Managing logged in WordPress users sessions


You can manage and control simultaneous user sessions on your WordPress site with the Users Sessions Management for WordPress feature. With this feature you can control for example how many simultaneous logged in sessions the same WordPress user is allowed, or block them.


Why should you manage multiple same user sessions?

By default WordPress allows the same user to have multiple simultaneous sessions. So if someone from the US office logs in to WordPress with the username Robert, someone else can use the same user Robert to log in from the European office at the same time.

As a security best practice, usernames should not be shared; otherwise you cannot use the WordPress activity log to track down who did what. Also, if you run a user subscription business, by default you cannot control who logs in, so a paying customer can share their credentials with others, who then access the paid content for free.

Blocking multiple same user sessions also works as a security feature: if an attacker guesses another user’s password, the attacker cannot log in while that user is logged in, which keeps the attacker out. And when the attacker tries to log in and the session is blocked, the administrator receives an email alert about the suspicious activity, allowing them to take the necessary actions.

Managing simultaneous sessions per WordPress Users

Settings to manage simultaneous logged in sessions for WordPress user

Limiting the number of simultaneous sessions per WordPress user

By default the plugin does not change WordPress’ behaviour, so a WordPress user can still have multiple simultaneous logged in sessions. Follow the procedure below to configure the plugin to limit the number of simultaneous logged in sessions a WordPress user can have:

  1. Click on the Logged in Users entry in the plugin menu
  2. Open the Users Sessions Management tab
  3. Set the setting Multiple Sessions to Allow up to and specify the number of simultaneous sessions you would like to allow per user.
  4. Save the settings.

When you configure the plugin to allow up to three sessions, the fourth person who tries to log in with the same username will be blocked.

Blocking multiple simultaneous sessions for the same WordPress user

If you do not want to allow users to have simultaneous sessions, you can block them. Here is how to block them:

  1. Click on the Logged in Users entry in the plugin menu
  2. Open the Users Sessions Management tab
  3. Set the setting Multiple Sessions to Block.
  4. Set the setting Allow blocked sessions to override existing sessions to No, do not allow override.

When a user’s session is blocked, the user is shown the following notification when trying to log in. You can change the notification text in the Blocked Session Error setting on the same settings page.

A WordPress user is blocked from logging in because the user is in use by another session.

Allow blocked sessions to override existing logged in sessions

You can also configure the WP Security Audit Log plugin to allow the blocked sessions to override existing sessions. There are two ways you can allow this:

Terminate existing session

If you select this option, as soon as someone tries to log in with the user robert, the existing logged in session of the user robert is terminated without warning. This may result in the loss of unsaved work.

Terminate existing session with override password

If you select this option you have to specify the override password in the plugin’s settings. When this option is enabled, a user attempting to log in to WordPress has to supply the override password if a logged in session already exists for the same username.

WordPress logged in session override

If the correct credentials and override password are provided, the existing logged in WordPress session with the same username is terminated without warning and the new session is allowed to log in.
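To show how the three behaviours described above (allowing up to N sessions, blocking additional sessions, and letting a new login override an existing session with or without an override password) can be implemented on top of the WordPress session API, here is an added example in the form of a small must-use plugin. It is not the WP Security Audit Log plugin’s own code; the constant names, the ssl_ function names and the ssl_override_password form field are assumptions made for this example, and the override password hash is a placeholder you would generate once with wp_hash_password().

```php
<?php
/**
 * Plugin Name: Simultaneous Session Limiter (added example, not the plugin's own code)
 * Description: Drop into wp-content/mu-plugins/ to limit, block or override simultaneous sessions per user.
 */

// Hypothetical configuration; the real plugin exposes the equivalent as settings in its UI.
const SSL_MAX_SESSIONS     = 1;                  // 1 = "Block", N = "Allow up to N"
const SSL_OVERRIDE_MODE    = 'password';         // 'none' | 'terminate' | 'password'
const SSL_OVERRIDE_PW_HASH = 'PLACEHOLDER_HASH'; // paste the output of wp_hash_password( 'your-override-password' )
const SSL_BLOCKED_MESSAGE  = 'This user is already logged in elsewhere. Please try again later.';

add_filter( 'authenticate', 'ssl_check_simultaneous_sessions', 30, 3 );
/**
 * Runs after WordPress has verified the credentials (priority 20), so $user is
 * a WP_User only when the username and password were correct. The session for
 * this login is created later by wp_set_auth_cookie(), so get_all() returns
 * only the sessions that already exist for this user.
 */
function ssl_check_simultaneous_sessions( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // credentials already rejected (WP_Error) or no attempt (null)
    }

    $manager  = WP_Session_Tokens::get_instance( $user->ID );
    $sessions = $manager->get_all(); // unexpired sessions only

    if ( count( $sessions ) < SSL_MAX_SESSIONS ) {
        if ( ! empty( $sessions ) ) {
            // Within the limit but another session exists: the page's Event ID 1005 case.
            ssl_record( 1005, $user, 'login allowed alongside ' . count( $sessions ) . ' existing session(s)' );
        }
        return $user;
    }

    switch ( SSL_OVERRIDE_MODE ) {
        case 'terminate':
            // "Terminate existing session": kill every other session without warning.
            $manager->destroy_all();
            ssl_record( null, $user, 'existing session(s) terminated by override' );
            return $user;

        case 'password':
            // "Terminate existing session with override password": only override when the
            // extra form field carries the configured password.
            $supplied = isset( $_POST['ssl_override_password'] )
                ? (string) wp_unslash( $_POST['ssl_override_password'] )
                : '';
            if ( '' !== $supplied && wp_check_password( $supplied, SSL_OVERRIDE_PW_HASH ) ) {
                $manager->destroy_all();
                ssl_record( null, $user, 'existing session(s) terminated with override password' );
                return $user;
            }
            // wrong or missing override password: fall through and block

        default:
            // "Block" with no override: the page's Event ID 1004 case.
            ssl_record( 1004, $user, 'login blocked, user already has an active session' );
            return new WP_Error( 'ssl_session_blocked', SSL_BLOCKED_MESSAGE );
    }
}

add_action( 'login_form', 'ssl_override_password_field' );
/** Adds the override password field to wp-login.php when the password mode is active. */
function ssl_override_password_field() {
    if ( 'password' !== SSL_OVERRIDE_MODE ) {
        return;
    }
    echo '<p><label for="ssl_override_password">Override password (only needed if this user is logged in elsewhere)</label>'
       . '<input type="password" name="ssl_override_password" id="ssl_override_password" class="input" size="20" autocomplete="off" /></p>';
}

/**
 * Minimal stand-in for the activity log: writes to the PHP error log and emails the
 * site administrator on a blocked session, mirroring the alert the page describes.
 */
function ssl_record( $event_id, WP_User $user, $detail ) {
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $line = sprintf( '[sessions%s] user=%s ip=%s %s', $event_id ? ' ' . $event_id : '', $user->user_login, $ip, $detail );
    error_log( $line );
    if ( 1004 === $event_id ) {
        wp_mail( get_option( 'admin_email' ), 'Blocked WordPress login session', $line );
    }
}
```

Because the check sits on the authenticate filter, it only runs once the password has been verified, so an attacker who does not know the password gets the ordinary credential error and learns nothing about whether the user is currently logged in. The override password is compared against a stored hash with wp_check_password() rather than against a plaintext option, so reading the configuration does not reveal it.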

Get Notified of Simultaneous & Blocked User Sessions


The activity log plugin records a blocked user session, and a user having simultaneous sessions, with the following events:

  • Event ID 1004 to keep a record of a blocked user session
  • Event ID 1005 to keep a record of simultaneous sessions with the same username

You can configure notifications in the plugin so you are alerted via email when a WordPress user’s session is blocked or when there are simultaneous sessions for the same user, as explained in the post How to Limit & Manage Users Sessions in WordPress Sites & Multisite Networks.