Chykalophia Docs

Offboarding a staff member across all your systems

A complete checklist for safely removing a departing team member's access to WordPress, Google Workspace, Microsoft 365, hosting, passwords, and more.

Tags: resilience, access, security, google-workspace, microsoft-365, beginner

When someone leaves your team — whether on good terms or not — their access to your systems must be removed promptly and completely. An overlooked account is an open door.

This guide gives you a complete, system-by-system checklist. It's the reverse of the onboarding checklist — and if you documented access when they joined, this becomes much easier.

Quick summary

Start with email and hosting — those are the highest-risk accounts. Work through every other system using your access record from onboarding. Transfer any files or data before deleting accounts. If the departure is not on good terms, act on the same day you learn about it.

Departures on bad terms — act today

If the departure is hostile, contentious, or you have any reason to believe the person may misuse access, complete this checklist on the same day. Do not wait. Change any shared passwords immediately. Contact us if you need help moving quickly.

Before you start

  • Retrieve the access record you kept from their onboarding. (If you didn't keep one, work through this checklist system by system.)
  • Decide whether their email address needs to stay active to catch incoming messages. You can usually redirect it to a colleague without keeping the account alive.
  • Confirm who is taking over any tasks, projects, or ongoing work in each system.
  • Allow adequate time — rushing leads to missed accounts.

Email & productivity suite

Google Workspace

Transfer their files first. Before removing the account, transfer their Google Drive files to a colleague or to a shared drive. Go to the Admin console, find the user, and use the data transfer option. See transferring files when someone leaves.

Set up an out-of-office or redirect on their Gmail if business emails will still arrive at their address. You can set a vacation responder or create a forwarding rule before disabling the account. See setting a vacation responder.

Remove them from Groups and Shared Drives. Go to Directory > Groups and remove them from all mailing lists. Then go to each Shared Drive they had access to and remove them as a member. See shared drives explained.

Suspend or delete the account. Suspending preserves their data and email; deleting removes the account permanently. Suspend first if you're not sure — you can delete later. Go to Users, find the account, and choose Suspend user or Delete user. See removing a user safely.

Microsoft 365

Transfer or save their files first. Download or move files from their OneDrive before deleting the account. Once the account is deleted, file recovery has a limited window. See transferring files when someone leaves.

Set an auto-reply on their Outlook account if business emails will still arrive there. Do this from the admin center before blocking or removing the account.

Remove them from distribution groups and shared mailboxes. Go to the admin center, open each group or mailbox they had access to, and remove their membership. See distribution groups & lists.

Block sign-in and remove their license. In the admin center, go to Users > Active users, select the account, and choose Block sign-in. This immediately prevents login while preserving their data. See removing a user safely.

Delete the account after a suitable holding period (typically 30 days). The admin center will prompt you to reassign their license.


WordPress

Remove or downgrade their account. Log in to WordPress and go to Users. If they were an Editor or lower, delete the account and reassign their posts to another user when prompted. If they were an Administrator, first remove the Administrator role before deleting, to confirm you're not accidentally locking yourself out. See how to remove a user safely.

Check for application passwords. In WordPress, application passwords (used for API access) are separate from the main login. Go to Users, click their name, scroll to Application Passwords, and revoke any that exist.

Rotate the admin password if any shared WordPress admin credentials were in use. It's better practice to use individual accounts, but if sharing happened, change the shared password now.


Hosting

Remove their collaborator access in your hosting dashboard. The steps vary by host:

  • Flywheel: manage users in your Flywheel dashboard under the site settings.
  • WP Engine: remove them in the WP Engine User Portal under your account's user management.
  • Kinsta: remove them from MyKinsta under your company's team settings.

Revoke any SSH/SFTP keys they may have added. Check your hosting dashboard's SSH key management section and remove any keys linked to them.

Change FTP/SFTP passwords if any shared credentials were in use.


Password manager

Remove them from the organization vault. In your password manager's admin settings, revoke their membership. This immediately prevents access to all shared vault entries.

Rotate any passwords they had access to. Once removed from the vault, they no longer see new updates — but they may remember passwords from before. Rotate the passwords for any critical systems they could access. Prioritize: hosting, domain registrar, billing accounts, WordPress admin.


Two-factor authentication (2FA) devices

Revoke their trusted devices from every platform that allows it. In Google Workspace, go to the Admin console, find their account, and look for enrolled security keys or trusted devices to remove.

Remove them from any shared authenticator setups. If any 2FA was set up on a shared phone or device, remove those codes from the device.


Domain registrar

Remove their delegate access from your registrar account. Log in to your registrar (GoDaddy, Namecheap, etc.) and go to account settings or access management to revoke their permissions.

Verify the primary account email is not theirs. If the registrar account uses their email address as the contact, update it to a shared business email (like admin@yourbusiness.com) now. This is critical — if the contact email belongs to a former employee, they could receive renewal notices and account recovery emails.


Other systems

Work through every system on your access record. Common examples:

System | Steps
ClickUp | Go to your workspace settings and remove or deactivate their member account.
Google Analytics | Remove them from the GA4 property's user management.
Google Search Console | Remove them from property user management.
Meta Business Manager | Remove them from Business Settings > People.
Mailchimp / Klaviyo | Remove them from the account's user or team settings.
Stripe | Remove from Stripe Dashboard > Team.
Shopify | Remove staff from Shopify Settings > Users and permissions.
Cloudflare | Remove from your Cloudflare account's Members section.
GitHub | Remove from your organization's team in GitHub.
Figma | Remove from the team or project settings in Figma.

After the checklist

When you're done

Confirm these are complete:

  • Email account suspended or deleted, files transferred
  • WordPress account removed and posts reassigned
  • Hosting access revoked
  • Password manager membership removed, critical passwords rotated
  • Domain registrar access revoked, contact email updated
  • All other systems cleared from your access record
  • Any shared passwords changed

Update your access record. Note the date of removal for each system. This is useful for audits and for confirming the offboarding is complete.
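
The access record can also serve as the completion check. The Python sketch below is an added example, not part of the original guide: it reads a constructed access record (the CSV column names, categories, and sample rows are assumptions) and lists what is still open, with email and hosting first. It treats a shared credential as open until it has been rotated, and for a hostile departure it flags any removal dated after the day you learned of it.

```python
import csv
import io
from datetime import date

# Constructed sample access record; the column names are assumptions for this example.
SAMPLE_RECORD = """system,category,access,removed_on,rotated_on
Google Workspace,email,individual,2024-03-01,
Kinsta,hosting,individual,,
WordPress admin,wordpress,shared,2024-03-01,
Password manager,passwords,individual,2024-03-04,
Domain registrar,registrar,shared,2024-03-01,2024-03-01
Figma,other,individual,,
"""

# Email and hosting first, as the guide's quick summary says; the rest follows
# the order in which the guide lists its sections.
PRIORITY = ["email", "hosting", "wordpress", "passwords", "2fa", "registrar", "other"]


def audit(record_csv, learned_on, hostile=False):
    """Return (system, problem) pairs still open, highest-risk category first."""
    findings = []
    for row in csv.DictReader(io.StringIO(record_csv)):
        category = row["category"]
        rank = PRIORITY.index(category) if category in PRIORITY else len(PRIORITY)
        removed, rotated = row["removed_on"], row["rotated_on"]
        if not removed:
            findings.append((rank, row["system"], "access not removed"))
        elif hostile and date.fromisoformat(removed) > learned_on:
            findings.append((rank, row["system"], "removed after the same-day deadline"))
        # A shared credential stays usable until it is changed, even once the
        # person's own account is gone.
        if row["access"] == "shared" and not rotated:
            findings.append((rank, row["system"], "shared password not rotated"))
    findings.sort(key=lambda f: f[0])  # stable sort keeps record order within a category
    return [(system, problem) for _, system, problem in findings]


if __name__ == "__main__":
    for system, problem in audit(SAMPLE_RECORD, date(2024, 3, 1), hostile=True):
        print(f"{system}: {problem}")
```

An empty result means every system on the record has a removal date and every shared credential has a rotation date.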

Keep their email address active for 30 days (as a suspended account or redirect) to catch any business correspondence that arrives.

Run a quick security check after the offboarding. See the business security checklist for a post-offboarding review.



Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.