| 开发者 |
joelcj91
duckdev |
|---|---|
| 更新时间 | 2026年7月1日 15:59 |
| 捐献地址: | 去捐款 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
WP_Session_Tokens API, so it works on every host, with every theme, and alongside every login plugin you might already run. No cron jobs, no background polling, no third-party services.
How it works
A "session" in WordPress is the authenticated token created the moment a user logs in — one per browser, per device. Two browsers on the same laptop count as two sessions; a phone and a desktop count as two. Closing a tab does not end a session — the token lives server-side until the user explicitly signs out or another login displaces it.
Loggedin watches every login attempt:
WP_Session_Tokens API. Stock WordPress, Redis, Memcached — all supported (the Logout Oldest mode needs the default user-meta storage; the other modes work everywhere).1, Logout All mode — already prevents account sharing on a fresh install.It stops simultaneous sharing — two people can't be signed in to the same account on different devices at the same time once the cap is set to 1. They can still take turns logging in if you don't want to block the new login outright. Pick Block New mode to refuse the second login entirely and force the password-sharer to also log out the first device, which most people won't do.
Yes. Loggedin hooks into the standard WordPress authentication pipeline (wp_authenticate_user and check_password), so any plugin that logs users in through the normal WordPress flow — which is essentially every membership, LMS, e-commerce, and community plugin — is covered automatically. No integration code required.
Yes, with the official Limit Per Role add-on. It adds a per-role panel to the settings page where you can give each WordPress role its own cap (e.g. administrators: 5, editors: 3, subscribers: 1). Users with multiple roles get the highest configured limit.
Yes, with the official Limit Per User add-on. It adds a field to the WordPress profile screen so you can override the global cap on a per-user basis — useful for shared editorial accounts, executive users, or anyone who legitimately needs more sessions than your default.
No. Loggedin only acts when a new login happens. Existing sessions stay active until they expire, the user logs out, or a future login displaces them under the rule you've configured.
In the WordPress admin, go to Users → Loggedin. You'll see two tabs — Settings for the cap and login logic, and Add-ons for installing and licensing first-party extensions.
The plugin offers three built-in modes:
loggedin_logics filter. See the General Settings docs for details.
The duration of a WordPress login session is controlled by WordPress, not Loggedin.
auth_cookie_expiration filter:
function custom_auth_cookie_expiration( $expire ) {
return MONTH_IN_SECONDS; // 30 days for every login.
}
add_filter( 'auth_cookie_expiration', 'custom_auth_cookie_expiration' );
Administrators can force-logout every session for the user from the dashboard:
Yes for the Logout All and Block New modes — both go through the standard WP_Session_Tokens API, which respects whatever storage backend WordPress is configured to use. The Logout Oldest mode needs the default user-meta storage because the WP API doesn't expose a "drop the oldest" primitive; pick Logout All instead if your sessions live elsewhere.
Loggedin stores no personal data itself. It only counts and manipulates WordPress session tokens that already exist in your database via the standard WP_Session_Tokens API. No external services are called, no telemetry is sent.
No. The work Loggedin does on each login is one query for the user's existing session tokens and an in-memory count — measured in microseconds. No HTTP calls, no cron jobs, no background polling.
Yes, via the loggedin_error_message filter:
add_filter( 'loggedin_error_message', function ( $message ) {
return 'Your account is already signed in elsewhere. Sign out from another device to continue.';
} );
See the developer docs for every filter and action the plugin exposes.
duckdev/wp-review-notice library and scoped to the Loggedin settings screen with a 7-day delay.#wpcontent padding.loggedin.admin.tabs JS filter — addons can register their own React component as a tab in the Loggedin admin nav, with optional before / after positioning hints. Powers the new Active Sessions addon.loggedin.settings.force_logout.cross_sell so addons can hide or replace it once installed./loggedin/v1/ for settings, session management and add-on licensing.loggedin_settings option registered with show_in_rest, readable and writable by the React admin and by external integrations through the standard core-data flow.loggedin_register_addon filter and appear in the Add-ons tab.PanelBody to the Settings tab via the loggedin.settings.panels filter.loggedin_init, loggedin_settings_defaults, loggedin_admin_script_vars, loggedin_addons_catalog, loggedin_destroy_oldest_session and more.DuckDev\Loggedin\) and aligned with WordPress Coding Standards.