Security Blog
Posted By Gregory

How to limit the number of concurrent user sessions in WordPress


By default, WordPress applies no limit to the number of concurrent sessions a user may create. This can put user accounts at risk of compromise and lead to personal data leakage.

The professional version of WP Cerber enables you to enhance user accounts’ security by configuring a limit to the number of concurrent user sessions a user may have open. You can configure the limits for each user role separately.

How to configure concurrent user session limits

  1. Go to the User Policies configuration page
  2. Select the role you want to configure the limits for
  3. Specify the desired number in the “Number of allowed concurrent user sessions” setting field
  4. Set the desired policy for “When the limit on concurrent user sessions is reached”

Configuring the limits to the number of concurrent user sessions in WordPress

How to limit concurrent user sessions with two-factor authentication

  1. Go to the User Policies configuration page
  2. Select the role you want to configure the limits for
  3. For “Two-factor authentication”, select “Advanced mode”
  4. Specify the desired number in the “If the number of concurrent user sessions is greater” setting field. This number must be smaller than the number specified in “Number of allowed concurrent user sessions”. The number of active user sessions is calculated including the new user session. So if you specify 1, the second login attempt and all further ones will require the user to complete the 2FA verification process.

Configuring the limits to the number of concurrent user sessions in WordPress with two-factor authentication

Read more on how to configure two-factor authentication for WordPress.

How to disable limiting

If you leave a configuration field empty or specify 0 (zero), the limiting feature is not active.

How to monitor user activity

Once you’ve configured the limits, you can monitor related events on the Activity log page. Depending on your settings, WP Cerber logs the following events.

  • Attempt to log in denied (Limit on concurrent user sessions). This event means the user has reached the limit and any further attempts to log in are denied.
  • User session terminated (Limit on concurrent user sessions). This event means the user has reached the limit and the oldest user’s session has been terminated by WP Cerber allowing the user to log into the website with a new session.
  • Two-factor authentication enforced. This event means the number of concurrent user sessions has become greater than the limit, which initiates 2FA for new logins.
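
The following Python model is an added example, not WP Cerber's code: it replays the session limit, the 2FA threshold and the three logged events exactly as this page describes them, so you can check what a given pair of values will do before applying it to a role. The `on_limit` labels and the rule that a denied login never reaches the 2FA prompt are assumptions.

```python
from dataclasses import dataclass

# Event names copied from the Activity log list on this page.
DENIED = "Attempt to log in denied (Limit on concurrent user sessions)"
TERMINATED = "User session terminated (Limit on concurrent user sessions)"
TWO_FA = "Two-factor authentication enforced"

@dataclass
class RolePolicy:
    max_sessions: int = 0    # "Number of allowed concurrent user sessions"; 0 = off
    twofa_above: int = 0     # "If the number of concurrent user sessions is greater"; 0 = off
    on_limit: str = "deny"   # hypothetical labels: "deny" or "terminate_oldest"

    def __post_init__(self):
        if self.on_limit not in ("deny", "terminate_oldest"):
            raise ValueError("unknown on_limit policy")
        # The page requires the 2FA threshold to be smaller than the session limit.
        if self.max_sessions and self.twofa_above >= self.max_sessions:
            raise ValueError("2FA threshold must be smaller than the session limit")

def evaluate_login(policy, active):
    """Return (allowed, active_sessions_after, events) for one login attempt."""
    events = []
    if policy.max_sessions and active >= policy.max_sessions:
        if policy.on_limit == "deny":
            # Assumption: a denied login is rejected before any 2FA prompt.
            return False, active, [DENIED]
        active -= 1  # the oldest session is terminated to make room
        events.append(TERMINATED)
    # The session count used for the 2FA check includes the new session.
    if policy.twofa_above and active + 1 > policy.twofa_above:
        events.append(TWO_FA)
    return True, active + 1, events

def simulate(policy, attempts):
    """Events logged for consecutive logins by one user, none logging out."""
    active, log = 0, []
    for _ in range(attempts):
        _, active, events = evaluate_login(policy, active)
        log.append(events)
    return log

if __name__ == "__main__":
    for on_limit in ("deny", "terminate_oldest"):
        policy = RolePolicy(max_sessions=3, twofa_above=1, on_limit=on_limit)
        for n, events in enumerate(simulate(policy, 4), start=1):
            print(on_limit, "login", n, events or ["(no event)"])
```

With a limit of 3 and a 2FA threshold of 1, the first login is silent, the second and third trigger 2FA, and the fourth is either denied or replaces the oldest session, depending on the policy.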

The bottom line

Limiting the number of concurrent user sessions brings the following advantages:

  • Reducing the risk of personal data leakage through abandoned sessions
  • Reducing the risk of compromising user accounts by reusing credentials across multiple computers
  • Stopping your users from sharing their WordPress usernames, passwords, and accounts

At the same time, the features described in this article are unrelated to the limit login attempts feature and do not replace it. Limiting the number of concurrent user sessions is an additional security measure that gives your WordPress a professional-grade defense.

Have any questions?

If you have questions regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered here: G2.COM/WPCerber.


I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.
