
Inactive Users

Users with login access can play an important role in maintaining the security of a WordPress site by following security best practices. Following these practices becomes more important the greater the capabilities of a user’s role.

As user accounts are created for a site, the site Administrator should follow the principle of least privilege by assigning a user’s level of access to only what is necessary for their role. The level of access needed for each user can change over time, and an Administrator needs to stay informed of users that might need a lower level of access or could be removed from the site entirely.

The Inactive Users module in the WordPress Security Controls panel can assist with this process by monitoring user accounts that have not performed actions that require authentication to a site over a set period of time. These actions can include accessing the WordPress Admin dashboard with login credentials or accessing the front end of the site as a logged-in user.

Limitations

  • Settings are per-environment. For WordPress multisite environments, different settings cannot be applied per-network site.
  • If the remove_all_filters() function exists in application code, WordPress Security Controls will not work as expected. 

Access

Prerequisite

To access and manage settings for Inactive Users in the WordPress Security Controls panel, a user must have an App write role for an application or an Org admin role.

To access settings for Inactive Users in the WordPress Security Controls panel in the VIP Dashboard:

  1. Navigate to the VIP Dashboard for an application.
  2. Select an environment from the dropdown located at the upper left of the dashboard.
  3. Select “Security Controls” from the sidebar navigation at the left of the screen.
  4. Select “WordPress” from the navigation submenu.
  5. Select the accordion module titled “Inactive Users”.

Configure

In the Inactive Users module of WordPress Security Controls, configure a set number of days that are acceptable for users to remain inactive before their accounts are flagged or blocked from logging in.

  1. Select one of the inactivity thresholds listed below the label “Inactive User Settings”:
    • Elevated Security: Block users with a role that can create and edit content (i.e. Administrator, Editor, Author) after 45 days of inactivity.
    • Default: Flag users with an Administrator role after 90 days of inactivity.
    • Customize: Configure a custom duration of time in days that users with a specified set of capabilities can remain inactive before their accounts are flagged or blocked.
  2. If “Customize” is selected, settings must be configured for “Inactivity Threshold”, “User Capabilities”, and “Action on Inactive Users”.
    • To configure “Inactivity Threshold”, select the slider component and move the handle to the left to lower the integer value, or move the handle to the right to increase the integer value. An integer value between 14 and 180 can also be entered in the slider input text field.
    • In the list of options labeled “User Capabilities”, select a group of users to apply the Inactive Users configurations based on the capabilities of their role.
    • Select an action from the dropdown menu labeled “Action on Inactive Users”.
      • Flag Inactive User Accounts: Users that exceed the number of days set in the inactivity threshold will be labeled “Inactive User” in the Users screen of the WordPress Admin dashboard. Flagged user accounts are not blocked from logging in to the WordPress site.
      • Block Inactive User Accounts: Users that exceed the number of days set in the inactivity threshold will be labeled “Blocked: Inactive” in the Users screen of the WordPress Admin dashboard. Blocked users are unable to log in to the WordPress site.
  3. If configuring the Inactive Users module for a production environment, optionally toggle the box labeled “Apply these settings to all environments in this application” to apply the selected configurations to all of the application’s environments.
  4. Select the button labeled “Save Changes” to apply the updated setting to the environment.
Example screenshot of users that have exceeded the threshold of inactivity and are labeled “Inactive User”

Unblock a user

A WordPress user who has exceeded the inactivity threshold that is configured in the “Inactive Users” module will be blocked from logging in to a WordPress site if the module is configured to “Block Inactive User Accounts”.

A user on that site who has a role with an edit_users capability (e.g. Administrator or Super Admin) can unblock the affected user and restore their ability to log in.

  1. Navigate to the Users screen of the site’s WordPress Admin dashboard.
  2. Search for the user by username or email.
  3. Hover over the row that displays the affected user’s account information.
  4. In the column labeled “Last seen”, select the linked text “Unblock”.
Example screenshot of the “Unblock” link in the column labeled “Last seen”

All Administrators blocked due to inactivity

Prerequisite

To access and manage settings for Inactive Users in the WordPress Security Controls panel, a user must have an App write role for an application or an Org admin role.

It is possible for all Administrators on a WordPress site to be blocked from logging in due to exceeding the number of days configured for the inactivity threshold in the Inactive Users module. To temporarily restore the ability for an Administrator to log in:

  1. Navigate to the VIP Dashboard for an application.
  2. Select an environment from the dropdown located at the upper left of the dashboard.
  3. Select “Security Controls” from the sidebar navigation at the left of the screen.
  4. Select “WordPress” from the navigation submenu.
  5. Select the accordion module titled “Inactive Users”.
  6. In the section labeled “Inactive User Settings”, select the option labeled “Customize”.
  7. Select the action labeled “Flag Inactive User Accounts” from the dropdown menu labeled “Action on Inactive Users”.
  8. Select the button labeled “Save Changes” to apply the updated setting to the environment.

After at least one Administrator has successfully logged in to the WordPress site, it is recommended to reset the configuration in the Inactive Users module back to “Block Inactive User Accounts”.
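
A pre-flight check for the lockout case above, as an added example that is not VIP’s own code: it models the presets and the “Customize” range described on this page and reports which accounts a policy would affect and whether every Administrator would be blocked. The CSV column names, the sample accounts, the use of role names in place of the “User Capabilities” groups, and the function names are assumptions.

```python
import csv
import io
from datetime import date

# Presets as described on this page: (threshold in days, affected roles, action).
PRESETS = {
    "elevated": (45, {"administrator", "editor", "author"}, "block"),
    "default": (90, {"administrator"}, "flag"),
}

def custom_policy(days, roles, action):
    """Build a 'Customize' policy; the page allows 14 to 180 days."""
    if not 14 <= days <= 180:
        raise ValueError("inactivity threshold must be between 14 and 180 days")
    if action not in ("flag", "block"):
        raise ValueError("action must be 'flag' or 'block'")
    return (days, {r.lower() for r in roles}, action)

def simulate(users_csv, policy, today):
    """Return (affected logins, action, all_admins_blocked) for a user export."""
    days, roles, action = policy
    affected, admins, admins_hit = [], 0, 0
    for row in csv.DictReader(io.StringIO(users_csv)):
        role = row["role"].strip().lower()
        idle = (today - date.fromisoformat(row["last_seen"])).days
        # Assumption from the page's wording: only accounts that *exceed*
        # the threshold are affected, so the comparison is strict.
        hit = role in roles and idle > days
        if role == "administrator":
            admins += 1
            admins_hit += hit
        if hit:
            affected.append(row["login"])
    # Lockout: the action is "block" and no Administrator remains able to log in.
    lockout = action == "block" and admins > 0 and admins_hit == admins
    return affected, action, lockout

# Constructed sample export (hypothetical column names and accounts).
SAMPLE = """login,role,last_seen
alice,administrator,2025-08-01
bob,administrator,2025-09-20
carol,editor,2025-11-25
dave,author,2025-10-01
erin,subscriber,2024-01-01
"""

if __name__ == "__main__":
    for name, policy in PRESETS.items():
        print(name, simulate(SAMPLE, policy, date(2025, 12, 1)))
```

If the third value is true for a policy, confirm that at least one Administrator has logged in recently before saving that policy with the block action.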

Last updated: December 01, 2025

Relevant to

  • WordPress