Prevent users from sharing login credentials in WordPress

As any Information Governance expert will tell you, sharing usernames and passwords is bad! Fortunately, we can boost your WordPress security with this tip.

Although nothing is as good as educating your users as to why they shouldn’t be sharing their usernames and passwords, in WordPress we can certainly make it difficult for them to do so. Simply add this snippet to your functions.php file:

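<?php
/**
 * Login One User Instance
 *
 * Only allow one instance of a user to be logged in at any one time.
 * Every other browser session for that username is logged out, leaving
 * only the most recent sign-in.
 */
function matt_watson_example_login_one_user_instance() {
	// Nothing to do for visitors who are not logged in.
	if ( ! is_user_logged_in() ) {
		return;
	}

	// Session manager for the current user; no global variable is needed.
	$sessions = WP_Session_Tokens::get_instance( get_current_user_id() );

	// Keep the session that made this request and destroy all the others.
	$sessions->destroy_others( wp_get_session_token() );
}
// 'setup_theme' fires before the theme's functions.php is loaded, so a callback
// registered there from functions.php never runs; 'init' fires once the
// current user has been set up.
add_action( 'init', 'matt_watson_example_login_one_user_instance', 0 );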

This snippet allows only one session per set of user credentials at a time. So if your users are sharing their details, only one of them will be allowed in the system at a time (and the other people logging in with the same credentials will get kicked out).

Not only will this boost your site's security, but it should also encourage your users to log in with their own details (after being kicked out a few times).
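
A variant of the snippet above, as an added example that is not the author's code: it applies the one-session rule only to chosen accounts, skips requests that carry no session token, and logs each eviction. The function names, the filter name and the sample ID list are hypothetical.

```php
<?php
/**
 * Added example (not the author's code): enforce one session only for
 * selected accounts. All names below are hypothetical.
 */

/** Constructed sample list; replace with the IDs of the accounts to restrict. */
function example_single_session_user_ids() {
	return apply_filters( 'example_single_session_user_ids', array( 2, 7, 15 ) );
}

function example_enforce_single_session() {
	if ( ! is_user_logged_in() ) {
		return;
	}

	$user_id = get_current_user_id();
	if ( ! in_array( $user_id, array_map( 'intval', example_single_session_user_ids() ), true ) ) {
		return;
	}

	// Requests authenticated without a login cookie carry no session token.
	// destroy_others() destroys every session when the token it is given
	// does not match a stored one, so stop here.
	$token = wp_get_session_token();
	if ( '' === $token ) {
		return;
	}

	$manager = WP_Session_Tokens::get_instance( $user_id );
	$before  = count( $manager->get_all() );
	if ( $before < 2 ) {
		return; // Nothing else to end; skip the user-meta write.
	}

	$manager->destroy_others( $token );

	// Repeated evictions for one account are a sign of shared credentials.
	error_log( sprintf(
		'single-session: user %d had %d sessions, kept the current one',
		$user_id,
		$before
	) );
}
add_action( 'init', 'example_enforce_single_session', 0 );
```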

Matt Watson loves to talk about Health, Wealth and Code (mainly WordPress). Get in touch with Matt or follow Matt on Twitter to get notified about his latest posts.

26 Comments

  1. alberttrotter

    I am facing issues at line
    $sessions = WP_Session_Tokens::get_instance( get_current_user_id() );
    Can anyone help?

  3. Hi Matt,

    Thanks for offering this code. I’ve been using a plugin to do the same task, but recently stumbled upon this in an effort to ditch the plugin.

    However, this code doesn’t seem to work as of today. I logged in on 2 different devices, but the former did not get logged out; they both were able to navigate the site simultaneously.

    I suspected a caching issue, but I verified that all caching was halted while I tested your function.

    Has a recent WordPress update caused a need to modify this code at all?

    Thanks either way.

    • Hi Aaron,

      I haven’t checked it on the very latest version of WordPress, but now you’ve mentioned it I will, and I’ll get back to you.

      • Hi Aaron,

        I’ve checked, and the hook I was using was wrong. I’ve updated it now to use ‘init’ which does the trick.

        • Matt Watson

          …a little too well…

          Have a play around with a hook that works for you, and let me know what you find.

  5. So, hypothetically, do you think you could put a list of User IDs into the system and do this on a per-user basis?

    • You could certainly use some conditional logic here to only run the logout code if the user ID is within an array of user IDs, sure.

  7. Matt – this is what I need but I can’t access the snippet – there is no link on the page?
