Additional User Operations

Overview

Beyond CRUD, WP-CLI supports advanced user workflows: metadata management, session control, capability audits, import/export pipelines, and multisite-aware automation.

What Counts as "Additional" User Operations

These tasks are essential in professional environments:

User metadata operations (profile and plugin-specific data)
Session management (inspect and destroy login sessions)
Application password workflows for API access
Bulk import/export for migrations and audits
Multisite user assignment and role control

User Metadata Management

Read User Meta

# List all metadata for a user
wp user meta list john

# Get specific key
wp user meta get john nickname

Update or Create Meta

# Update timezone preference
wp user meta update john locale en_US

# Set custom CRM identifier
wp user meta update john crm_contact_id 83924

Delete Meta Keys

# Remove stale metadata
wp user meta delete john legacy_plugin_flag

Metadata Hygiene

Periodically remove obsolete meta keys left behind by removed plugins to keep user records clean.

Session Management

List Active Sessions

wp user session list john --fields=token,login_time,expiration --format=table

Destroy Sessions (Security Response)

# Destroy one session token
wp user session destroy john <token>

# Destroy all sessions for user (force re-login everywhere)
wp user session destroy john --all

Destroy Sessions for All Users

# Useful after credential incident
wp user session destroy --all

Application Password Operations

Application passwords are useful for API integrations when full credentials should not be shared.

# Create app password for a user
wp user application-password create john "CI Integration"

# List app passwords
wp user application-password list john

# Delete one app password by UUID
wp user application-password delete john <uuid>

# Revoke all app passwords
wp user application-password delete john --all

Credential Handling

Store generated application passwords in a secret manager, not in scripts or shell history.

Bulk Import and Export Workflows

Export User Data

# Export essential fields to CSV
wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv > users-export.csv

# Export JSON for systems integration
wp user list --format=json > users-export.json

Generate Controlled Test Data

# Create 50 testing subscribers
wp user generate --count=50 --role=subscriber

# Verify generated users
wp user list --role=subscriber --format=count

Bulk Update from a Scripted List

#!/bin/bash
# set-editor-role-from-list.sh

while IFS= read -r login; do
  wp user set-role "$login" editor
done < editors.txt

Multisite User Operations

Add Existing User to a Subsite

# Add user to subsite with role
wp --url=shop.example.com user set-role john shop_manager

Audit Roles Per Subsite

#!/bin/bash
# multisite-role-audit.sh

for url in $(wp site list --field=url); do
  echo "=== $url ==="
  wp --url="$url" user list --fields=user_login,roles --format=table
done

Remove High Privileges from a Subsite

wp --url=blog.example.com user set-role contractor contributor

Real-World Scenarios

Scenario 1: Incident Response After Account Leak

# Rotate password
wp user update compromised-user --user_pass='Compromised!Fix2026'

# Revoke active sessions
wp user session destroy compromised-user --all

# Revoke API app passwords
wp user application-password delete compromised-user --all

Scenario 2: Standardize Profile Metadata

#!/bin/bash
# set-default-locale-for-editors.sh

for login in $(wp user list --role=editor --field=user_login); do
  wp user meta update "$login" locale en_US
done

Scenario 3: Remove Dormant Test Accounts

# Delete known test users and reassign content
wp user delete test1 test2 test3 --reassign=1

Scenario 4: API Integration Lifecycle

# Create app password for automation user
wp user application-password create api-bot "Nightly Sync"

# Later, revoke when integration is retired
wp user application-password delete api-bot --all

Best Practices

1. Treat Sessions as Security Controls

When passwords are changed after suspicious activity, always destroy sessions.

2. Keep Metadata Intentional

Document custom user meta keys and remove deprecated keys during maintenance.

3. Use Least Privilege in Multisite

Grant subsite-specific roles rather than broad admin privileges.

4. Prefer Application Passwords for Integrations

Avoid sharing primary login credentials with automation systems.

5. Make Bulk Changes Scriptable and Reversible

Export before and after snapshots for rollback/audit.

Troubleshooting

Command Not Available for Sessions or App Passwords

# Confirm WP-CLI command groups
wp help user

Update WP-CLI and WordPress core if subcommands are missing.

Metadata Not Changing as Expected

wp user meta get john locale
wp user meta list john --format=table

Check key spelling and plugin-specific meta behavior.

Multisite Role Changes Seem Incorrect

# Verify exact site context
wp --url=shop.example.com option get siteurl
wp --url=shop.example.com user get john --field=roles

Quick Reference

# Metadata
wp user meta list <user>
wp user meta get <user> <key>
wp user meta update <user> <key> <value>
wp user meta delete <user> <key>

# Sessions
wp user session list <user>
wp user session destroy <user> <token>
wp user session destroy <user> --all
wp user session destroy --all

# Application passwords
wp user application-password create <user> "<name>"
wp user application-password list <user>
wp user application-password delete <user> <uuid>
wp user application-password delete <user> --all

# Export
wp user list --format=csv > users.csv
wp user list --format=json > users.json

Summary

Area	Core Capability	Typical Use Case
User Meta	Read/update/delete profile metadata	Data cleanup, integrations
Sessions	Revoke active logins	Incident response
App Passwords	Scoped API credentials	Automation and integrations
Bulk Operations	Script user updates and exports	Migrations, governance
Multisite	Per-site role management	Network operations

Key Takeaway

Advanced user operations turn WP-CLI from a convenience tool into an operational control plane for security, governance, and automation.

Next Steps

Build core account lifecycle workflows: Create, Update, Delete Users
Improve audits and remote execution safety: Listing & Authentication
Continue to content operations: Content Management

What Counts as "Additional" User Operations​

User Metadata Management​

Read User Meta​

Update or Create Meta​

Delete Meta Keys​

Session Management​

List Active Sessions​

Destroy Sessions (Security Response)​

Destroy Sessions for All Users​

Application Password Operations​

Bulk Import and Export Workflows​

Export User Data​

Generate Controlled Test Data​

Bulk Update from a Scripted List​

Multisite User Operations​

Add Existing User to a Subsite​

Audit Roles Per Subsite​

Remove High Privileges from a Subsite​

Real-World Scenarios​

Scenario 1: Incident Response After Account Leak​

Scenario 2: Standardize Profile Metadata​

Scenario 3: Remove Dormant Test Accounts​

Scenario 4: API Integration Lifecycle​

Best Practices​

1. Treat Sessions as Security Controls​

2. Keep Metadata Intentional​

3. Use Least Privilege in Multisite​

4. Prefer Application Passwords for Integrations​

5. Make Bulk Changes Scriptable and Reversible​

Troubleshooting​

Command Not Available for Sessions or App Passwords​

Metadata Not Changing as Expected​

Multisite Role Changes Seem Incorrect​

Quick Reference​

Summary​

Next Steps​