IF I ASKED YOU WHO IS LOGGED IN TO YOUR WORDPRESS RIGHT NOW, WOULD YOU KNOW?
Many WordPress websites and blogs have become complex multi-user content management systems (CMS) with hundreds and sometimes even thousands of users. We have seen WordPress multisite network installations with 1000+ websites running on them.
As a WordPress administrator, what are you doing to keep an eye on what is happening and on who is logged in to your WordPress? Most probably you keep a WordPress audit trail, a record of everything that happens on your WordPress websites and blogs. But even though a WordPress audit trail is a must-have, you need more than that.
You Need to Know Who is Logged in to Your WordPress Websites and Blogs
Starting with the basics: as a WordPress website administrator it is important to have complete control of your website. If you do not have complete control of your website and of what is happening on it, how can you guarantee that it is secure and has not been hacked? How can you guarantee that someone’s WordPress user account has not been hijacked and is not being used by an attacker to inject malware or damage your website?
I can give you a million reasons why you need to know who is logged in to your WordPress. Let’s simply skip to the two most important ones. When you know who is logged in to your WordPress website you can:
- Terminate an existing session with just a click of a button,
- Block multiple sessions for the same WordPress user.
The Need to Easily Terminate a WordPress User Session
Let’s assume a disgruntled employee is logged in and you need to terminate his session before he potentially damages your WordPress website. Or let’s assume your WordPress was hacked. It can happen to anyone. At best, the only thing you can do to terminate all users’ sessions on your WordPress is to change the authentication unique keys and salts (the WordPress security keys).
To do this you need to access the WordPress wp-config.php file directly. Unfortunately this is not always possible, or you have to go through someone else to access it. If you do have access, you need to connect via FTP or SSH, find the file, generate a new set of keys with the online tool and save the file.
Oops! Five or more minutes have already passed and it is too late; too much damage has been done. That is why it is important to be able to terminate a WordPress user’s session with just a mouse click.
Find More Details about the WordPress Attack and the Attacker
When you are able to see who is logged in to your WordPress, in case of an attack you can also see from where the attacker is connecting and when he connected. You can also find out which of your WordPress user accounts have been hijacked.
Block Multiple Sessions for the Same WordPress User
In an ideal, secure and well controlled WordPress website environment each person should have his or her own WordPress user. This is vital for keeping a record of what is happening and for monitoring user productivity. Two people should never share the same WordPress username. If you want to learn more about WordPress users, roles and how to get it all organized, I recommend you read Use WordPress User Roles for Improved WordPress Security.
And once you have all your WordPress users organized as they should be, there is no need to allow multiple sessions for the same WordPress user. That means there cannot be two sessions at the same time with the same user on WordPress. By blocking multiple sessions for the same username you keep everything under control and, most importantly of all, if an attacker guesses the password of a WordPress user the attacker cannot log in while the user’s session is still active, thus thwarting the attack! Neat, isn’t it?
How Can You See Who is Logged In to Your WordPress and Block Multiple Same User Sessions?
Now that you know all the whys, you should know about the how. You can use the WordPress Users Logins Management add-on for the WP Security Audit Log plugin to do all of the above. As seen in the below screenshot, with this add-on you can:
- See who is logged in to your WordPress and WordPress multisite networks,
- See the last change every logged-in user made,
- See from where the user is logged in,
- See on which site the user is logged in (WordPress multisite),
- See the time the session was created and when it will expire,
- Terminate a session with just a click of a button,
- Restrict the number of logged-in sessions a WordPress user can have,
- Be alerted via email when multiple user sessions are blocked or allowed.
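To show what sits behind the session termination and the blocking of multiple sessions described above, here is an added example written for this article (it is not the add-on’s code and not part of the original post). It is a small must-use plugin built only on WordPress core’s WP_Session_Tokens API (WordPress 4.0 and later), which records the IP address, login time and expiry of every session; the function names starting with `example_` are assumptions of this example.

```php
<?php
/*
 * Added example (not the add-on's code): uses WordPress core's WP_Session_Tokens
 * API to list a user's active sessions, to end them without touching wp-config.php,
 * and to refuse a new login while the user already has a live session.
 * Drop it in wp-content/mu-plugins/ on a test site to try it.
 */

// Return the active (non-expired) sessions of a user as rows an admin screen could show.
// Core stores 'ip', 'ua', 'login' and 'expiration' for each session.
function example_list_user_sessions( $user_id ) {
    $rows = array();
    foreach ( WP_Session_Tokens::get_instance( $user_id )->get_all() as $s ) {
        $rows[] = array(
            'ip'      => isset( $s['ip'] ) ? $s['ip'] : 'unknown',
            'login'   => isset( $s['login'] ) ? gmdate( 'Y-m-d H:i:s', $s['login'] ) : 'unknown',
            'expires' => gmdate( 'Y-m-d H:i:s', $s['expiration'] ),
        );
    }
    return $rows;
}

// Terminate every session of one user: a single call instead of rotating the salts,
// which would log out every user on the site.
function example_terminate_user_sessions( $user_id ) {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}

// Block a second concurrent session. Priority 50 runs after core has verified the
// password (priority 20), so $user is a WP_User only when the credentials were right.
function example_block_concurrent_login( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // an earlier filter already rejected the attempt
    }
    if ( count( WP_Session_Tokens::get_instance( $user->ID )->get_all() ) > 0 ) {
        // Record the blocked attempt; an audit log plugin would capture this event.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
        error_log( sprintf( 'Blocked concurrent login for user %s from %s', $username, $ip ) );
        return new WP_Error( 'session_active', 'This user already has an active session. Log out there first.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_concurrent_login', 50, 3 );
```

Because the check happens on the authenticate filter, a correct password is not enough to open a second session while the first one is still valid, which is the behaviour the section above relies on.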