Why Are There Unknown Users in My WordPress Dashboard and How to Remove Them
Discovering unfamiliar user accounts in your WordPress dashboard can be alarming. This is a common security concern, but it's not always a sign of a malicious breach. This guide will help you understand why these users appear and the steps you can take to investigate and remove them safely.
Why Unknown Users Appear
There are several legitimate and illegitimate reasons why an unknown user might appear in your list:
- Spam Registrations: If your site allows open user registration, bots can automatically create accounts. This is a widespread issue, as seen in Thread 19 where a user's site grew from 1,200 to over 9,000 users without corresponding sales.
- Plugin or Theme Creation: Some plugins and themes create their own user accounts for system functions. For example, a WooCommerce-related user or demo accounts for a theme (like 'themedemos' or 'themereviewteam' mentioned in Thread 21) may appear. Deleting these can sometimes break site functionality.
- Legitimate User Error: A real person may have registered with an unexpected username or email address.
- Security Breach: In a worst-case scenario, an attacker could have gained access and created a backdoor user account.
How to Investigate and Remove Unknown Users
Follow these steps to securely handle unknown users.
1. Check Your Registration Settings
The first step is to see if your site is open for anyone to register. Go to your WordPress Dashboard > Settings > General and look for the "Membership" checkbox labeled "Anyone can register." If this is checked and you do not intentionally run a community site, unchecking it will prevent future spam registrations.
2. Identify the User's Role
In your Users list, examine the "Role" of the unknown account. An account with an Administrator role is a significant red flag and should be investigated immediately. Accounts with a Subscriber role are more likely to be spam registrations.
3. Safely Delete the User
If you are certain the user is not required by a theme or plugin, you can delete it. If the user has published content, you will be prompted during deletion to attribute their posts to another user account (like your own admin account).
Warning: As noted in Thread 21, some users are created by themes or plugins. If you delete one and your site breaks (e.g., your homepage disappears), you will know it was a system account. Restore from a backup and seek support from your theme or plugin developer to understand the account's purpose.
For deleting a large number of users at once, consider using a bulk deletion tool like the WP Bulk Delete plugin.
4. Prevent Future Spam Registrations
Simply turning off registrations may not be ideal for sites that need legitimate users. To prevent spam bots from creating accounts, implement additional security measures:
- Use a CAPTCHA: Plugins like Advanced noCaptcha & invisible Captcha can add a challenge to your registration form that bots cannot easily bypass.
- Limit Registration to Checkout: If you run an e-commerce site with WooCommerce, change the settings to only allow account creation during the checkout process. This effectively stops idle or spam registrations, as suggested in Thread 22.
- Employ a Security Plugin: A comprehensive security plugin can help block malicious traffic and login attempts that often accompany spam registration attacks.
When to Be Concerned
If you find an admin-level user you did not create, or if users keep reappearing after you delete them, your site's security may be compromised. In this case, you should initiate a full security audit.
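The role check from step 2 and the warning signs above can be run over an exported user list. This is an added example, not part of the original guide or of WordPress itself. It assumes the export was produced with WP-CLI (`wp user list --fields=ID,user_login,roles,user_registered --format=json`); the known-admin list, the burst threshold and every sample account are constructed for illustration.

```python
import json
from collections import Counter

KNOWN_ADMINS = {"siteowner"}   # assumption: admin logins you created yourself
BURST_THRESHOLD = 3            # assumption: subscriber sign-ups per day worth a look

# Constructed sample rows: (ID, user_login, roles, user_registered)
_ROWS = [
    (1, "siteowner", "administrator", "2021-03-02 09:14:11"),
    (57, "jsmith", "subscriber", "2024-04-02 17:03:10"),
    (58, "qx81ab", "subscriber", "2024-05-17 02:11:03"),
    (59, "zp40kd", "subscriber", "2024-05-17 02:11:09"),
    (60, "mv77rt", "subscriber", "2024-05-17 02:11:15"),
    (61, "wp_support_svc", "administrator,editor", "2024-05-18 03:40:00"),
]
_FIELDS = ("ID", "user_login", "roles", "user_registered")
SAMPLE_EXPORT = json.dumps([dict(zip(_FIELDS, row)) for row in _ROWS])


def audit_users(export_json, known_admins=KNOWN_ADMINS, burst=BURST_THRESHOLD):
    """Return (unexpected_admins, burst_days) for a WP-CLI JSON user export."""
    unexpected_admins, per_day = [], Counter()
    for user in json.loads(export_json):
        roles = user.get("roles") or ""
        if isinstance(roles, str):
            # WP-CLI prints multiple roles as one comma-separated string.
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if "administrator" in roles:
            # Any administrator you did not create is the red flag from step 2.
            if user["user_login"] not in known_admins:
                unexpected_admins.append(user["user_login"])
        elif roles == ["subscriber"]:
            # Count subscriber sign-ups per calendar day (YYYY-MM-DD prefix).
            per_day[user["user_registered"][:10]] += 1
    burst_days = {day: n for day, n in sorted(per_day.items()) if n >= burst}
    return unexpected_admins, burst_days


if __name__ == "__main__":
    admins, bursts = audit_users(SAMPLE_EXPORT)
    print("Administrators not on the known list:", admins)
    print("Days with a burst of subscriber sign-ups:", bursts)
```

Running the same export again after a cleanup shows whether deleted accounts have reappeared.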
By understanding the common causes and following these steps, you can confidently clean up your user list and secure your site against future unwanted registrations.
Related Support Threads
- Does Wordfence Play Well with Blockhole for Bad Bots Plugin? https://wordpress.org/support/topic/does-wordfence-play-well-with-blockhole-for-bad-bots-plugin/
- Suspicious IP adress is trying to access my WordPress site https://wordpress.org/support/topic/suspicious-ip-adress-is-trying-to-access-my-wordpress-site/
- Question about raw acces log https://wordpress.org/support/topic/question-about-raw-acces-log/
- Urgent Assistance Needed: Website Under Attack with Spam URLs https://wordpress.org/support/topic/urgent-assistance-needed-website-under-attack-with-spam-urls/
- We detected suspected bots triggering large numbers of 404 errors on your site https://wordpress.org/support/topic/we-detected-suspected-bots-triggering-large-numbers-of-404-errors-on-your-site/
- Unfamiliar Domain Associated with My Email Address https://wordpress.org/support/topic/unfamiliar-domain-associated-with-my-email-address/
- multiple login attempts by random user names misdirected to my WP admin login https://wordpress.org/support/topic/multiple-login-attempts-by-random-user-names-misdirected-to-my-wp-admin-login/
- how to block a stalker on my blog https://wordpress.org/support/topic/how-to-block-a-stalker-on-my-blog/
- Site Lockout Notification https://wordpress.org/support/topic/site-lockout-notification-21/
- Security notice https://wordpress.org/support/topic/security-notice-2/
- Unknown GET Requests https://wordpress.org/support/topic/unknown-get-requests/
- Over a million xmlrpc calls and counting? https://wordpress.org/support/topic/over-a-million-xmlrpc-calls-and-counting/
- Is this a scam? https://wordpress.org/support/topic/is-this-a-scam-6/
- WordPress.com bot swamping my site? https://wordpress.org/support/topic/wordpress-com-bot-swamping-my-site/
- Users randomly get “err_connection_reset” error https://wordpress.org/support/topic/users-randomly-get-err_connection_reset-error/
- How this notification email can be triggered https://wordpress.org/support/topic/how-this-notification-email-can-be-triggered/
- Should I be worried for the security? (new user alert) https://wordpress.org/support/topic/should-i-be-worried-for-the-security-new-user-alert/
- “ST WORDPRESS KBENHAVN” Charge on our Visa https://wordpress.org/support/topic/st-wordpress-kbenhavn-charge-on-our-visa/
- How to avoid misterious new users… maybe bots. https://wordpress.org/support/topic/how-to-avoid-misterious-new-users-maybe-bots/
- Brute Force Attacks constantly trying to login as Admin of my website 30 times https://wordpress.org/support/topic/brute-force-attacks-constantly-trying-to-login-as-admin-of-my-website-30-times/
- Finding unwanted users in my WordPress user panel https://wordpress.org/support/topic/finding-unwanted-users-in-my-wordpress-user-panel/
- Sudden influx of customers a day who don’t buy https://wordpress.org/support/topic/sudden-influx-of-customers-a-day-who-dont-buy/