This past week I learned a valuable lesson about security when I had to delete a WordPress user. Here’s what happened.

Through my security monitoring plugin, I was alerted that someone had unsuccessfully attempted to log in to one of the websites I maintain. Not a big deal, really. If you have a WordPress website, you should know that hackers spend their programming energy trying to discover Administrator usernames and passwords. There are many reasons why someone might hack your website.

But this one was different. Someone had discovered my somewhat obscure username and tried to guess the password (a brute force attempt). Rather than let them continue to guess, I decided it was time to change the username and try to slow down the login attempts.

To delete a WordPress user, the process is actually quite simple. I’ve done it many times.

  1. From the Dashboard, select Users, then click the Delete link that appears when you hover over the User name (if you’re using a tablet or smartphone, the “Edit | Delete” options are always available – no need to hover!).
  2. When you click or tap Delete, you will be given the option to delete all content that specific User has ever posted on the website, or assign all that content to another User.

Here’s where you want to be careful.

If the User is someone you know and (mostly) trust, you should select the “Attribute all content to:” option and assign all content to another User. In my case, the User I was deleting was me, so I should have selected my new Admin User and attributed all the content of the old Admin User to the new one.

Instead, I clicked the option to delete all content. Yep, all the content I had added to the site: posts, images, the works.

If you’ve been through this before, you’re probably shaking your head right now. But in my defence, let me explain what happened.

When I received the email alert that someone had attempted to log in with my username, I was right in the middle of an intense project. I had also been experiencing a series of brute force login attempts on three other sites and I was closely monitoring those. On top of that, there was news in the WordPress community of a new large-scale brute force attack.

So maybe I panicked. Maybe I was unfocused. Basically, I was too hasty and right after I clicked the “Delete all content” option, I tried to cancel that request, but it was too late. And there’s no “Undo” button.

Fortunately, no major harm done since I had a recent backup. But like I said, I was in the middle of another project deadline and even an extra 30 minutes set me back.

Bottom line: If you need to delete a WordPress User and you know who it is, attribute the content to another User you trust. If you want to delete a WordPress User you suspect has added content you do not want, feel free to delete all content.
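The same deletion can be done from the command line with WP-CLI in a way that cannot skip the reassignment step. The wrapper below is an added example, not part of the original post; it assumes WP-CLI is installed and run from the WordPress root, and `safe_delete_user` and the logins in the usage comment are hypothetical names.

```shell
# Added example: delete a WordPress user with WP-CLI, always reassigning content.
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.
# safe_delete_user is a hypothetical helper name, not part of WP-CLI.
safe_delete_user() {
    old_login="$1"   # user being removed
    new_login="$2"   # trusted user who inherits the content

    if [ -z "$old_login" ] || [ -z "$new_login" ]; then
        echo "usage: safe_delete_user <old-login> <new-login>" >&2
        return 2
    fi
    if [ "$old_login" = "$new_login" ]; then
        echo "refusing: old and new user are the same" >&2
        return 2
    fi

    # Both accounts must exist; --reassign takes a numeric user ID.
    old_id="$(wp user get "$old_login" --field=ID 2>/dev/null)" || old_id=""
    new_id="$(wp user get "$new_login" --field=ID 2>/dev/null)" || new_id=""
    if [ -z "$old_id" ] || [ -z "$new_id" ]; then
        echo "refusing: could not resolve both users" >&2
        return 3
    fi

    # Show how much content is at stake before touching anything.
    count="$(wp post list --author="$old_id" --post_type=any \
        --post_status=any --format=count)"
    echo "$old_login owns $count item(s); reassigning to $new_login (ID $new_id)"

    # There is no undo, so take a database export first and stop if it fails.
    backup="pre-delete-$old_login-$(date +%Y%m%d-%H%M%S).sql"
    wp db export "$backup" || { echo "backup failed, aborting" >&2; return 4; }

    # Equivalent of choosing "Attribute all content to:" in the dashboard.
    wp user delete "$old_login" --reassign="$new_id" --yes
}

# Usage (constructed logins): safe_delete_user oldadmin newadmin
```

The export covers the database only; media files under `wp-content/uploads` need a separate file backup.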

About Steady Digital

We provide a WordPress maintenance plan to ease concerns like:

  • Is my website performing at peak performance so visitors get the best experience possible?
  • Do I have regular backups of my website in case something happens to my web server?
  • What if my website gets hacked?
  • How can I get up-to-date, professional training so I can use my website better?
  • Who can I trust to do the updates that are beyond my technical or creative abilities?

Tired of trying to maintain your own website? A WordPress maintenance plan might be the solution for you.
