Old or unused admin accounts remain active and become targets for attackers.
Inactive Admin Accounts Left Enabled
Key Points: Forgotten admin accounts are open doors — especially when passwords aren’t updated.
A former developer, a marketing intern, your cousin from 2020… Their admin accounts still exist? That’s a liability. Hackers love old logins because no one’s watching them.
🧨 Common Risks
- Accounts with weak or outdated credentials
- No 2FA on old admins
- Zombie users whose actions are hard to trace
🛠️ What to Do
- Regularly audit user accounts in the dashboard
- Remove any admin that hasn’t logged in within 30–60 days (if not needed)
- Set user expirations or disable logins with plugins like “Inactive Logout”
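
The audit steps above can be scripted against a user export, shown here as an added example that is not code from this page or from any plugin. The CSV columns (`login`, `role`, `last_login`, `two_factor`), the account names and the dates are constructed assumptions; map them to whatever your site actually records.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; the column names are assumptions, not a real dashboard format.
SAMPLE_EXPORT = """login,role,last_login,two_factor
site_owner,administrator,2024-05-28,yes
former_dev,administrator,2023-11-02,no
intern_2020,administrator,,no
agency_support,administrator,2024-04-10,yes
editor_anna,editor,2023-01-15,no
"""

def stale_admins(export_text, today, max_idle_days=60, role="administrator"):
    """Return admin accounts idle longer than max_idle_days, most idle first.

    An empty last_login means no login was ever recorded; such accounts are
    always flagged because their inactivity cannot be bounded.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["role"].strip().lower() != role:
            continue  # only admin-level accounts are in scope for this audit
        raw = row["last_login"].strip()
        idle = None if not raw else (today - datetime.strptime(raw, "%Y-%m-%d").date()).days
        if idle is not None and idle <= max_idle_days:
            continue  # recently active, leave alone
        findings.append({
            "login": row["login"],
            "idle_days": idle,  # None = never logged in
            "no_2fa": row["two_factor"].strip().lower() != "yes",
        })
    # Never-logged-in accounts sort first, then longest idle time.
    findings.sort(key=lambda f: (f["idle_days"] is not None, -(f["idle_days"] or 0)))
    return findings

if __name__ == "__main__":
    for f in stale_admins(SAMPLE_EXPORT, today=date(2024, 6, 1)):
        idle = "never logged in" if f["idle_days"] is None else f"idle {f['idle_days']} days"
        flag = " (no 2FA)" if f["no_2fa"] else ""
        print(f"REVIEW {f['login']}: {idle}{flag}")
```

Treat the output as a review list rather than a delete list: the "if not needed" check in the step above still has to be made by a person.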
🔍 Tip
Every extra admin is an extra attack surface. Clean house often.