As a WordPress consultant with over 5 years of experience securing sites, I often get asked about the best ways to restrict user access without fully removing their account. There are a few methods available depending on your specific needs. In this 2023 guide, we’ll explore when blocking users is preferable and walk through how to leverage user roles, plugins, and other tools to disable accounts while retaining profile information and authored content.
Why Disable Users Instead of Deleting Accounts?
Before we dig into the how-to, it‘s important to understand what‘s at stake when deleting accounts and why blocking can be a better interim solution:
- Orphaned content – Any posts written by a deleted user will either be assigned to an admin/other user or just show no author information at all. This breaks attribution and author information.
- Broken links – A deleted user profile means any links or references to that user‘s author page will result in 404 errors or go nowhere.
- Security issues – Brute force attacks often try compromising inactive user accounts first. Keeping disabled accounts reduces this threat vector.
- Data preservation – User profiles often contain website activity logs, comments, forum posts that would be lost completely when deleted.
According to 2022 WordPress security statistics from Wordfence, over 43% of logged threats target user accounts specifically. And inactive users under brute force attacks account for nearly 12% of all security incidents.
Deleting unnecessary accounts is still good practice, but blocking gives you added flexibility when you need to restrict access temporarily or preserve content ownership.
WordPress Access Levels and Roles
Before blocking users, it helps to understand WordPress‘ user role and access scheme including:
- Admin – Full access to all settings and content
- Editor – Edit/publish posts and some admin areas
- Author – Write and manage their own posts
- Contributor – Can write/edit their own posts but not publish
- Subscriber – Very limited access to account settings only
There are also custom roles that plugin developers can leverage for fine-grained control.
By downgrading an account to Subscriber or custom role, you can instantly revoke their admin access while keeping the user profile intact. Now let‘s explore the various methods to block users.
Method 1: Change User Role to Restrict Access
The easiest approach is to change the user‘s role to remove their privileges while keeping the account active.
To do this:
- Log in to your WordPress admin dashboard
- Go to Users > All Users
- Click Edit for the user account you want to block
- Under Role, select either:
- Subscriber – Limited access to frontend of site
- No Role for this Site – Blocks all dashboard access
- Click Update User to save changes
Figure 1 – Changing a user‘s role strips their access but keeps account active
The Subscriber role will let them login but removes their admin privileges. No Role will block their dashboard access entirely, showing an "insufficient permissions" error when trying to access WP-Admin.
This allows you to instantly downgrade troublesome users with a few clicks. Later on, you can update them to reinstate access if needed.
Benefits
- Simple to toggle access restrictions
- Retains all account details
- Preserves authorship attribution
Drawbacks
- Users can still login with Subscriber role
- Have to update users individually
While this works great in a pinch, the limitations mean it‘s not necessarily the most sustainable or scalable approach long-term for sites with many users.
Method 2: Use a Dedicated User Blocking Plugin (Recommended)
For more advanced user blocking capabilities, a dedicated plugin will provide the most options. There are a few good choices here, but I recommend the User Blocker plugin specifically.
User Blocker gives fine-grained control to block users in a variety of ways:
Figure 2 – User Blocker plugin admin dashboard
With User Blocker, you can:
- Block user logins permanently or temporarily
- Set up time-based access rules, e.g. only allow during business hours
- Block by specific username or entire user role
- Customize error message displayed to blocked users
- View current user restrictions from one dashboard
It essentially gives you a powerful toolkit for all user blocking scenarios. And you can toggle settings on and off easily as needed.
Step-by-Step Guide to Block Users with User Blocker
To get started, install and activate the User Blocker plugin on your site. After activating:
- Go to Settings > User Blocker in your WP dashboard
- Select the Block Users tab
- Check the boxes next to each user you want to block or search/select by role
- Enter a Block Message for custom error displayed (optional)
- Click Block User to apply restrictions
You‘ll then see blocked users with an "Activated" label to indicate current restrictions:
Figure 3 – User Blocker showing currently blocked users
To customize time-based access rules, use the By Time tab. Or leverage the By Date option to set specific date ranges of when to allow/block logins.
Benefits
- Block globally or temporary restrictions
- Works for multiple users at once
- Customizable error messages
- Easy to toggle on/off as needed
Drawbacks
- Need to install separate plugin
- Can take some time to configure
For most use cases, I‘d recommend the User Blocker plugin as it provides the greatest flexibility for blocking users while retaining accounts.
Method 3: Limit Login Attempts with Security Plugins
An alternative approach is to use a security plugin focused on limiting login attempts. Example options include:
- Limit Login Attempts Reloaded
- WPS Hide Login
- iThemes Security
The premise here is that these plugins will block users from continually trying admin or login areas after a defined number of failures. The failed logins could indicate a brute force attack or user just repeatedly trying old passwords.
By default, most of these plugins will outright block the source IP address if too many invalid logins are detected in a short time period. However, some do provide options specifically around user-level restrictions too.
For example, iThemes Security allows you to:
- Set maximum invalid login attempts per user
- Choose to disable logins for that user after failures
- Configure custom error messages
So while mainly geared toward intrusion protection, some login limiting plugins can achieve user-specific blocking similar to methods above.
Summary: WordPress User Blocking Options
When you need to restrict user access without deleting their account completely, you have a few good options:
| Method | Pros | Cons |
|---|---|---|
| Change User Role | Simple to adjust Retains account details | Limited blocking restrictions Time consuming for many users |
| User Blocker Plugin | Custom blocking options Temporary or permanent Bulk actions | Extra plugin to install Potential learning curve |
| Login Limiting Plugins | Leverage existing security plugin Blocks brute force attacks | Mainly restricts by IP Limited user-specific options |
Generally, I‘d recommend using a dedicated plugin like User Blocker for the greatest flexibility in keeping accounts active but restricting access as needed both temporarily and long-term.
Hopefully this guide gave you some ideas on how to block WordPress user accounts without resorting to complete deletion. As threats targeting abandoned user profiles continue to rise, having active blocking alternatives helps reduce exposure while preserving data integrity.
Let me know if you have any other questions! I‘m happy to help advise on secure WordPress user management.
