Action required: Important notice of a potential data breach

Yes.

By either changing the password and ticking the checkbox here https://app.plex.tv/desktop/#!/settings/account
or
by performing the “password reset” routine as instructed in the original email.
The latter requires you to wait for an email with a reset code, so I recommend using the first method whenever possible.

Yes, definitely. The server uses an access token just like all the clients do. Leaving this token intact means leaving an intrusion vector wide open.

Here is an easier/less dangerous method for Windows-based servers: You need to reclaim your server, but don't dare to touch the Windows Registry
Here is an equivalent for LINUX-based server platforms (that includes almost all NAS brands): Server credential reset utility for Linux-based platforms

Leave them alone. While deleting these devices will also revoke the access tokens, in the case of the server it will also give them a new “identity”. Which means you’ll have to re-create all library access grants.

The checkbox during the password change is less destructive, as it only revokes the tokens, but doesn’t destroy the device ID.

You will still be vulnerable if an attacker picks that token to try and connect to your account/server.

“Plex friend” users with whom you shared your media here https://app.plex.tv/desktop/#!/settings/manage-library-access are using their own plex.tv user account. Which means they are also using their own access tokens and thus need to perform the same PW change procedure as you.
