diff --git a/apiserver/plane/app/serializers/user.py b/apiserver/plane/app/serializers/user.py
index 05d8665b5..ec26eb1a2 100644
--- a/apiserver/plane/app/serializers/user.py
+++ b/apiserver/plane/app/serializers/user.py
@@ -16,26 +16,39 @@ from .base import BaseSerializer
 class UserSerializer(BaseSerializer):
 class Meta:
 model = User
- fields = "__all__"
+ # Exclude password field from the serializer
+ fields = [
+ field.name
+ for field in User._meta.fields
+ if field.name != "password"
+ ]
+ # Make all system fields and email read only
 read_only_fields = [
 "id",
+ "username",
+ "mobile_number",
+ "email",
+ "token",
 "created_at",
 "updated_at",
 "is_superuser",
 "is_staff",
+ "is_managed",
 "last_active",
 "last_login_time",
 "last_logout_time",
 "last_login_ip",
 "last_logout_ip",
 "last_login_uagent",
- "token_updated_at",
+ "last_location",
+ "last_login_medium",
+ "created_location",
 "is_bot",
 "is_password_autoset",
 "is_email_verified",
 "is_active",
+ "token_updated_at",
 ]
- extra_kwargs = {"password": {"write_only": True}}
 # If the user has already filled first name or last name then he is onboarded
 def get_is_onboarded(self, obj):
@@ -208,9 +221,15 @@ class ProfileSerializer(BaseSerializer):
 class Meta:
 model = Profile
 fields = "__all__"
+ read_only_fields = [
+ "user",
+ ]
 class AccountSerializer(BaseSerializer):
 class Meta:
 model = Account
 fields = "__all__"
+ read_only_fields = [
+ "user",
+ ]
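Review bot: The new `fields` comprehension in `UserSerializer.Meta` is still a denylist: every concrete column on `User` except `password` is serialized, so `token` (only made read-only here) and the `last_login_ip` / `last_location` fields are still returned to whoever receives this serializer, and any sensitive column added to the model later is exposed by default. If `token` holds a credential (the model is not visible in this hunk), exclude it as well, e.g. `if field.name not in {"password", "token"}`, or better replace the comprehension with an explicit list of the fields the API is meant to return. `User._meta.fields` also omits many-to-many fields, so any such relation that `"__all__"` used to emit is dropped without mention; the comment should say so if that is intended. A regression test asserting that `password` is absent from the output and that a write to `is_superuser` or `email` is ignored would pin the intent of this change.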
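Review bot: In both `ProfileSerializer.Meta` and `AccountSerializer.Meta`, `fields = "__all__"` stays, so locking `user` closes the ownership-reassignment path but leaves every other column both readable and writable through the API. The models are not visible here; if `Account` stores identity-provider credentials or provider account identifiers, those would still be serialized and client-editable. Consider an explicit `fields` list on both serializers, and extend the read-only set to the system-managed columns, e.g. `read_only_fields = ["id", "user", "created_at", "updated_at"]` (names assumed from the `UserSerializer` hunk; confirm against the models).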