Deleting WordPress Users, Carefully

This is a quick article, based on an incident that happened last week to a client of mine.

So you’re looking out for your website, and want to delete any old WordPress users from the site that no longer need access. This is a good thing, and you deserve a cookie. This type of thinking can save you headaches further down the road with security.

There is a small downside. Despite your best intentions, you can very easily cause a bigger headache than you anticipated. It is hard to blame WordPress for user error, but in this case, I can see why someone would assume deleting a user is ok.

So you start going through the process of deleting a user in WordPress. You notice the user has 0 Posts. That looks like even less reason to keep this user if they no longer need access.

As you delete the user, you have the option to “Delete All Content” or “Attribute All Content to [Another User]”. Remembering that the user had 0 posts, you assume it is ok to simply delete all content from that user.

 

[Screenshot: Deleting a WordPress User]

 

The problem with what just happened is that while the user had 0 posts, they may have created pages, uploaded media, saved revisions of other posts, and more. All of that data can be removed if it isn’t attributed to another user. On top of losing that information, it can affect how your website is displayed. If Pages are removed, navigation can break. If media uploads are removed, older articles may have broken image links in them.

The worst part is that this may not even be noticeable soon after you delete the user. If the user you’ve deleted is someone who hasn’t uploaded images in some time, it is unlikely you’d find the broken images in time to grab a backup and reverse the damage.

The good news is that we had backups taken before this happened, and one of the site authors noticed some broken images early enough that rolling back wasn’t a big issue.

The simple moral of this story is, don’t delete users without attributing their content to another user, unless you’re sure there is nothing that they have added.
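One way to check what a user actually owns before deleting them, as an added example that is not part of the original article: these read-only queries assume MySQL or MariaDB, the default `wp_` table prefix, and a constructed user ID of 42.

```sql
-- Assumptions (not from the article): default table prefix wp_,
-- MySQL/MariaDB syntax, and a constructed user ID.
SET @user_id = 42;

-- 1. Everything this user owns, broken down by content type and status.
--    Pages, media uploads (attachment) and revisions all live in wp_posts
--    alongside ordinary posts, keyed by post_author.
SELECT post_type,
       post_status,
       COUNT(*) AS items
FROM wp_posts
WHERE post_author = @user_id
GROUP BY post_type, post_status
ORDER BY items DESC;

-- 2. Overview of every account that owns something other than posts,
--    including accounts that own no posts at all.
--    In MySQL a comparison evaluates to 1/0, so SUM() counts matching rows;
--    COALESCE turns the NULL from a user with no rows into 0.
SELECT u.ID,
       u.user_login,
       COALESCE(SUM(p.post_type = 'post'), 0)       AS posts,
       COALESCE(SUM(p.post_type = 'page'), 0)       AS pages,
       COALESCE(SUM(p.post_type = 'attachment'), 0) AS media,
       COALESCE(SUM(p.post_type = 'revision'), 0)   AS revisions,
       COALESCE(SUM(p.post_type NOT IN
                    ('post', 'page', 'attachment', 'revision')), 0) AS other
FROM wp_users u
LEFT JOIN wp_posts p ON p.post_author = u.ID
GROUP BY u.ID, u.user_login
HAVING pages + media + revisions + other > 0
ORDER BY u.ID;
```

If either query returns rows for the account you are about to remove, choose “Attribute All Content to [Another User]” rather than “Delete All Content”.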