What is the inactive users policy for WordPress and how does it work?
What is the inactive WordPress users policy?
When enabled, WordPress users who didn’t change their password within 30 days of its expiry are marked as inactive and are disabled. Inactive users cannot log in until the site administrator resets their account and they reset the password.
Why do you need this policy on your website?
This policy is a valuable security feature because neglected user accounts very often become an easy point of entry on websites for malicious hackers. Hence it is safer to lock them. When an inactive WordPress user tries to log in to the website, they get a notification advising them to contact the website’s administrators.
How can you enable the inactive users policy on your WordPress website?
To enable the inactive users policy, first enable the password expiry policy. Then tick the setting Disable inactive user accounts, as highlighted in the below screenshot.
The inactive users feature depends on the password expiry policy because it uses the date on which a password expires to determine whether a user is inactive.
How does the inactive users policy work?
When users do not show any activity (by logging in or out of the site) for a pre-determined length of time, they are marked as Inactive users. The length of time allowed is 30 days by default; however, you can tailor this to suit your needs. Inactive users are not allowed to log in to the website until the site administrator resets their user account. Should they try to log in, they get a notification that their account is locked, as shown in the screenshot below.
You can see the list of inactive users and reset them from the Locked Users tab in the Password Policies menu entry.
How to unlock inactive WordPress users (so they can log in to the website)
You can unlock inactive WordPress users by clicking the Unlock button next to the user in the list of inactive users.
When a WordPress user account is reset, an email with instructions on how to reset the password is sent to the user. The user has another 30 days to change the password. If the user fails to change the password within those 30 days, the account is marked as inactive again.