By default, a WordPress user can log in to an account from multiple locations at the same time. This may compromise the security of your multi-author WordPress site, and it can definitely hurt your profits if you run a membership site. In this article, we will show you how to stop users from sharing passwords in WordPress by blocking concurrent logins.
How Does WordPress Handle User Sessions?
Before we move on, let's talk a bit about how WordPress handles user sessions. Like many other web applications, WordPress uses cookies to identify a logged-in user. These cookies do not contain your password, just your username and a special key as proof that you knew the password.
Now if you access your site from a public location and, by habit, check the “Remember Me” box, then anyone using that computer can log in to your site, because WordPress allows the same username to be logged in from two different locations.
This is a bit troublesome for security, but it can also be bad for business if you run a membership site selling premium content.
Users can simply share their password with their friends and use the same login information to consume your paid content.
Now wouldn’t it be nice if you could prevent users from staying logged into the same account from multiple places?
Recently when a user asked us this question, we looked around and found a plugin that prevents concurrent logins.
Prevent Concurrent Logins and Password Sharing in WordPress
The first thing you need to do is install and activate the Prevent Concurrent Logins plugin. It works out of the box and there are no settings for you to configure.
You can test the plugin in action by signing in to your WordPress site from two different browsers on your computer or using the private / incognito mode.
When you log in to your site with the same username and password in the second browser, the login will succeed. However, the plugin will terminate the old session, and clicking on any link in the previous browser window will take you to the login page.
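The "newest session wins" behavior described above can be sketched with WordPress's own session token API. This is an added example, not the Prevent Concurrent Logins plugin's code; the plugin name and function name are hypothetical, and it assumes WordPress 4.9 or later, where the `set_logged_in_cookie` action passes the new session token.

```php
<?php
/**
 * Plugin Name: Newest Session Wins (added example, hypothetical name)
 */

// Fires when WordPress issues the logged-in cookie for a new session.
// The sixth argument, $token, is the token of the session just created.
add_action( 'set_logged_in_cookie', 'example_newest_session_wins', 10, 6 );

function example_newest_session_wins( $cookie, $expire, $expiration, $user_id, $scheme, $token = '' ) {
	if ( '' === $token ) {
		return; // Older cores do not pass the token; do nothing rather than guess.
	}

	$manager  = WP_Session_Tokens::get_instance( $user_id );
	$sessions = $manager->get_all(); // Includes the session that was just created.

	if ( count( $sessions ) < 2 ) {
		return; // No other active session for this account.
	}

	// Each stored session records the IP address it was created from.
	// Several distinct IPs on one account is a useful signal of shared credentials.
	$ips = array();
	foreach ( $sessions as $session ) {
		if ( ! empty( $session['ip'] ) ) {
			$ips[] = $session['ip'];
		}
	}
	$ips = array_unique( $ips );

	if ( count( $ips ) > 1 ) {
		error_log( sprintf(
			'Concurrent login for user %d: ending %d older session(s); IPs seen: %s',
			$user_id,
			count( $sessions ) - 1,
			implode( ', ', $ips )
		) );
	}

	// Keep only the new session; every older cookie for this user stops working.
	$manager->destroy_others( $token );
}
```

Because the older sessions are deleted server-side, the first browser is sent to the login page on its next request, which matches the behavior you see when testing with two browsers.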
That’s all. We hope this article helped you learn how to stop users from sharing passwords in WordPress by blocking concurrent logins. You may also want to check out our guide on how to monitor user activity in WordPress with Simple History.
Also, just a friendly reminder: passwords can be hacked. If you want to avoid this, then you need to use strong passwords on your WordPress site. You may also want to force strong passwords for all users on your WordPress site.
Dwayne
I want to allow the sharing of user credentials, but I want to set how many sessions are allowed. So I want to give access to resources by creating 1 account and stating that only 20 active sessions are allowed. If session 21 comes in, it is denied access. Is there anything that allows that?
Mike
This really doesn’t prevent someone from sharing their username and password with someone else. It only prevents them from being logged in at the same time.
Toon van der Struijk
I’ve tested the plugin ‘Prevent Concurrent Logins’ but am in doubt of really using it.
The thing that bothers me the most, is that every New session is honored in favour of an Old (existing) session.
This means that a user who is successfully logged in gets locked out as soon as someone else is logging in with the same credentials. In my opinion this is not very user friendly, and actually it should work the other way around.
When a user (B) is trying to log in by using the same credentials from a user (A) who is already logged in, user B should get a warning that logging in with these credentials is not possible at the moment because someone else (user A) is using it.
This keeps user A logged in
WPBeginner Staff
Yes that would be a good title too. The post idea came from a user worried that their premium users were sharing passwords with their friends. Which is a major concern for many site owners offering premium content, downloads, and membership sites. We were hoping this title would help them.
Eric Mann
I was a bit confused by this article when I started reading. By “stop users from sharing passwords,” I imagined you were explaining a way to prevent duplicate passwords in the database (which, by itself, would be a massive security vulnerability). I was confused again when you started talking about user sessions, but then everything clicked.
Perhaps a better title would be “How to Stop Users from Sharing Login Sessions”? It’s a bit more on target with what the article is about.
Daryl Griffiths
Just what I needed for my intranet site, to run alongside the ‘idle logout’ plugin.