Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Stop Users From Sharing Passwords in WordPress

By default a WordPress user can login to an account from multiple locations at the same time. This may compromise security of your multi-author WordPress site, and it can definitely hurt your profits if you run a membership site. In this article, we will show you how to stop users from sharing passwords in WordPress by blocking concurrent logins.

How WordPress Handles User Sessions?

Prevent Concurrent Logins

Before we move on, lets talk a bit about how WordPress handles user sessions. Like many other web applications, WordPress uses cookies to identify a logged in user. These cookies do not contain your password, just your username and a special key as a proof that you knew the password.

Now if you access your site from a public location and by habit checked “Remember Me” button, then anyone from that computer can login to your site because WordPress allows the same username to be logged in from two different locations.

This is a bit troublesome for security, but it can also be bad for business if you run a membership site selling premium content.

Users can simply share their password with their friends and use the same login information to consume your paid content.

Now wouldn’t it be nice if you could prevent users from staying logged into the same account from multiple places?

Recently when a user asked us this question, we looked around and found a plugin that prevents concurrent logins.

Prevent Concurrent Logins and Password Sharing in WordPress

Concurrent logins in WordPress

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

First thing you need to do is install and activate the Prevent Concurrent Logins plugin. It works out of the box and there are no settings for you to configure.

You can test the plugin in action by signing in to your WordPress site from two different browsers on your computer or using the private / incognito mode.

When you try to login to your site with the same username and password on the second browser, you will be able to successfully login. However, the plugin will terminate the old session, and clicking on any link in the previous browser window will take you to the login page.

That’s all. We hope this article helped you learn how to stop users from sharing passwords in WordPress by blocking concurrent logins. You may also want to check out our guide on how to monitor user activity in WordPress with Simple History.

Also just a friendly reminder: Passwords can be hacked. If you wan to avoid this, then you need to use strong passwords on your WordPress site. You may also want to force strong passwords for all users on your WordPress site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Google+.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

7 CommentsLeave a Reply

  1. Syed Balkhi

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Dwayne

    I want to allow the sharing of user credentials, but i want to set how many sessions allowed. So i want to give access to resources, by creating an account 1 account and stating that only 20 active sessions are allowed. If sessions 21 comes in it is denied access. Is there anything that allows that?

  3. Mike

    This really doesn’t prevent someone from sharing their username and password with someone else. It only prevents them from being logged in at the same time.

  4. Toon van der Struijk

    I’ve tested the plugin ‘Prevent Concurrent Logins’ but am in doubt of really using it.
    The thing that bothers me the most, is that every New session is honored in favour of an Old (existing) session.
    This means that a user who is successfully logged-in gets locked out as soon as someone else is logging in with the same credentials. In my opinion this not very user friendly, and actually it should work the other way around.
    When a user (B) is trying to log in by using the same credentials from a user (A) who is already logged in, user B should get a warning that logging in with these credentials is not possible at the moment because someone else (user A) is using it.
    This keeps user A logged in

  5. WPBeginner Staff

    Yes that would be a good title too. The post idea came from a user worried that their premium users were sharing passwords with their friends. Which is a major concern for many site owners offering premium content, downloads, and membership sites. We were hoping this title would help them.

  6. Eric Mann

    I was a bit confused by this article when I started reading. By “stop users from sharing passwords,” I imagined you were explaining a way to prevent duplicate passwords in the database (which, by itself, would be a massive security vulnerability). I was confused again when you started talking about user sessions, but then everything clicked.

    Perhaps a better title would be “How to Stop Users from Sharing Login Sessions”? It’s a bit more on target with what the article is about.

  7. Daryl Griffiths

    Just what I needed for my intranet site, to run alongside the ‘idle logout’ plugin.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.