Idle users can pose a security risk. The longer an account stays logged in without interaction, the greater the chance of session hijacking, in which an attacker gains control of the account without actually using credentials to log in. This is one of the main reasons why most banks and other institutions automatically log out idle users.
When you’re operating a WordPress website by yourself, you might not really put much thought into sitting idle. But even your own account can be exploited in such a fashion. Never assume that your website is too small to gain the attention of hackers and bots.
In this tutorial, I’m going to show you how to log out inactive users to improve your WordPress security. This is but one of many ways to keep your site safe.
Setting WordPress to Log Out Idle Users
Today, I’m featuring the Idle User Logout plugin. It’s a simple system that is easy to set up and use. Although this plugin hasn’t been updated in quite some time, I did verify it to work with WordPress 4.7.3.
Go to the “Plugins” area of WordPress and click the Add New button at the top.
Search for the plugin, “Idle User Logout.” You may see a variety of plugins that show up, but you want to look for this one by name.
Click to install and activate Idle User Logout. This will add a new settings feature to WordPress.
Click on the “Settings” link in the left admin panel.
Click on the “Idle User Logout” addition from the list of tools. Your list may be different than mine depending on what plugins you have installed. However, Idle User Logout will be there if you installed this plugin.
In the general settings, you can change how long it takes for an auto logout to happen. By default, this is set to 20 seconds. Depending on your users, this may be too soon for an automatic logout. For example, what if someone simply needed to use the restroom? I would suggest setting this to five minutes, or 300 seconds.
You can also choose to disable the idle settings for the WordPress administrator, i.e., you. If you leave this box checked, the idle logout will not happen for anyone with an admin account role.
Click the “Save Changes” button to continue after making your adjustments.
Click the “Idle Behavior” tab along the top of the page.
From this screen, you can choose how the idle logout functions per user role. Here are the things you can change:
- User Role: Select which role you want to specifically set the behavior for.
- Behavior: Allows you to change what happens when the system detects the user as idle.
- Destination: If you have specific pages set up, you can have the user sent to one of them once he or she becomes idle.
- Duration: You can set specific roles to log out at different intervals. If you leave it blank, the duration in General Settings will be used.
Once you’ve made your selections, click “Save Changes.”
Now, WordPress will automatically log out idle users. You don’t have to alter behaviors for this plugin to work. If you don’t add a role, Idle User Logout will simply use the General Settings for everyone.
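To show the logic behind these settings, here is an added example (not part of the original tutorial and not the Idle User Logout plugin's own code) of a server-side idle check with a general duration, per-role durations and an exempt role. The `example_` names, the meta key and the role durations are assumptions made for illustration.

```php
<?php
// Added example, not code from the Idle User Logout plugin. Intended as a
// must-use plugin file; every "example_" name and the meta key are hypothetical.
const EXAMPLE_IDLE_DEFAULT = 300;                     // seconds, the five minutes suggested above
const EXAMPLE_IDLE_META    = 'example_last_activity'; // per-user timestamp (one per user, not per session)

// Constructed per-role durations in seconds. 0 exempts a role, like the
// plugin's administrator checkbox; unlisted roles use the default.
function example_idle_role_limits() {
    return array( 'administrator' => 0, 'editor' => 900, 'subscriber' => 120 );
}

function example_idle_limit_for( WP_User $user ) {
    $matched = array_intersect_key( example_idle_role_limits(), array_flip( $user->roles ) );
    if ( empty( $matched ) ) {
        return EXAMPLE_IDLE_DEFAULT;
    }
    // An exempt role wins; otherwise the shortest configured duration applies.
    return in_array( 0, $matched, true ) ? 0 : min( $matched );
}

// Start the clock at login so a timestamp left over from an earlier session is not reused.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, EXAMPLE_IDLE_META, time() );
}, 10, 2 );

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Heartbeat polls from an open admin tab are not user activity; ignore them.
    if ( wp_doing_ajax() && isset( $_POST['action'] ) && 'heartbeat' === $_POST['action'] ) {
        return;
    }
    $user  = wp_get_current_user();
    $limit = example_idle_limit_for( $user );
    if ( 0 === $limit ) {
        return;
    }
    $last = (int) get_user_meta( $user->ID, EXAMPLE_IDLE_META, true );
    if ( $last > 0 && ( time() - $last ) > $limit ) {
        delete_user_meta( $user->ID, EXAMPLE_IDLE_META );
        wp_logout(); // destroys the session token and clears the auth cookies
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $user->ID, EXAMPLE_IDLE_META, time() );
} );
```

Because the check runs on the server at the start of each request, a request that arrives after the idle window is rejected even if the browser tab was closed or scripts were disabled.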
Other Idle Logout Plugins to Note
While this plugin is verified to work with WordPress 4.7, some users would prefer to use tools that are up-to-date and current. Below are a few plugins that may be beneficial if you’re looking for something that has been recently developed.
BulletProof Security
BulletProof Security is an extremely popular plugin as it does more than just log out idle users. It’s an entire protection package that increases login security, monitors user traffic and keeps logs of various activities. It’s an all-in-one system that works well for keeping the site safe.
Inactive Logout
Although Inactive Logout is relatively new compared to the other plugins I’ve featured in this post, it has a few nice features that may be worth considering. For example, this plugin will send a “Wake Up!” message instead of logging out an idle user. It also has a redirect ability much like the plugin I covered above.
Keep Your WordPress Safe
Setting the website to log out idle users is one of many ways to keep your WordPress-hosted platform from being hijacked by hackers. Whether you operate the site solely by yourself or have an army of writers at your disposal, it only takes a few seconds for someone to gain control of an idle account. Improve WordPress security and keep your data protected and safe.
What kind of security plugins do you use on your site? What kind of features do you think would make Idle User Logout even better?
What about manually configuring automatic logout? Do you have any suggestions?