Prevent users from sharing login credentials in WordPress

As any Information Governance expert will tell you, sharing usernames and passwords is bad! Fortunately we can boost your WordPress security with this tip.

Although nothing is as good as educating your users as to why they shouldn’t be sharing their usernames and passwords, in WordPress we can certainly make it difficult for them to do so.

Simply add this snippet to your functions.php file:

This snippet only allows one instance of a user credentials to be logged into to the site at once. So if your users are sharing their details, only one will be allowed in the system at a time (and the other people logging in with the same credentials will get kicked out).

Not only will this boost your sites security, but it should encourage your users to login with their own details (after a few times of being kicked out).

Posted by Matt Watson

Matt Watson is co-founder of the WordPress agency Make Do. Matt loves learning about personal, professional and web development. Learn more about Matt.

10 Replies to “Prevent users from sharing login credentials in WordPress”

  1. i am facing issues at line
    $sessions = WP_Session_Tokens::get_instance( get_current_user_id() );
    can anyone help????

    Reply

    1. Hi Albert,

      What error message are you getting?

      Reply

  2. Hi Matt,

    Thanks for offering this code. I’ve been using a plugin to do the same task, but recently stumbled upon this in an effort to ditch the plugin.

    However, this code doesn’t seem to work as of today. I logged in on 2 different devices, but the former did not get logged out; they both were able to navigate the site simultaneously.

    I suspected a caching issue, but I verified that all caching was halted while I tested your function.

    Has a recent WordPress update caused a need to modify this code at all?

    Thanks either way.

    Reply

    1. Hi Aaron,

      I haven’t checked it on the very latest version of WordPress, but now you’ve mentioned it I will, and I’ll get back to you.

      Reply

      1. Hi Aaron,

        I’ve checked, and the hook I was using was wrong. I’ve updated it now to use ‘init’ which does the trick.

        Reply

        1. …a little too well…

          Have a play around with a hook that works for you, and let me know what you find.

          Reply

  3. So, hypothetically, do you think you could put a list of User IDs into the system and do this on a per-user basis?

    Reply

    1. You could certainly use some conditional logic here to only run the logout code if the user ID is within an array of user ID’s sure.

      Reply

  4. Hello. How do you do this?

    Reply

    1. Just copy and past the code into functions.php within your theme.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.