What is the inactive users policy for WordPress and how does it work?
What is the inactive WordPress users policy?
When enabled, the plugin checks for users who have been inactive for a specific number of days. The plugin checks when did every user last login or logout from the website, which are signs of activity. The number of days to consider a user as inactive is configurable.
Inactive users cannot log in until the site administrator resets their account and they reset the password. This document highlights why you need this important policy and how it works.
Why do you need this policy on your WordPress website?
This policy is a valuable security feature. Very often, neglected user accounts become an easy point of entry on websites for malicious hackers. Hence it is safer to lock them. So when an inactive WordPress user tries to login they get a notification advising them to contact the website’s administrators.
How can you enable the inactive users policy on your WordPress website?
To enable the inactive users policy, simply enable the Inactive Users policy setting in the profile policies. You can also change the number of days that the plugin uses to consider a user as inactive.
As an extra security precaution, we also recommend to enable the setting that requires the inactive user which has just been unlocked to reset the password before logging in. Both these settings are highlighted in the below screenshot.
How does the inactive users policy work?
When users are not active for a pre-determined length of time they are marked as inactive users. Inactivity is determined by how long has it been since the user last logged in to the website. The length of time allowed is 30 days by default, however you can configure this.
Inactive users are not allowed to login to the website before the site administrator resets their user account. Should they try to login, they get a notification that their account is locked, as per the below screenshot.
How to unlock inactive WordPress users (so they can login to the website)
You can unlock inactive WordPress users by clicking the Unlock button next to the user in the list of inactive users.
When a WordPress user account is reset, an email with instructions of how to reset the password is sent to the user. Should the user fail to login and change the password within the configured time the plugin uses to consider a user as inactive, the user account will be marked again as inactive.