More than we admit, we leave the browser open and move to other tasks. But, unfortunately, our accounts sit idle at that time, prone to various security risks.
With WordPress, you can automatically log out idle users. The inactive users have to log in again to resume working.
Payment gateways, banking websites, and websites with sensitive data follow this rule. Log out the inactive accounts, and make them start from the beginning.
In this short article, I will show you how you can do the same on your WordPress website.
Why automatically log out idle users?
Idle WordPress users are a security risk.
If an account stays logged in without any activity, the chances of session and cookie hijacking increase. At that point, hackers can run scripts to take over the account without actually using the login credentials.
Besides hackers, having an idle account could also mean the user is not present to interact with it. The person could take a break, get busy with other tasks, or be distracted by random activity.
Meanwhile, the account is sitting idle with no one looking at it. Strangers can take a peek and see what they are not supposed to find.
Basically, by logging out the idle WordPress users, you secure their accounts from any unethical use.
Hacked websites take resources and time during clean-up. It is better to keep them secure.
How to automatically log out?
To automatically log out idle users in WordPress, you have to download a small plugin, Inactive Logout.
Activate the plugin. Open the plugin settings from Settings » Inactive Logout.
Let’s understand and configure the Inactive Logout plugin.
Inactive Logout Plugin Settings
Idle Timeout: Enter how long users may sit idle before they are logged out. Select the minutes and pick the duration accordingly, neither too long nor too short. By default, 15 minutes is a reasonable duration.
However, if your business is dealing with sensitive information, then you should lower the duration.
Idle Message Content: Show a short and straightforward message to the users before the account is automatically logged off. It will show a little notice that they have been logged out of the account due to inactivity and need to log in to resume.
Popup Background: A simple yet effective setting to protect the user’s information. Selecting this option will change the color of the browser screen. Hence, the content on the screen will not be visible to anyone trying to peek at the display.
Timeout Countdown Period: Before the log-off, the user will see a countdown. If the user performs any activity in that period, the log-out will be canceled.
By default, it is 10 seconds.
Disable Timeout Countdown: Turn off the countdown and directly log out the user after ‘x’ minutes of no activity.
Disable Login Popup: Do not show the login popup and only display the message that the user has been logged out due to idleness.
Show Warn Message Only: Instead of automatically logging out the user, display the warning message. The message will cover the screen if the popup background is enabled.
Disable Concurrent Logins: Check this option to prevent concurrent logins. The user will not be able to use one account to log in from two different devices simultaneously. Instead, the user has to log out first from one device to log in from the second device.
This is something Netflix and other OTT services use. They never let one account log in from various devices at the same time.
Enable Redirect: By default, the user will be redirected to the WordPress login screen after the timeout. However, you can choose to redirect the user to the page of your liking.
Review the changes and settings. Click on the ‘Save Settings’ button to save the changes.
Different timeout settings based on user roles
The Inactive Logout plugin allows you to set the timeout duration according to the WordPress user roles.
Go to the ‘Advance Management’ tab on the plugin’s Settings page. At first, you may not see all these settings, so you have to check the ‘Multi-Role Timeout’ option.
Then select the user roles that should get a timeout duration different from the global setting.
In the next step, you will choose the timeout in minutes, select a page to redirect the users to, or completely disable the timeout setting for that user role.
After making and reviewing changes, click on the ‘Save Changes’ button to store the setting.
To see the plugin working, log in to your account and do nothing for the timeout duration that you picked. You will see a popup box with a Continue button.
The users who click on the Continue button can resume working without any break or log out.
If you don’t click on the Continue button, you will be automatically logged out and see the log-in screen, or a modified log-in screen made by the plugin.
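A small model of how the settings described above combine (idle timeout, countdown period, per-role overrides), added here as an example; it is not the Inactive Logout plugin's code. The setting names, the sample role values, and the rule that the shortest timeout wins for a user with several roles are assumptions.

```javascript
// Added illustration; not the Inactive Logout plugin's code.
// Setting names are hypothetical stand-ins for the options described above.
const settings = {
  idleTimeoutMin: 15,        // "Idle Timeout" (global)
  countdownSec: 10,          // "Timeout Countdown Period"
  disableCountdown: false,   // "Disable Timeout Countdown"
  roleOverrides: {           // "Multi-Role Timeout" (constructed sample values)
    administrator: { idleTimeoutMin: 5 },
    editor: { idleTimeoutMin: 30 },
    subscriber: { disabled: true },
  },
};

// Resolve the effective policy for a user. Assumption: with several roles the
// strictest (shortest) timeout wins, so a "disabled" override only takes
// effect when every role the user holds disables the timeout.
function resolvePolicy(roles, cfg) {
  const limits = roles.map((r) => {
    const o = cfg.roleOverrides[r];
    if (!o) return cfg.idleTimeoutMin;            // no override: global value
    return o.disabled ? Infinity : o.idleTimeoutMin;
  });
  const idleMin = limits.length ? Math.min(...limits) : cfg.idleTimeoutMin;
  return {
    idleMs: idleMin * 60 * 1000,
    countdownMs: cfg.disableCountdown ? 0 : cfg.countdownSec * 1000,
  };
}

// Classify a session from the time of the last user activity.
// Assumption: the countdown starts once the idle timeout has elapsed.
function sessionState(policy, lastActivityMs, nowMs) {
  const idle = nowMs - lastActivityMs;
  if (idle < policy.idleMs) return 'active';
  if (idle < policy.idleMs + policy.countdownMs) return 'countdown';
  return 'logged_out';
}

// Activity (a click, a key press, the Continue button) resets the idle clock,
// but only while the session has not already been ended.
function onActivity(policy, lastActivityMs, nowMs) {
  return sessionState(policy, lastActivityMs, nowMs) === 'logged_out'
    ? lastActivityMs
    : nowMs;
}
```

The model only decides when a logout is due; the logout itself has to end the session on the server, otherwise the session cookie stays valid after the screen changes.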
You have set up the automatic log-out feature for idle users in WordPress.