Allow Only One Logged in Session for WordPress Users

WordPress allows multiple logged in sessions by default, you can login to unlimited sessions/devices at the same time. By default, there is no way to know how many active sessions you’re logged in currently. You won’t be able to logout other sessions if you don’t have access to WordPress back-end admin access.

If you have access to WordPress back-end, you can logout other sessions by clicking “Log Out Everywhere Else” button in your profile editing page. But if your WordPress users are not allowed to access WordPress back-end (wp-admin) profile page and you want to allow only one active sessions for users, what’s the solution for that?

Allow Only One Session for WordPress Users

If a user can’t logout from inactive sessions, the user account can be accessible by other people. Suppose a user logged in your WordPress site from a public computer and forgot to logout or couldn’t logout. After that, anyone uses the computer can access the account and can change/delete/update the account information.

You can apply the custom function to stop this from happening and to strengthen user security. The function will automatically logout all other inactive sessions when users logged in a new session.

// Allow only one logged in session for WordPress users
function wp_destroy_all_other_sessions() {
    $token = wp_get_session_token();
    if ( $token ) {
        $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
        $manager->destroy_others( $token );
    }
}
add_action('init', 'wp_destroy_all_other_sessions');

Users don’t need to click “Log Out Everywhere Else” button anymore, the function will do it automatically. You can add the function in your theme’s functions.php, your own plugin or Functionality plugin.

2 Comments on this.

Leave a Reply

Your email address will not be published. Your comments must follow our guidelines.