<b>Least-Privilege Role Cleanup SOP</b>
Run quarterly on every WordPress install.
— Step 1: Count your Administrators. More than 2-3 on a normal site is a finding, not a feature.
— Step 2: Demote content people. Writers get Author, reviewers get Editor. Nobody publishes copy from an Admin account.
— Step 3: Remove <code>edit_files</code>, <code>install_plugins</code>, and <code>update_core</code> from any custom role that doesn't deploy.
— Step 4: Set <code>DISALLOW_FILE_EDIT</code> to true in <code>wp-config.php</code> — kill the in-dashboard code editor entirely.
— Step 5: Delete dormant accounts. No login in 90 days = disable, then remove after review.
— Step 6: Reassign orphaned content before deletion so nothing breaks.
Run this every time.
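An added audit script (not from the channel) that checks a user export against Steps 1, 2, 5 and 6 of the SOP. It assumes a JSON export in the shape of <code>wp user list --format=json</code>, extended with two assumed fields, <code>last_login</code> and <code>post_count</code>, which core WordPress does not provide and a last-login plugin or custom user meta would have to supply; the sample data is constructed.

```python
"""Audit a WordPress user export against the quarterly role-cleanup SOP."""
import json
from datetime import date, timedelta

MAX_ADMINS = 3        # Step 1: more administrators than this is a finding
DORMANT_DAYS = 90     # Step 5: no login in this window -> disable

# Constructed sample in the shape of `wp user list --format=json`. The
# `last_login` and `post_count` keys are assumed extras (core WordPress does
# not record logins; a last-login plugin or custom user meta must supply them).
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "owner", "roles": "administrator", "last_login": "2024-06-28", "post_count": 0},
    {"ID": 2, "user_login": "devops", "roles": "administrator", "last_login": "2024-06-30", "post_count": 0},
    {"ID": 3, "user_login": "marketing", "roles": "administrator", "last_login": "2024-06-25", "post_count": 12},
    {"ID": 4, "user_login": "old-agency", "roles": "administrator", "last_login": "2024-01-10", "post_count": 3},
    {"ID": 5, "user_login": "jane", "roles": "author", "last_login": "2024-06-29", "post_count": 40},
    {"ID": 6, "user_login": "temp-intern", "roles": "subscriber", "last_login": None, "post_count": 0},
])

def parse_export(raw):
    """Parse the export; wp-cli emits `roles` as a comma-separated string."""
    users = []
    for u in json.loads(raw):
        last = date.fromisoformat(u["last_login"]) if u["last_login"] else None
        users.append({"login": u["user_login"], "roles": set(u["roles"].split(",")),
                      "last_login": last, "posts": int(u.get("post_count", 0))})
    return users

def audit(users, today):
    """Return (step, user_login, message) tuples, one per SOP violation."""
    findings = []
    admins = [u for u in users if "administrator" in u["roles"]]
    if len(admins) > MAX_ADMINS:
        findings.append(("step1", "*", f"{len(admins)} administrators (max {MAX_ADMINS})"))
    cutoff = today - timedelta(days=DORMANT_DAYS)
    for u in users:
        if "administrator" in u["roles"] and u["posts"] > 0:
            findings.append(("step2", u["login"], "publishes from an Admin account; demote to Editor/Author"))
        if u["last_login"] is None or u["last_login"] < cutoff:   # never logged in counts as dormant
            findings.append(("step5", u["login"], "dormant: disable, then remove after review"))
            if u["posts"] > 0:
                findings.append(("step6", u["login"], f"owns {u['posts']} posts; reassign before deletion"))
    return findings

def run_audit(raw=SAMPLE_EXPORT, today_iso="2024-07-01"):
    """Convenience wrapper: parse and audit in one call with a fixed audit date."""
    return audit(parse_export(raw), date.fromisoformat(today_iso))

if __name__ == "__main__":
    for step, login, msg in run_audit():
        print(f"[{step}] {login}: {msg}")
```

Feed it the real export (`wp user list --format=json`, with the login field your tracking plugin provides) and work the findings top to bottom; an account flagged under Step 6 must have its content reassigned before the Step 5 removal.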
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. Subscribe via the link: @LockdownLedger.