPress makes it genuinely easy to grant access and easy to forget you’ve done it. There’s no expiry on user accounts, no nudge to review permissions, and core doesn’t even record when an account last logged in, so nothing warns you that an administrator hasn’t signed in for 18 months.
The responsibility falls entirely on whoever manages the site. In a handover situation, that means it often falls through the gap completely.
It’s also one of the easier conversations to have with a client. Former staff with full admin rights is a risk that lands immediately, even for people with no technical background. And fixing it costs less than an hour.
Sort the users. Ask the questions. Change the passwords. It’s not glamorous, but it’s where the real exposure tends to live.
