Do you want to automatically log out idle users in WordPress?
As a security-conscious site admin, you may want to force inactive users to log in again. Banking websites and apps log out idle users to stop unauthorized users from accessing accounts. You can do the same on your own WordPress website to improve security.
In this article, we will show you how to automatically log out inactive users in WordPress. Once logged out, users will be asked to log in again to resume what they were doing.
Why Automatically Log Out Idle Users in WordPress?
Idle users pose a security risk to your WordPress website. If someone on your team leaves their laptop unattended at a coffee shop or library, then a stranger may be able to see sensitive information, change their password, or even publish or delete some posts.
Inactive users also leave your website more vulnerable to hackers. They may be able to run scripts and take over the user’s account.
That’s why it’s a good security practice to automatically log out users who have become inactive and hide the content on their screen.
With that being said, let’s take a look at how to automatically log out idle users in WordPress.
How to Automatically Log Out Idle Users in WordPress
The first thing you need to do is install and activate the Inactive Logout plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, simply go to Settings » Inactive Logout page to configure the plugin.
First, you need to enter the time after which a user will be automatically logged out. You can enter the time in minutes and make sure it is not too short or too long.
After that, you can enter a message that you want to be displayed to inactive users.
Below the message field, you will find more plugin options to change logout functionality. The default settings will work for most websites, but you can change them if you want.
You can enable the ‘Popup Background’ option if you want to change the background color of the screen when a user session times out. This will cover the user’s browser screen to keep the contents hidden from prying eyes.
The ‘Disable Timeout Countdown’ option will remove the countdown warning and will directly log out idle users.
If you don’t want to use the auto-logout feature, then you can check the ‘Show Warn Message Only’ option. Now the warning message will be displayed but the user will not be logged out.
The ‘Disable Concurrent Logins’ option will stop your users from using the same account from different devices or browsers at the same time.
By default, the plugin displays a login popup and does not redirect users. You can enable the ‘Enable Redirect’ option to redirect users to any page you want.
After you have reviewed and changed your settings, don’t forget to click on the ‘Save Changes’ button to store them.
Setting Up Different Timeout Settings Based on User Roles
If you want to set timeout rules based on user roles and capabilities, then you can do so under the ‘Advanced Management’ tab on the plugin’s settings page.
First, you need to select the user roles that you want to set up differently from the global settings. After that, you will be able to select a different timeout period and redirect, or even disable timeout settings for that user role.
Once you are satisfied with the settings, make sure you click the ‘Save Changes’ button.
To see the plugin in action, you can log in to your website and do nothing for the timeout duration in the plugin’s settings. After that, you will see a countdown timer popup appear.
You can click the ‘Continue’ button to resume working without expiring the session.
Users who don’t click the ‘Continue’ button will be logged out and will see the login screen.
How to Add More Security with Two-Factor Authentication
Now one problem with this approach is that many users save their passwords using a password manager or their browser’s built-in password storage feature.
This means that their login popup will already have their username and password fields filled in. Any person can just click on the login button to access their account while they are away.
You can make unauthorized access more difficult by adding two-step verification to the WordPress login screen.
This requires users to enter a unique one-time password generated by an app on their phone. For detailed instructions, see our guide on how to add two-factor authentication in WordPress.
We hope this article helped you learn how to automatically log out idle users in WordPress. You may also want to see our ultimate WordPress security guide or our expert pick on the best drag-and-drop WordPress page builders.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
What about manually configure automatic logout idle users? Do You have any recipe?
WPBeginner Support says
At the moment we do not have a recommended method without using a plugin
Gina Davis says
I’m looking at ‘Inactive Logout’ It was updated a week ago.
I have a co-worker holding a post hostage. So going to use this to kick from the post & website. I hope.
Jesse Brede says
Yeah, this is no longer a working solution.
Has anyone found plugin that will do the same thing, but that is actively updated? Reading the forum for WP Idle Logout, people are reporting it is buggy current versions of WP.
this plugin hasn’t been updated for a while and isn’t tested in WP 4.1 too bad
True story. I had some trouble myself with this plugin. I had to login twice before I was able to get to the wp-admin part with this plugin enabled.