Home / Security / Audit and remove unused admin accounts and plugins
Defensive & Operational · Security Ring

Audit and remove unused admin accounts and plugins

1-2 hr Impact: high Effort: low ✓ Manual completion

Old admin accounts and unused plugins left installed, even inactive ones, represent real attack surface, an unused plugin with a known vulnerability is just as exploitable whether you actively use it or not, since the vulnerable code is still present.

Attackers specifically scan for known vulnerabilities in installed plugins and themes, whether active or not, removing what you do not genuinely need shrinks your actual attack surface.

How to do it

  1. 1
    Audit every admin account with access
    Remove or downgrade access for anyone who no longer needs it, former employees, old contractors, unused service accounts.
  2. 2
    Audit every installed plugin or extension
    Identify anything not genuinely in active use.
  3. 3
    Remove unused plugins entirely, not just deactivate
    A deactivated plugin can still contain exploitable code sitting on your server, full removal is the real fix.
  4. 4
    Repeat this periodically
    This tends to accumulate again over time as new tools get tried and abandoned.

Common mistakes

How you will know it is done

No unused admin accounts or plugins remain, everything present is genuinely in active use.

Track this in your hive

The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.

Open this mission in H.I.V.E. →