Managing logged in WordPress users sessions


With the Users Sessions Management for WordPress feature you can manage, limit and block simultaneous user sessions on your WordPress site. This feature manual explains in detail how to configure each of these settings.


Why should you manage multiple same user sessions?

By default, WordPress allows the same user to log in multiple times simultaneously. This means that if someone from the US office logs in to WordPress with the username Robert, someone else can log in with the same user Robert from the European office.

As a security best practice, usernames should not be shared. Otherwise, you can’t use the WordPress activity log to track down who did what. Also, if you have a user subscription business, paying customers can share their credentials with others to access the paid content for free.

Blocking multiple same user sessions can also work as a security feature: if an attacker guesses the password of another user, the attacker cannot log in while that user is logged in, and is therefore kept out. And when the attacker tries to log in and the session is blocked, the administrator receives an email alert about the suspicious activity, allowing them to take the necessary evasive actions.

Managing simultaneous users sessions on WordPress

You can manage the WordPress users sessions with the WP Activity Log plugin. The plugin allows you to configure different sessions policies for every role you have on your website, including custom WordPress user roles.

The WordPress users sessions management settings

Configuring users sessions settings per WordPress user role

By default, any users sessions policy you configure in the All tab applies to all users on the website. However, you can exclude all the users with a specific role from the policies, or configure different policies for different user roles. You can do so by clicking on the role’s tab and configuring the appropriate policies.

For example, if you do not want to enforce any policies on users with the Editor role, click on the Editor tab and enable the setting Do not enforce policies on users with this role.

Exclude users with a specific user role from the policies

If, for example, you want to configure different users sessions policies for a specific role, untick the setting Inherit the sessions policies and configure the policies you want for that role in the role’s tab. Always save the settings once ready.

Limiting the number of simultaneous sessions per WordPress user

By default, the plugin allows a WordPress user to have multiple simultaneous logged in sessions. Follow the procedure below to configure the plugin to limit the number of simultaneous logged in sessions a WordPress user can have:

  1. Click on the Logged in Users entry in the plugin menu
  2. Open the Users Sessions Management tab
  3. Set the setting Multiple Sessions to Allow up to and specify the number of simultaneous sessions you would like to allow per user.
  4. Save the settings.

When you configure the plugin to allow up to three sessions, the fourth individual who tries to log in with the same username will be blocked.

Blocking multiple simultaneous sessions for the same WordPress user

If you do not want to allow users to have simultaneous sessions, you can block them. Here is how to block them:

  1. Click on the Logged in Users entry in the plugin menu
  2. Open the Users Sessions Management tab
  3. Set the setting Multiple Sessions to Allow one session only.

Automatically terminate idle users sessions

You can also configure WP Activity Log to terminate idle WordPress users sessions. This is a recommended security best practice which admins should implement.

Get Notified of Simultaneous & Blocked User Sessions

The activity log plugin keeps a log when a user session is blocked or when a user has simultaneous sessions using the below events:

  • Event ID 1004 to keep a record of a blocked user session
  • Event ID 1005 to keep a log of simultaneous sessions with the same username

You can configure notifications in the plugin so you are alerted via email when a WordPress users session is blocked or there are simultaneous same user sessions, as explained in the post How to Limit & Manage Users Sessions in WordPress Sites & Multisite Networks.
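
To see how the role settings, the session limit and the two event IDs described above fit together, here is an added Python model of that behaviour. It is an illustration written for this manual, not the plugin's code: the class and field names are assumptions, and so is the exact moment at which event 1005 is recorded (here, whenever a login is allowed while the same user already has an open session).

```python
# Added illustration: a model of the policy behaviour described in this manual,
# not WP Activity Log's own code. All class and field names are assumptions.
from dataclasses import dataclass, field
from typing import Optional

EVENT_BLOCKED = 1004       # blocked user session (event ID from the manual)
EVENT_SIMULTANEOUS = 1005  # simultaneous sessions with the same username


@dataclass
class RolePolicy:
    inherit: bool = True                 # "Inherit the sessions policies"
    exempt: bool = False                 # "Do not enforce policies on users with this role"
    max_sessions: Optional[int] = None   # None = unlimited, 1 = "Allow one session only"


@dataclass
class SessionManager:
    default: RolePolicy                          # policy from the "All" tab
    roles: dict = field(default_factory=dict)    # role name -> RolePolicy
    active: dict = field(default_factory=dict)   # username -> open session count
    events: list = field(default_factory=list)   # (event_id, username) tuples

    def effective_limit(self, role):
        """Resolve the session limit that applies to a role (None = no limit)."""
        policy = self.roles.get(role, RolePolicy())
        if policy.exempt:
            return None
        if policy.inherit:
            policy = self.default
        return policy.max_sessions

    def login(self, username, role):
        """Return True if the login is allowed, False if it is blocked."""
        limit = self.effective_limit(role)
        open_sessions = self.active.get(username, 0)
        if limit is not None and open_sessions >= limit:
            self.events.append((EVENT_BLOCKED, username))
            return False
        if open_sessions >= 1:
            # Assumption: 1005 is recorded when an extra session is allowed.
            self.events.append((EVENT_SIMULTANEOUS, username))
        self.active[username] = open_sessions + 1
        return True

    def logout(self, username):
        self.active[username] = max(0, self.active.get(username, 0) - 1)
```

With the All tab set to allow up to three sessions, the fourth login for the same username returns False and records event 1004, while a role marked as exempt is never blocked.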