What is the dormant users policy for WordPress and how does it work?

What is the dormant WordPress users policy?

When this policy is enabled, WordPress users who do not change their password within 30 days of its expiry are marked as dormant and are disabled. Dormant users cannot log in until the site administrator resets their account and they reset their password.

Why do you need this policy on your website?

This policy is a valuable security feature because neglected user accounts very often become an easy point of entry for malicious hackers, so it is safer to lock them. When a dormant WordPress user tries to log in to the website, they get a notification advising them to contact the website's administrators.

List of dormant users on a WordPress website

How can you enable the dormant users policy on your WordPress website?

To enable the dormant users policy, first enable the password expiry policy. Then tick the setting Disable dormant user accounts, as highlighted in the screenshot below.

Enabling the dormant users policy

The dormant users feature depends on the password expiry policy because it uses the date on which a password expires to determine whether a user is dormant.

How does the dormant users policy work?

When users do not reset their expired password within 30 days, they are marked as dormant users. Dormant users are not allowed to log in to the website until the site administrator resets their user account. Should they try to log in, they get a notification that their account is locked, as shown in the screenshot below.

Dormant user login page notification

You can see the list of dormant users and reset them from the Locked Users tab in the Password Policies menu entry.

How to unlock dormant WordPress users (so they can log in to the website)

You can unlock dormant WordPress users by clicking the Unlock button next to the user in the list of dormant users.

Unlocking dormant users on WordPress

When a WordPress user account is reset, an email with instructions on how to reset the password is sent to the user. The user then has another 30 days to change the password. If the user fails to change the password within those 30 days, the account is marked as dormant again.
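The rule described under "How does the dormant users policy work?" and the reset cycle above can be modelled in a short audit script. This is an added example, not the plugin's own code: the record fields (`expired_at`, `changed_at`, `reset_at`), the state names and the sample users are constructed for illustration, and treating exactly 30 days as still inside the window is an assumption.

```python
from datetime import datetime, timedelta

# The page says "within 30 days"; exact boundary handling is an assumption.
GRACE = timedelta(days=30)


def account_state(now, expired_at=None, changed_at=None, reset_at=None):
    """Classify one account as 'active', 'expired' or 'dormant'.

    expired_at -- when the current password expired (None: no expiry yet)
    changed_at -- when the user last changed the password, if ever
    reset_at   -- when an administrator last unlocked (reset) the account
    """
    if expired_at is None or now < expired_at:
        return "active"
    # A password change made after expiry clears the expired state.
    if changed_at is not None and changed_at >= expired_at:
        return "active"
    # An administrator reset after expiry restarts the 30-day window.
    window_start = expired_at
    if reset_at is not None and reset_at > expired_at:
        window_start = reset_at
    return "dormant" if now - window_start > GRACE else "expired"


def audit(users, now):
    """Return {login: state} for a list of exported user records."""
    return {
        u["login"]: account_state(
            now, u.get("expired_at"), u.get("changed_at"), u.get("reset_at")
        )
        for u in users
    }


# Constructed sample data, evaluated as of 1 June 2024.
NOW = datetime(2024, 6, 1)
USERS = [
    {"login": "alice", "expired_at": datetime(2024, 7, 1)},
    {"login": "bob", "expired_at": datetime(2024, 5, 20)},
    {"login": "carol", "expired_at": datetime(2024, 4, 1)},
    {"login": "dave", "expired_at": datetime(2024, 4, 1),
     "reset_at": datetime(2024, 5, 25)},   # unlocked 7 days ago
    {"login": "erin", "expired_at": datetime(2024, 3, 1),
     "reset_at": datetime(2024, 4, 10)},   # unlocked, never changed password
    {"login": "frank", "expired_at": datetime(2024, 4, 1),
     "changed_at": datetime(2024, 4, 15)},
]

if __name__ == "__main__":
    for login, state in audit(USERS, NOW).items():
        print(f"{login:6} {state}")
```

Accounts reported as `expired` are the ones to watch: they are still inside the 30-day window and will become dormant if the password is not changed.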