June 26, 2014 by Paul G. | Migrated, Shield Security

User Sessions – Who’s Logged Into My WordPress?


Ever wondered who’s currently logged in to your WordPress site?

If you’re the admin of a WordPress site, then this question has definitely crossed your mind at least once (a day)!

By default, WordPress offers absolutely no way to know this.

Shield Security lets you see this, and more.

Read on to discover how you can finally get a view on your WordPress users.

How do WordPress user sessions work?

WordPress does not use PHP sessions and does not carry any information (state) from one page load to the next – it is completely stateless.

This means that WordPress only cares that each time you load a page, you can verify that you are authenticated with it.

How does it do that?

With cookies. When you log into WordPress, it sets a number of cookies in your browser, and those cookies are checked on each page load.

What’s the advantage of having no WordPress user sessions?

Simplicity, and compatibility with more web hosting environments.

If your users’ browsers can accept cookies, then WordPress user authentication effectively just works.

What’s the disadvantage of having no user sessions in WordPress?

There are a few. The primary one is that, since WordPress is stateless, it never knows anything about what has come before.

So, by default, there is no way to know who is logged in, or who is actively using the site right now.

Furthermore, if I can “sniff” your WordPress cookies I can put them on my machine and I’ll be authenticated with your site too.  By default WordPress cannot offset these risks.

Why would you want better control over WordPress User Sessions?

If you want to know who is logged in, and from where, deeper user session management is the only way.

If you want to forcefully log out certain users for whatever reason, user session management lets you do so without affecting other logged-in users. For example:

  • You want to log out idle users (after a length of time that you decide)
  • You want to restrict a user session to an IP address (so someone can’t just sniff your cookies and apply them to their own browser – unless they’re in the same location)

Let’s say you’re an administrator of a site, and you see that somehow, some way, someone else is logged into the site under your administrator username in another location – you can immediately take action against this.  Without being able to see currently active sessions, you are blind.

User sessions simply give you a view of who is on your site and where they are. Until now, this has not been possible with WordPress.

How do the Shield Security user sessions work?

Shield Security creates simple WordPress user sessions.

It does not replace the WordPress user authentication system, but rather augments it.  In this way, we remain 100% compatible with past, current, and future WordPress releases.

When you enable the User Management feature for the first time, you’ll be logged out of WordPress.

This is because you’ve activated Shield’s user session management, and it immediately checks whether you have an active session in the database.

If it can’t find one, it logs you out – you immediately experience the effects of user session management.

Once you’re logged in again, each time you access the site it looks up your session in the database. To track your session, it places a unique cookie containing your session ID in your browser. On each page load, this ID is matched against your WordPress username to determine whether your session is valid.

You can also optionally lock sessions to IP addresses, browser or hostname for extra session hardening.
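As an added illustration (not Shield’s own code, which is PHP running inside WordPress), here is a small Python model of the mechanism described above: a store keyed by the session ID carried in the cookie, checked against the username on every page load, optionally locked to the login IP, expired after an idle timeout, and listable or revocable per user. Timestamps are passed in as plain integers so the logic runs offline.

```python
# Constructed model of the per-request check described above (not Shield's
# PHP): cookie session ID -> store lookup -> username match -> IP lock -> idle.
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    session_id: str     # value carried in the session cookie
    username: str       # WordPress login the session belongs to
    ip: str             # IP address the user logged in from
    logged_in_at: int
    last_activity: int

class SessionStore:
    """Stands in for the plugin's sessions table in the database."""

    def __init__(self, idle_timeout=900, lock_to_ip=True):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed
        self.lock_to_ip = lock_to_ip
        self.sessions = {}

    def start(self, username, ip, now):
        """On login: issue an unguessable session ID for the cookie."""
        sid = secrets.token_hex(32)
        self.sessions[sid] = Session(sid, username, ip, now, now)
        return sid

    def validate(self, sid, username, ip, now):
        """On every page load; False means 'log this user out'."""
        s = self.sessions.get(sid)
        if s is None or s.username != username:
            return False                   # unknown or mismatched cookie
        if self.lock_to_ip and s.ip != ip:
            return False                   # same cookie, different location
        if now - s.last_activity > self.idle_timeout:
            del self.sessions[sid]         # idle too long: session is gone
            return False
        s.last_activity = now              # record last activity time
        return True

    def active(self):
        """What the 'Users' table lists: who, from where, since when."""
        return [(s.username, s.ip, s.logged_in_at, s.last_activity)
                for s in self.sessions.values()]

    def revoke_user(self, username):
        """'Delete Selected': force-logout one user, leaving the rest alone."""
        before = len(self.sessions)
        self.sessions = {k: s for k, s in self.sessions.items() if s.username != username}
        return before - len(self.sessions)
```

A request whose cookie fails any of the checks is treated exactly like a request with no cookie at all, which is the "logged out" experience described above.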

How can I see who is actively logged in to my WordPress site?

In the ‘Users’ section of the plugin, you can view the currently active sessions.

It outlines:

  • the time they logged into this session
  • their last activity time
  • the username and the IP address from which they’re accessing the site (the IP links to an IP Management and Analysis section where you can see all the details for that particular address)
  • whether the user is a Security Admin or not

If you want to forcefully log out a particular user’s session(s), just select them in the table and then click the “Delete Selected” button.

The user sessions table also has a filter so you can narrow the list by username, including searching for a particular username.

Review and Manage Current WordPress User Sessions

What do you want to see?

If there is a feature that you’d like to see added to user session management, please let us know in the comments below, or contact us directly in our support centre.

We’ve built the Shield Security plugin for WordPress for you… and we’d love to hear what you think, what works, and what doesn’t.

So please tell us! 🙂


Comments (3)

    I am impressed by the features mentioned in this article. I am going to give it a try.

    Very nice and thank you very much for this service you have created.

    “You can also optionally lock sessions to IP addresses for extra session hardening.”

    What if all users login from the same internal/local ip or subnet say 192.26.02.0/24 ?

    Thank you

    Will Dangerfield

    Does this work behind cloudflare?
