Guide to Forcing User Logout in WordPress: When and How

Published 5 February 2024
Agnes Talalaev
SEO wizard at Patchstack
Table of Contents

Did you leave your WordPress account logged in on a shared computer? Are you worried that someone is using your account without your permission? Worry no more! Forcing user logout in WordPress is a feature that will help put your mind at rest.

In this post, we will briefly introduce the concept of WordPress sessions and explain how you can force log out a particular user account from desired devices. We will also take a look at some other ways of terminating WordPress sessions. 

Let’s get started!

WordPress User Sessions Explained

A user session is created when a user logs in to WordPress, and it is destroyed when the user logs out. User sessions allow WordPress to remember the user’s identity and preferences across different pages and requests.

The typical duration of user sessions in WordPress is 48 hours for normal users and 14 days for users who check the “Remember Me” option when logging in. However, this duration can be changed by using plugins or custom code. 

Why should you try forcing user logout in WordPress?

When you're done using your site, logging out is crucial because it stops anyone else from accessing your site without permission. If you do forget to log out, it's like leaving your front door unlocked, allowing anyone to sneak in.

There are huge risks with potentially allowing unauthorized access to your website, from malicious tampering that could mess up your website, to publishing unsuitable content, deleting content, and even accessing sensitive data, such as customer accounts.

Implementing a solid log-out system is like having a security guard for your site, making sure only the right people can access and use your WordPress space.

If you use your WordPress account on a shared computer and forget to log out, then someone else can access your account and modify your website without your permission.

Similarly, if someone steals your session cookies, the attacker will be unfettered to access your account.

If you don’t have a way to access the second system, your account will stay logged in until the session expires, which can take a long time.

Therefore, it is sometimes necessary to force-log out a user account.

Forcing logout programmatically

A manual logout is when a user clicks the “Log Out” link in the WordPress dashboard (or on the website). This will destroy their current session and cookie, but it will not affect any other sessions they might have on different devices or browsers. 

However, if you don’t have access to the user’s dashboard, you can force the user to logout by terminating the user’s session on the server.

To do this, log into your server via SSH and navigate to the root directory of your WordPress installation. In the WordPress directory, execute the following command to list all of the sessions of a given user. It can be used to view the session details, such as the login time, expiration time, IP address, and user agent. Make sure to replace the <user> with the username of your WordPress account.

wp user session list <user>
Forcing user logout in WordPress

In the above screenshot, we can see that all of the sessions of user Bob were listed in a tabular format. Along with the session details, the corresponding token is also displayed. We can now use this token to terminate a particular session using the following command:

wp user session destroy <user> <token>

Similarly, it is also possible to destroy all of the sessions of a given user. It can be used to force log out the user from all devices or browsers.

wp user session destroy <username> --all
Forcing user logout in WordPress

In the above screenshot, we can see that all of the WordPress sessions were removed for a particular user. 

Logging out all users

WordPress stores random values for the security keys and salts in the wp-config.php file. These values are used to create and validate the authentication cookies of the users.

When the security keys and salts are changed, all the existing authentication cookies become invalid, as they do not match the new values. This means that all the users who are logged in will be logged out automatically, and will need to log in again with their credentials.

However, the session tokens that are stored on the server will not be affected by the command, as they are independent of the security keys and salts.

This means the user sessions will remain on the server until they expire or are destroyed manually. To force logout all users on a WordPress website, execute the following command in the terminal:

wp config shuffle-salts
Forcing user logout in WordPress

The above screenshot shows how the command changes salts and keys for a particular WordPress installation. After this, the users will need to log in again, as their authentication cookies will be invalidated by the new security keys and salts.

Forcing logout using a plugin

You can also use several WordPress plugins to terminate sessions automatically. Here are some of the more popular plugins:

Inactive logout

Inactive Logout allows you to automatically log out idle users after a specified time. You can also display a custom message or a countdown before logging them out.

Additionally, you can enable the following options:

  • Disable Timeout Countdown: This option will remove the countdown warning and log out idle users directly.
  • Show Warn Message Only: When enabled, it will show the warning message but not log out the user.
  • Disable Concurrent Logins: This will prevent users from logging in from multiple devices or browsers at the same time.

Enable Redirect: This setting redirects users to a different page instead of showing a popup box after logging them out.

Forcing user logout in WordPress
Check out Inactive Logout on the Patchstack vulnerability database.
Go to Patchstack vulnerability database

Things to keep in mind before logging out users

Handling user logout carefully is important to avoid unintended consequences, such as losing data, breaking functionality, or upsetting users. Some things to consider are:

  • User feedback: It is recommended to inform the user why they are being logged out and what they can do next. For example, you can display a message, send an email, or redirect them to a page with more information. This can help the user understand the situation and prevent frustration or confusion.
  • Data preservation: It is a good practice to notify the user and allow them to save any data before logging out, especially if they are working on something that requires input or submission. 

Final thoughts

User sessions are an essential aspect of any WordPress website, as they allow users to access and interact with the site's features and content. However, unmonitored sessions also pose a security risk, as they can be hijacked, exploited, or abused by malicious actors. Therefore, it is crucial to maintain control over user sessions and ensure that they are terminated when they are no longer needed.

User security is a vital concern for any WordPress website owner, as it affects the reputation, reliability, and revenue of the site. By maintaining control over user sessions, website owners can protect their users and their sites from potential threats and attacks. 

If you are serious about your website security, you should sign up for Patchstack – a comprehensive security solution for WordPress websites.

Patchstack provides real-time protection, automated vulnerability management, a firewall, and more. With Patchstack, you can enjoy peace of mind and focus on growing your website. Sign up for a free forever plan of Patchstack today.

The latest in WordPress How-To's

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.