Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Automatically Log Out Idle Users in WordPress

Just like banks and sensitive apps, your WordPress website can benefit from an extra layer of security by automatically logging out inactive users.

In our experience, this is a simple yet effective way to prevent unauthorized access, especially if a user forgets to log out from a shared device.

This article provides a step-by-step guide to setting up automatic logouts for idle users. This makes sure they’ll be prompted to log back in and verify their identity after being inactive.

How to automatically logout inactive or idle users in WordPress

Why Automatically Log Out Idle Users in WordPress?

Idle users pose a security risk to your WordPress website. If someone on your team leaves their laptop unattended at a coffee shop or library, then a stranger may be able to see sensitive information, change their password, or even publish or delete some posts.

Inactive WordPress users also leave your website more vulnerable to hackers. They may be able to run scripts and take over the user’s account.

That’s why it’s a good security practice to automatically log out users who have become inactive and hide the content on their screen.

With that being said, let’s take a look at how to automatically log out idle users in WordPress using two different methods. You can use the quick links below to jump straight to the method you prefer:

The quickest way to automatically log out inactive users in WordPress is by using the WPCode plugin.

WPCode allows you to easily add custom code in WordPress without editing your theme’s functions.php file, so you don’t have to worry about breaking your site.

Plus, the plugin comes with a huge library of ready-made code snippets, including an auto-logout inactive users snippet, that you can add in a couple of clicks.

To get started, you need to install and activate the free WPCode plugin. If you need help, see our guide on how to install a WordPress plugin.

Upon activation, go to Code Snippets » + Add Snippet from your WordPress dashboard.

From there, search for the ‘Auto-logout inactive users’ snippet in the library. When you find it, hover over it, and click the ‘Use snippet’ button.

Select the Auto-logout inactive users snippet from the library

WPCode will then automatically add the code for you and select the proper insertion method.

WPCode automatically adds the code for you

After that, all you need to do is toggle the switch from ‘Inactive’ to ‘Active’ and click the ‘Update’ button.

Make the snippet active and click the Update button

That’s it. Now users will be automatically logged out of your WordPress website after 10 minutes of inactivity.

Method 2: How to Automatically Log Out Idle Users in WordPress Using a Plugin

For this method, the first thing you need to do is install and activate the Inactive Logout plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, simply go to Settings » Inactive Logout page to configure the plugin.

Settings page for Inactive Logout plugin

First, you need to enter the idle time after which a user will be automatically logged out. You can enter the time in minutes and make sure it is not too short or too long.

After that, you can enter a message that you want to be displayed to inactive users.

Below the message field, you will find more plugin options to change the auto logout functionality. The default settings will work for most websites, but you can change them if you want.

Inactive users timeout settings

You can enable the ‘Popup Background’ option if you want to change the background color of the screen when a user session times out. This will cover the user’s browser screen to keep the contents hidden from prying eyes.

The ‘Disable Timeout Countdown’ option will remove the countdown warning and will directly log out idle users.

If you don’t want to use the automatic logout feature, then you can check the ‘Show Warn Message Only’ option. Now the warning message will be displayed, but the user will not be logged out.

The ‘Disable Concurrent Logins’ option will stop your users from using the same account from different devices or browsers at the same time.

By default, the plugin displays a login popup and does not redirect users. You can enable the ‘Enable Redirect’ option to redirect users to any page you want.

After you have reviewed and changed your settings, don’t forget to click on the ‘Save Changes’ button to store them.

Setting Up Different Timeout Settings Based on User Roles

If you want to set idle timeout rules based on user roles and capabilities, then you can do so under the ‘Advanced Management’ tab on the plugin’s settings page.

First, you need to select the user roles that you want to set up differently from the global settings. After that, you will be able to select a different timeout period and redirect or even disable timeout settings for that user role.

Multi-role idle user timeout settings

Once you are satisfied with the settings, make sure you click the ‘Save Changes’ button.

To see the plugin in action, you can log in to your WordPress site and do nothing for the timeout duration in the plugin’s settings. After that, you will see a countdown timer popup appear.

Timeout countdown

You can click the ‘Continue’ button to resume working without expiring the session.

Users who don’t click the ‘Continue’ button will be logged out and will see the login screen.

Login popup

Bonus: How to Add More Security with Two-Factor Authentication

Now, one problem with this approach is that many users save their passwords using a password manager or their browser’s built-in password storage feature.

This means that their login popup will already have their username and password fields filled in. Any person can just click on the login button to access their account while they are away.

Login fields already filled in

You can make unauthorized access more difficult by adding two-step verification to the WordPress login screen.

This requires users to enter a unique one-time password generated by an app on their phone. For detailed instructions, see our guide on how to add two-factor authentication in WordPress.

Expert Guides on Protecting WordPress Login

We hope this article helped you learn how to automatically log out idle users in WordPress. You may also want to see some additional ways to protect your login screen:

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

9 CommentsLeave a Reply

  1. Syed Balkhi

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk

    I used the snippet, and it works perfectly. I have a website where more people are now logging in thanks to MemberPress. I was a bit concerned about security and ensuring that users follow some security guidelines. This helped me at least set up a system to log out inactive users, which, for me, is the first step toward greater security. Perfect in my opinion.

  3. car

    What about manually configure automatic logout idle users? Do You have any recipe?

    • WPBeginner Support

      At the moment we do not have a recommended method without using a plugin

      Admin

  4. Gina Davis

    I’m looking at ‘Inactive Logout’ It was updated a week ago.

    I have a co-worker holding a post hostage. So going to use this to kick from the post & website. I hope.

  5. Jesse Brede

    Yeah, this is no longer a working solution.

  6. David

    Has anyone found plugin that will do the same thing, but that is actively updated? Reading the forum for WP Idle Logout, people are reporting it is buggy current versions of WP.

    Thanks.

  7. esp

    this plugin hasn’t been updated for a while and isn’t tested in WP 4.1 too bad

    • Yoshitoka

      True story. I had some trouble myself with this plugin. I had to login twice before I was able to get to the wp-admin part with this plugin enabled.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.