Description
Loggedin caps the number of simultaneous WordPress sessions a user account is allowed to hold. When the cap is reached, you choose what happens next — log out the oldest device, log out every other device, or block the new login outright. It’s the lightweight, no-bloat way to stop account sharing on membership sites, LMS courses, paid communities, and any WordPress install where one paid account shouldn’t be open on five devices at once.
The plugin hooks straight into WordPress’s standard authentication pipeline and uses the native WP_Session_Tokens API, so it works on every host, with every theme, and alongside every login plugin you might already run. No cron jobs, no background polling, no third-party services.
How it works
A “session” in WordPress is the authenticated token created the moment a user logs in — one per browser, per device. Two browsers on the same laptop count as two sessions; a phone and a desktop count as two. Closing a tab does not end a session — the token lives server-side until the user explicitly signs out or another login displaces it.
Loggedin watches every login attempt:
- Counts the user’s current active sessions.
- Compares that count to the limit you’ve configured.
- Applies the rule you’ve picked — silently make room for the new login, or reject the new login with an error on wp-login.
There’s a one-click Force Logout panel in the admin to clear every session for a specific user when someone’s locked out by the cap and can’t reach their other devices. Identify the user by ID, email, or username — all three work.
Who it’s for
- Membership sites — MemberPress, Paid Memberships Pro, Restrict Content Pro, WooCommerce Memberships, etc. Stop one paid account from being shared across a household, a classroom, or a Discord server.
- Online courses & LMS — LearnDash, LifterLMS, TutorLMS, Sensei. Make sure the seat someone paid for is actually used by that someone.
- Subscription stores — WooCommerce Subscriptions, Easy Digital Downloads recurring. Keep subscriber counts honest.
- Corporate intranets & client portals — Enforce a one-device-at-a-time policy for staff or client accounts.
- BuddyPress / BuddyBoss communities — Reduce ban-evasion and duplicate-account abuse.
- Compliance-driven sites — Healthcare, finance, education installs where audit policy requires a per-account session cap.
Features
- Global concurrent-login limit — Pick any number from 1 upwards as the per-user cap.
- Three built-in modes — Logout Oldest (kick the user’s oldest device, keep the rest), Logout All (the new login becomes the only active session), or Block New (reject the login and show an error on wp-login).
- Admin Force Logout — Type a user ID, email, or username and clear every active session for that user in one click.
- Works with any session storage — Uses the standard
WP_Session_TokensAPI. Stock WordPress, Redis, Memcached — all supported (the Logout Oldest mode needs the default user-meta storage; the other modes work everywhere). - Customizable error message — Override the message shown when a login is blocked, via a single filter.
- Built for developers — Every decision passes through documented PHP hooks and filters. Override the cap per user / role / capability, exempt service accounts, audit force-logouts, or splice the plugin into your own auth pipeline. Full hook reference in the developer docs.
- Lightweight — No cron, no background polling, no remote calls. The whole plugin runs at the moment a login happens.
- Translation-ready — Loaded with the WordPress i18n APIs; contribute translations on WordPress.org.
📦 Add-ons
Extend Loggedin with these official add-ons:
- Active Sessions — See exactly who’s signed in right now, drill into each device per user, and sign out a single session — or every session — in one click.
- Limit Per User — Override the global session cap for an individual user account directly from their WordPress profile. Perfect for tiered access or trusted-staff exemptions.
- Limit Per Role — Set a different concurrent-session cap per WordPress role. Give administrators more headroom while keeping subscribers tight, or vice versa.
- Real-time Logout — Detect logouts in near-real-time. When Loggedin terminates a session, the user’s other open tabs reload to wp-login automatically — no waiting for the next page click.
📚 Documentation
- Getting started
- General settings
- Force Logout (Manage Sessions)
- Add-ons overview
- Developer docs — hooks, filters, REST
🐛 Bug reports
Found a bug? File it on the Loggedin GitHub repository.
GitHub is for bug reports and development-related issues only. For end-user support, please use the WordPress.org support forums.
Screenshots
Installation
- Install Loggedin from the WordPress.org plugin directory (Plugins → Add New → search “Loggedin”) or upload the ZIP under Plugins → Add New → Upload Plugin. Full instructions: how to install a plugin.
- Activate the plugin.
- Go to Users → Loggedin to configure the concurrent-login limit and pick the rule applied when the limit is reached.
That’s it. The default — limit of 1, Logout All mode — already prevents account sharing on a fresh install.
FAQ
-
Will this stop users from sharing their WordPress password?
-
It stops simultaneous sharing — two people can’t be signed in to the same account on different devices at the same time once the cap is set to
1. They can still take turns logging in if you don’t want to block the new login outright. Pick Block New mode to refuse the second login entirely and force the password-sharer to also log out the first device, which most people won’t do. -
Does this work with WooCommerce, MemberPress, LearnDash, BuddyPress, etc.?
-
Yes. Loggedin hooks into the standard WordPress authentication pipeline (
wp_authenticate_userandcheck_password), so any plugin that logs users in through the normal WordPress flow — which is essentially every membership, LMS, e-commerce, and community plugin — is covered automatically. No integration code required. -
Can I set different limits for administrators and subscribers?
-
Yes, with the official Limit Per Role add-on. It adds a per-role panel to the settings page where you can give each WordPress role its own cap (e.g. administrators: 5, editors: 3, subscribers: 1). Users with multiple roles get the highest configured limit.
-
Can I set a different limit for one specific user?
-
Yes, with the official Limit Per User add-on. It adds a field to the WordPress profile screen so you can override the global cap on a per-user basis — useful for shared editorial accounts, executive users, or anyone who legitimately needs more sessions than your default.
-
Will current users be logged out when I install or change the limit?
-
No. Loggedin only acts when a new login happens. Existing sessions stay active until they expire, the user logs out, or a future login displaces them under the rule you’ve configured.
-
Where can I find the settings for Loggedin?
-
In the WordPress admin, go to Users → Loggedin. You’ll see two tabs — Settings for the cap and login logic, and Add-ons for installing and licensing first-party extensions.
-
What are the available login logic options?
-
The plugin offers three built-in modes:
- Logout Oldest — When the limit is reached, the user’s single oldest active session is terminated to make room for the new login. Closest match to consumer “remember me” UX.
- Logout All — When the limit is reached, every other active session for the user is terminated and the new login becomes the only active session.
- Block New — When the limit is reached, the new login attempt is rejected with an error on wp-login.
Additional modes can be added via the
loggedin_logicsfilter. See the General Settings docs for details. -
How long does a login session last?
-
The duration of a WordPress login session is controlled by WordPress, not Loggedin.
- “Remember Me” checked at login → session lasts 14 days.
- “Remember Me” not checked → session lasts 2 days.
Customize the duration with the standard
auth_cookie_expirationfilter:function custom_auth_cookie_expiration( $expire ) { return MONTH_IN_SECONDS; // 30 days for every login. } add_filter( 'auth_cookie_expiration', 'custom_auth_cookie_expiration' ); -
What if a user has reached the limit but doesn’t know which devices are active?
-
Administrators can force-logout every session for the user from the dashboard:
- Go to Users → Loggedin in the WordPress admin.
- Scroll to the Force Logout panel at the bottom of the Settings tab.
- Enter the user’s ID, email address, or username and click Force Logout. All active sessions for that user are terminated immediately.
-
Does Loggedin work with Redis / Memcached / external session storage?
-
Yes for the Logout All and Block New modes — both go through the standard
WP_Session_TokensAPI, which respects whatever storage backend WordPress is configured to use. The Logout Oldest mode needs the default user-meta storage because the WP API doesn’t expose a “drop the oldest” primitive; pick Logout All instead if your sessions live elsewhere. -
Is Loggedin GDPR-compliant?
-
Loggedin stores no personal data itself. It only counts and manipulates WordPress session tokens that already exist in your database via the standard
WP_Session_TokensAPI. No external services are called, no telemetry is sent. -
Does Loggedin slow down logins?
-
No. The work Loggedin does on each login is one query for the user’s existing session tokens and an in-memory count — measured in microseconds. No HTTP calls, no cron jobs, no background polling.
-
Can I customize the error message shown when a login is blocked?
-
Yes, via the
loggedin_error_messagefilter:add_filter( 'loggedin_error_message', function ( $message ) { return 'Your account is already signed in elsewhere. Sign out from another device to continue.'; } );See the developer docs for every filter and action the plugin exposes.
Reviews
Contributors & Developers
“Loggedin – Limit Concurrent Sessions” is open source software. The following people have contributed to this plugin.
Contributors“Loggedin – Limit Concurrent Sessions” has been translated into 5 locales. Thank you to the translators for their contributions.
Translate “Loggedin – Limit Concurrent Sessions” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
3.0.1
- New:
loggedin.admin.tabsJS filter — addons can register their own React component as a tab in the Loggedin admin nav, with optionalbefore/afterpositioning hints. Powers the new Active Sessions addon. - New: Cross-sell banner on the Force Logout panel routed through
loggedin.settings.force_logout.cross_sellso addons can hide or replace it once installed. - Improve: Addon card layout aligned with the 404 to 301 plugin — primary CTA pinned to the left of the footer, “More details” link on the right, title-cased license button labels.
- Fix: The v2 → v3 settings migration never ran on existing installs, leaving legacy option keys in place after the upgrade.
3.0.0
- New: Modern React-powered admin under Users → Loggedin with two tabs — Settings (concurrent-login limit + login logic + Force Logout panel) and Add-ons (catalogue + license management).
- New: REST API at
/loggedin/v1/for settings, session management and add-on licensing. - New: Unified
loggedin_settingsoption registered withshow_in_rest, readable and writable by the React admin and by external integrations through the standard core-data flow. - New: Force Logout panel now accepts a user ID, email or username — the resolver detects the input shape automatically.
- New: Add-ons module powered by Freemius — official add-ons (Real-time Logout, Limit Per User, Limit Per Role) self-register via the new
loggedin_register_addonfilter and appear in the Add-ons tab. - New: JavaScript extension slot — add-ons can append their own React
PanelBodyto the Settings tab via theloggedin.settings.panelsfilter. - New: Documented PHP hook surface —
loggedin_init,loggedin_settings_defaults,loggedin_admin_script_vars,loggedin_addons_catalog,loggedin_destroy_oldest_sessionand more. - Improve: Reorganised plugin structure (PSR-4 namespaces under
DuckDev\Loggedin\) and aligned with WordPress Coding Standards. - Improve: Comprehensive sanitisation pass across every input and option write path.
- Improve: PHP 7.4 is now the minimum supported version.
2.0.4
- Improve: Review-notice scheduling now respects the dismiss state on every admin page load.
- Fix: Invalid nonce action prevented review notices from being dismissed.
2.0.3
- Improve: Removed leftover debug code that shipped accidentally in 2.0.2.
For the full release history, see the changelog.
Meta
- Version 3.0.1
- Last updated 2 days ago
- Active installations 8,000+
- WordPress version 6.0 or higher
- Tested up to 7.0
- PHP version 7.4 or higher
- Languages
- Tags
- Advanced View
