How to limit the number of concurrent user sessions in WordPress
By default, WordPress places no limit on the number of concurrent sessions a user may create. This can put user accounts at risk and lead to leakage of personal data.
The professional version of WP Cerber enables you to enhance user accounts’ security by configuring a limit to the number of concurrent user sessions a user may have open. You can configure the limits for each user role separately.
How to configure concurrent user session limits
- Go to the User Policies configuration page
- Select the role you want to configure the limits for
- Specify the desired number in the Number of allowed concurrent user sessions setting field
- Set the desired policy for When the limit on concurrent user sessions is reached
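Before choosing a number for each role, it helps to see how many sessions users actually hold today. The script below is an added example, not part of WP Cerber or the original article: it reads WordPress core's session token store through WP_Session_Tokens and reports users who would exceed a candidate limit. The role limits, the sample data, the file name and the "strictest role wins" rule are assumptions made for the example.

```php
<?php
// Added example. Inside WordPress run it with: wp eval-file audit-sessions.php
// Outside WordPress it falls back to the constructed sample data below.

/** Collect live sessions per user from WordPress core's session token store. */
function collect_sessions(): array {
    $out = [];
    foreach (get_users() as $u) { // loads every user; fine for an occasional audit
        $out[] = [
            'login'    => $u->user_login,
            'roles'    => $u->roles,
            // get_all() returns only unexpired sessions (ip, ua, login, expiration).
            'sessions' => WP_Session_Tokens::get_instance($u->ID)->get_all(),
        ];
    }
    return $out;
}

/** Report users holding more sessions than the candidate limit for their role.
 *  A limit of 0 or a role without an entry means "not limited", as in the article. */
function over_limit(array $users, array $limits): array {
    $hits = [];
    foreach ($users as $u) {
        $caps = array_filter(array_map(fn($r) => $limits[$r] ?? 0, $u['roles']));
        if (!$caps) continue;
        $limit = min($caps); // assumption: the strictest role limit wins
        $count = count($u['sessions']);
        if ($count > $limit) {
            $ips = array_unique(array_column($u['sessions'], 'ip'));
            $hits[] = sprintf('%s: %d sessions (limit %d) from %s',
                $u['login'], $count, $limit, implode(', ', $ips));
        }
    }
    return $hits;
}

// Candidate limits per role (hypothetical values to evaluate).
$limits = ['administrator' => 1, 'editor' => 2, 'subscriber' => 0];

// Constructed sample data, used only when WordPress is not loaded.
$sample = [
    ['login' => 'alice', 'roles' => ['administrator'], 'sessions' => [
        ['ip' => '192.0.2.10', 'login' => 1700000000],
        ['ip' => '198.51.100.7', 'login' => 1700003600]]],
    ['login' => 'bob', 'roles' => ['editor'], 'sessions' => [
        ['ip' => '192.0.2.44', 'login' => 1700001000]]],
];

$users = function_exists('get_users') ? collect_sessions() : $sample;
echo implode(PHP_EOL, over_limit($users, $limits)), PHP_EOL;
```

Users listed by the script are the ones who will hit the configured policy on their next login, so review them before enabling a limit for that role.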
How to limit concurrent user sessions with two-factor authentication
- Go to the User Policies configuration page
- Select the role you want to configure the limits for
- For Two-factor authentication select “Advanced mode”
- Specify the desired number in the If the number of concurrent user sessions is greater setting field. This number must be smaller than the number specified in Number of allowed concurrent user sessions. The number of active user sessions is counted including the new session, so if you specify 1, the second and all further login attempts will require the user to complete the 2FA verification process.
Read more on how to configure two-factor authentication for WordPress.
How to disable limiting
If you leave a configuration field empty or specify 0 (zero), the limiting feature is not active.
How to monitor user activity
Once you’ve configured the limits, you can monitor related events on the Activity log page. Depending on your settings, WP Cerber logs the following events.
- Attempt to log in denied (Limit on concurrent user sessions). This event means the user has reached the limit and any further attempts to log in are denied.
- User session terminated (Limit on concurrent user sessions). This event means the user has reached the limit and WP Cerber has terminated the user’s oldest session, allowing the user to log into the website with a new session.
- Two-factor authentication enforced. This event means the number of concurrent user sessions has become greater than the limit, which initiates 2FA for new logins.
The bottom line
Limiting the number of concurrent user sessions brings the following advantages:
- Reducing the risk of personal data leakage through abandoned sessions
- Reducing the risk of compromising user accounts by reusing credentials across multiple computers
- Preventing your users from sharing their WordPress usernames, passwords, and accounts
At the same time, the features described in this article are unrelated to the limit login attempts feature and do not replace it. Limiting the number of concurrent user sessions is an additional security measure that gives your WordPress site a professional-grade defense.