Just like banks and sensitive apps, your WordPress website can benefit from an extra layer of security by automatically logging out inactive users.
In our experience, this is a simple yet effective way to prevent unauthorized access, especially if a user forgets to log out from a shared device.
This article provides a step-by-step guide to setting up automatic logouts for idle users. This makes sure they’ll be prompted to log back in and verify their identity after being inactive.
Why Automatically Log Out Idle Users in WordPress?
Idle users pose a security risk to your WordPress website. If someone on your team leaves their laptop unattended at a coffee shop or library, then a stranger may be able to see sensitive information, change their password, or even publish or delete some posts.
An unattended logged-in session also leaves your website more vulnerable to hackers, who may be able to run scripts and take over the user’s account.
That’s why it’s a good security practice to automatically log out users who have become inactive and hide the content on their screen.
With that being said, let’s take a look at how to automatically log out idle users in WordPress using two different methods.
Method 1: How to Automatically Log Out Idle Users in WordPress Using Code (Recommended)
The quickest way to automatically log out inactive users in WordPress is by using the WPCode plugin.
WPCode allows you to easily add custom code in WordPress without editing your theme’s functions.php file, so you don’t have to worry about breaking your site.
Plus, the plugin comes with a huge library of ready-made code snippets, including an auto-logout inactive users snippet, that you can add in a couple of clicks.
To get started, you need to install and activate the free WPCode plugin. If you need help, see our guide on how to install a WordPress plugin.
Upon activation, go to Code Snippets » + Add Snippet from your WordPress dashboard.
From there, search for the ‘Auto-logout inactive users’ snippet in the library. When you find it, hover over it, and click the ‘Use snippet’ button.
WPCode will then automatically add the code for you and select the proper insertion method.
After that, all you need to do is toggle the switch from ‘Inactive’ to ‘Active’ and click the ‘Update’ button.
That’s it. Now users will be automatically logged out of your WordPress website after 10 minutes of inactivity.
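To show what server-side idle logout involves, here is an added example. It is not the WPCode library snippet and not code from this article. It assumes WordPress's built-in session-token API, and the `example_*` names and the `EXAMPLE_IDLE_LIMIT` constant are hypothetical.

```php
<?php
// Added example: server-side idle logout tracked per login session.
// EXAMPLE_IDLE_LIMIT, example_last_activity and example_enforce_idle_timeout are hypothetical names.
define( 'EXAMPLE_IDLE_LIMIT', 10 * MINUTE_IN_SECONDS ); // Same 10-minute window as Method 1.

add_action( 'init', 'example_enforce_idle_timeout' );

function example_enforce_idle_timeout() {
	if ( ! is_user_logged_in() ) {
		return;
	}

	$manager = WP_Session_Tokens::get_instance( get_current_user_id() );
	$token   = wp_get_session_token();
	$session = $manager->get( $token );
	if ( ! is_array( $session ) ) {
		return; // No stored session for this request's cookie, so nothing to expire.
	}

	$now  = time();
	$last = isset( $session['example_last_activity'] ) ? (int) $session['example_last_activity'] : $now;

	if ( $now - $last > EXAMPLE_IDLE_LIMIT ) {
		wp_logout(); // Destroys this session token server-side and clears the auth cookies.
		if ( wp_doing_ajax() ) {
			return; // Let the background request finish as a logged-out visitor.
		}
		wp_safe_redirect( wp_login_url() );
		exit;
	}

	// Heartbeat polls admin-ajax.php from any open dashboard tab. Counting it as
	// activity would keep an unattended tab logged in forever.
	$is_heartbeat = wp_doing_ajax() && isset( $_POST['action'] ) && 'heartbeat' === $_POST['action'];

	// Write at most once a minute to avoid a database update on every request.
	$is_new = ! isset( $session['example_last_activity'] );
	if ( ! $is_heartbeat && ( $is_new || $now - $last >= MINUTE_IN_SECONDS ) ) {
		$session['example_last_activity'] = $now;
		$manager->update( $token, $session );
	}
}
```

Because the timestamp lives in the session token rather than in per-user meta, activity on one device does not keep a forgotten session on another device alive.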
Method 2: How to Automatically Log Out Idle Users in WordPress Using a Plugin
For this method, the first thing you need to do is install and activate the Inactive Logout plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, simply go to Settings » Inactive Logout page to configure the plugin.
First, you need to enter the idle time, in minutes, after which a user will be automatically logged out. Make sure it is not too short or too long.
After that, you can enter a message that you want to be displayed to inactive users.
Below the message field, you will find more plugin options to change the auto logout functionality. The default settings will work for most websites, but you can change them if you want.
You can enable the ‘Popup Background’ option if you want to change the background color of the screen when a user session times out. This will cover the user’s browser screen to keep the contents hidden from prying eyes.
The ‘Disable Timeout Countdown’ option will remove the countdown warning and will directly log out idle users.
If you don’t want to use the automatic logout feature, then you can check the ‘Show Warn Message Only’ option. Now the warning message will be displayed, but the user will not be logged out.
The ‘Disable Concurrent Logins’ option will stop your users from using the same account from different devices or browsers at the same time.
By default, the plugin displays a login popup and does not redirect users. You can enable the ‘Enable Redirect’ option to redirect users to any page you want.
After you have reviewed and changed your settings, don’t forget to click on the ‘Save Changes’ button to store them.
Setting Up Different Timeout Settings Based on User Roles
If you want to set idle timeout rules based on user roles and capabilities, then you can do so under the ‘Advanced Management’ tab on the plugin’s settings page.
First, you need to select the user roles that you want to set up differently from the global settings. After that, you will be able to select a different timeout period and redirect or even disable timeout settings for that user role.
Once you are satisfied with the settings, make sure you click the ‘Save Changes’ button.
To see the plugin in action, you can log in to your WordPress site and do nothing for the timeout duration in the plugin’s settings. After that, you will see a countdown timer popup appear.
You can click the ‘Continue’ button to resume working without expiring the session.
Users who don’t click the ‘Continue’ button will be logged out and will see the login screen.
Bonus: How to Add More Security with Two-Factor Authentication
Now, one problem with this approach is that many users save their passwords using a password manager or their browser’s built-in password storage feature.
This means that their login popup will already have their username and password fields filled in. Any person can just click on the login button to access their account while they are away.
You can make unauthorized access more difficult by adding two-step verification to the WordPress login screen.
This requires users to enter a unique one-time password generated by an app on their phone. For detailed instructions, see our guide on how to add two-factor authentication in WordPress.
Expert Guides on Protecting WordPress Login
We hope this article helped you learn how to automatically log out idle users in WordPress. You may also want to see some additional ways to protect your login screen:
- How and Why You Should Limit Login Attempts in WordPress
- How to Add CAPTCHA in WordPress Login and Registration Form
- How to Add Security Questions to the WordPress Login Screen
- How to Add Passwordless Login in WordPress with Magic Links
- How to Disable Login Hints in WordPress Login Error Messages
- How To Add Social Login To WordPress (The Easy Way)
- How to Add a Custom Login URL in WordPress (Step by Step)
Jiří Vaněk
I used the snippet, and it works perfectly. I have a website where more people are now logging in thanks to MemberPress. I was a bit concerned about security and ensuring that users follow some security guidelines. This helped me at least set up a system to log out inactive users, which, for me, is the first step toward greater security. Perfect in my opinion.
car
What about manually configuring automatic logout of idle users? Do you have any recipe?
WPBeginner Support
At the moment we do not have a recommended method without using a plugin.
Admin
Gina Davis
I’m looking at ‘Inactive Logout’. It was updated a week ago.
I have a co-worker holding a post hostage. So going to use this to kick from the post & website. I hope.
Jesse Brede
Yeah, this is no longer a working solution.
David
Has anyone found a plugin that will do the same thing, but that is actively updated? Reading the forum for WP Idle Logout, people are reporting it is buggy on current versions of WP.
Thanks.
esp
This plugin hasn’t been updated for a while and isn’t tested in WP 4.1. Too bad.
Yoshitoka
True story. I had some trouble myself with this plugin. I had to log in twice before I was able to get to the wp-admin part with this plugin enabled.