Do you ever wonder who is logged in to your WordPress site or multisite network right now? And what content they are reading, or what they are doing while logged in to your site? Knowing such information is crucial for a WordPress site owner or administrator. It will help you better manage your site and stay on top of the game.
You can use a WordPress session management plugin to know what your subcontractors or colleagues are doing when logged in to the site. Or, if you run a subscription business, you can find out how often your customers are logging in, what they are reading, and whether they are sharing credentials to possibly avoid paying subscription fees.
WordPress does not have features to manage and limit logged-in user sessions. However, you can use the WP Security Audit Log plugin to implement WordPress user session control. This post explains why you need to limit and manage logged-in WordPress user sessions, and how you can easily do it.
Why Do You Need a WordPress Users Sessions Management Plugin?
When we talk about WordPress user sessions we are referring to back-end user sessions, that is, users who are logged in to your WordPress site, not the anonymous website visitors. To keep a log of anonymous website visitors you can use the free tool Google Analytics.
Depending on how busy your WordPress site or multisite network is, you might have a variety of users who log in and interact with your website. To mention a few:
- Other administrators who can do any type of change on your site
- Administrators of sub-sites in case of a multisite network
- Developers or designers who build and help you solve technical site issues
- Editors and guest authors who contribute content to your website
- Paying Customers
The more users you have, the more vital it is to have a WordPress session tracking solution, such as a WordPress activity log plugin, to keep a record of what users are doing on your site. There are several benefits to keeping an activity log on your WordPress site, one of which is that you can use the data to see who is logged in.
How to See Who Is Logged in To Your WordPress Site & Multisite Network
You can see who is logged in to your site by reading back through the WordPress activity log. However, this method is very impractical and inaccurate. So in the premium edition of the WP Security Audit Log you can use the WordPress users sessions management module, which is like a WordPress session plugin on steroids!
When you click the Logged In Users node in the activity log plugin menu you can see:
- Who is logged in to your site right now and their role
- When their session started and when it will expire if the user does not log out
- The source IP address from where the user is connecting
- The user’s latest change on the WordPress site
- Which website the user is logged in to, in the case of a multisite network
Identifying Multiple Same User Connections on Your WordPress Site
By default WordPress does not restrict simultaneous sessions for the same user. Therefore a group of people can log in to WordPress with the same username at the same time. The WP Security Audit Log plugin keeps a record of multiple simultaneous user sessions with event 1005, in which it also reports the source IP of the other session.
In the Logged In Users view, simultaneous sessions with the same username are grouped together so you can easily spot them, as can be seen from the sessions of the user m3el1nKy in the screenshot below. You can also terminate a session by clicking the Terminate Session button next to the session in question.
As a security best practice, multiple simultaneous sessions for the same user should not be allowed. For example, if a group of people use the same WordPress user, it is impossible for the site admin to know who did what. This is also a problem for subscription businesses, because many people share their credentials to avoid paying a subscription fee. Not to mention that sharing of WordPress credentials encourages weak passwords.
How to Limit, Block & Manage Simultaneous WordPress Sessions With Same Username
The Users Sessions Management module in the WP Security Audit Log plugin allows you to:
- Limit the number of simultaneous sessions a username can have
- Block simultaneous sessions for the same username
- Configure override options for existing logged-in user sessions
Refer to the technical document limiting and blocking simultaneous users sessions in WordPress for more detailed information on all the settings and how to configure them.
Always run some tests before configuring any restrictions. I recommend first limiting the number of simultaneous sessions to two. Run the site with this setting for a few weeks and keep an eye on user activity and logged-in user sessions. Some users might complain, but it is certainly worth waiting. If there are no user issues for a few weeks, go ahead and block simultaneous connections.
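To preview which accounts a limit of two, and later a full block, would affect before enforcing it, the added example below counts unexpired sessions per username and lists the source IPs behind them. It is not code from the plugin or from this post; the function name, usernames and IP addresses are constructed for illustration, and it assumes session records carry the keys WordPress core stores for each login.

```php
<?php
// Added example, not plugin code. Each session record uses the keys WordPress
// core stores per login: 'login' and 'expiration' (Unix timestamps), 'ip', 'ua'.
// On a live site the list for one user would come from
// WP_Session_Tokens::get_instance( $user_id )->get_all().

/** Return the accounts whose number of unexpired sessions exceeds $limit. */
function audit_simultaneous_sessions(array $sessions_by_user, int $limit, int $now): array
{
    $report = [];
    foreach ($sessions_by_user as $username => $sessions) {
        // Expired sessions do not count against the limit.
        $active = array_filter($sessions, fn($s) => $s['expiration'] > $now);
        if (count($active) <= $limit) {
            continue;
        }
        $report[$username] = [
            'active_sessions' => count($active),
            'distinct_ips'    => array_values(array_unique(array_column($active, 'ip'))),
            'over_limit_by'   => count($active) - $limit,
        ];
    }
    return $report;
}

// Constructed sample data: hypothetical usernames, documentation IP ranges.
$now = 1700000000;
$sample = [
    'editor_anna' => [
        ['login' => $now - 3600, 'expiration' => $now + 169200, 'ip' => '192.0.2.10', 'ua' => 'Firefox'],
    ],
    'dev_marco' => [
        ['login' => $now - 900, 'expiration' => $now + 171900, 'ip' => '192.0.2.30', 'ua' => 'Chrome'],
        ['login' => $now - 300, 'expiration' => $now + 172500, 'ip' => '192.0.2.30', 'ua' => 'Firefox'],
    ],
    'subscriber_42' => [
        ['login' => $now - 7200, 'expiration' => $now + 165600, 'ip' => '192.0.2.20', 'ua' => 'Chrome'],
        ['login' => $now - 600, 'expiration' => $now + 172200, 'ip' => '198.51.100.7', 'ua' => 'Safari'],
        ['login' => $now - 300, 'expiration' => $now + 172500, 'ip' => '203.0.113.5', 'ua' => 'Chrome'],
        ['login' => $now - 400000, 'expiration' => $now - 227200, 'ip' => '192.0.2.20', 'ua' => 'Chrome'], // expired
    ],
];

foreach ([2, 1] as $limit) { // 2 = trial limit, 1 = simultaneous sessions blocked
    echo "Accounts over a limit of $limit:\n";
    foreach (audit_simultaneous_sessions($sample, $limit, $now) as $user => $row) {
        printf("  %s: %d sessions, IPs: %s\n", $user, $row['active_sessions'], implode(', ', $row['distinct_ips']));
    }
}
```

An account with several sessions from one IP is usually one person on two browsers, while several distinct IPs at once is the pattern that points to shared credentials.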
Get Instantly Notified of Multiple or Blocked WordPress Users Sessions
The WP Security Audit Log plugin uses two event IDs to keep a record of simultaneous sessions with the same username or blocked sessions. It uses:
- Event ID 1004 to keep a record of a blocked user session
- Event ID 1005 to keep a log of simultaneous sessions with the same username
Since the WordPress activity log plugin keeps a log of such events, you can use the plugin’s instant notifications & alerts to configure notifications and receive an email when either event ID 1004 or event ID 1005 is recorded in the WordPress activity log.
Take Back Control of Your WordPress Site By Better Managing Users Sessions
Keeping a record of all the changes that happen on your site in a WordPress activity log will certainly help you better manage it. However, for real-time control over WordPress user sessions, use the WordPress users sessions management module to:
- See who is logged in to your site in real-time
- See every user’s latest change
- Limit the number of simultaneous sessions a user can have
- Instantly terminate a user session with a click of a button