Do you want to automatically log out idle users in WordPress?
As a security-conscious site admin, you may want to force inactive users to log in again. Banking websites and apps log out idle users to stop unauthorized users from accessing accounts. You can do the same on your own WordPress website to improve security.
In this article, we will show you how to automatically log out inactive users in WordPress. Once logged out, users will be asked to log in again to resume what they were doing.
Why Automatically Log Out Idle Users in WordPress?
Idle users pose a security risk to your WordPress website. If someone on your team leaves their laptop unattended at a coffee shop or library, then a stranger may be able to see sensitive information, change their password, or even publish or delete some posts.
Inactive users also leave your website more vulnerable to hackers. They may be able to run scripts and take over the user’s account.
That’s why it’s a good security practice to automatically log out users who have become inactive and hide the content on their screen.
With that being said, let’s take a look at how to automatically log out idle users in WordPress.
How to Automatically Log Out Idle Users in WordPress
Upon activation, simply go to Settings » Inactive Logout page to configure the plugin.
First, you need to enter the time after which a user will be automatically logged out. You can enter the time in minutes and make sure it is not too short or too long.
After that, you can enter a message that you want to be displayed to inactive users.
Below the message field, you will find more plugin options to change the logout functionality. The default settings will work for most websites, but you can change them if you want.
You can enable the ‘Popup Background’ option if you want to change the background color of the screen when a user session times out. This will cover the user’s browser screen to keep the contents hidden from prying eyes.
The ‘Disable Timeout Countdown’ option will remove the countdown warning and will directly log out idle users.
If you don’t want to use the auto-logout feature, then you can check the ‘Show Warn Message Only’ option. Now the warning message will be displayed, but the user will not be logged out.
The ‘Disable Concurrent Logins’ option will stop your users from using the same account from different devices or browsers at the same time.
By default, the plugin displays a login popup and does not redirect users. You can enable the ‘Enable Redirect’ option to redirect users to any page you want.
After you have reviewed and changed your settings, don’t forget to click on the ‘Save Changes’ button to store them.
Setting Up Different Timeout Settings Based on User Roles
If you want to set timeout rules based on user roles and capabilities, then you can do so under the ‘Advanced Management’ tab on the plugin’s settings page.
First, you need to select the user roles that you want to set up differently from the global settings. After that, you will be able to select a different timeout period and redirect or even disable timeout settings for that user role.
Once you are satisfied with the settings, make sure you click the ‘Save Changes’ button.
To see the plugin in action, you can log in to your website and do nothing for the timeout duration in the plugin’s settings. After that, you will see a countdown timer popup appear.
You can click the ‘Continue’ button to resume working without expiring the session.
Users who don’t click the ‘Continue’ button will be logged out and will see the login screen.
Bonus: How to Add More Security with Two-Factor Authentication
Now, one problem with this approach is that many users save their passwords using a password manager or their browser’s built-in password storage feature.
This means that their login popup will already have their username and password fields filled in. Any person can just click on the login button to access their account while they are away.
You can make unauthorized access more difficult by adding two-step verification to the WordPress login screen.
This requires users to enter a unique one-time password generated by an app on their phone. For detailed instructions, see our guide on how to add two-factor authentication in WordPress.
Logging out inactive users and using two-factor authentication are two great ways to improve your WordPress security. Here are some additional ways to protect your login screen:
- How and Why You Should Limit Login Attempts in WordPress
- How to Add CAPTCHA in WordPress Login and Registration Form
- How to Add Security Questions to the WordPress Login Screen
- How to Add Passwordless Login in WordPress with Magic Links
- How to Disable Login Hints in WordPress Login Error Messages
- How To Add Social Login To WordPress (The Easy Way)
- How to Add a Custom Login URL in WordPress (Step by Step)
We hope this article helped you learn how to automatically log out idle users in WordPress. You may also want to see our ultimate WordPress security guide or our expert pick on the best drag-and-drop WordPress page builders.