Linux 软件免费装
Banner图

Loggedin - Limit Concurrent Sessions

开发者 joelcj91
duckdev
更新时间 2026年7月1日 15:59
捐献地址: 去捐款
PHP版本: 7.4 及以上
WordPress版本: 7.0
版权: GPLv2 or later
版权网址: 版权信息

标签

concurrent login login limit user sessions prevent account sharing force logout

下载

2.0.2 2.0.3 1.0.1 1.1.0 1.2.0 1.3.0 1.3.1 1.3.2 2.0.4 3.0.1 2.0 2.0.1 3.0.0 3.0.2

详情介绍:

Loggedin caps the number of simultaneous WordPress sessions a user account is allowed to hold. When the cap is reached, you choose what happens next — log out the oldest device, log out every other device, or block the new login outright. It's the lightweight, no-bloat way to stop account sharing on membership sites, LMS courses, paid communities, and any WordPress install where one paid account shouldn't be open on five devices at once. The plugin hooks straight into WordPress's standard authentication pipeline and uses the native WP_Session_Tokens API, so it works on every host, with every theme, and alongside every login plugin you might already run. No cron jobs, no background polling, no third-party services. How it works A "session" in WordPress is the authenticated token created the moment a user logs in — one per browser, per device. Two browsers on the same laptop count as two sessions; a phone and a desktop count as two. Closing a tab does not end a session — the token lives server-side until the user explicitly signs out or another login displaces it. Loggedin watches every login attempt:
  1. Counts the user's current active sessions.
  2. Compares that count to the limit you've configured.
  3. Applies the rule you've picked — silently make room for the new login, or reject the new login with an error on wp-login.
There's a one-click Force Logout panel in the admin to clear every session for a specific user when someone's locked out by the cap and can't reach their other devices. Identify the user by ID, email, or username — all three work. Who it's for Features 📦 Add-ons Extend Loggedin with these official add-ons: 📚 Documentation 🐛 Bug reports Found a bug? File it on the Loggedin GitHub repository. GitHub is for bug reports and development-related issues only. For end-user support, please use the WordPress.org support forums.

安装:

  1. Install Loggedin from the WordPress.org plugin directory (Plugins → Add New → search "Loggedin") or upload the ZIP under Plugins → Add New → Upload Plugin. Full instructions: how to install a plugin.
  2. Activate the plugin.
  3. Go to Users → Loggedin to configure the concurrent-login limit and pick the rule applied when the limit is reached.
That's it. The default — limit of 1, Logout All mode — already prevents account sharing on a fresh install.

屏幕截图:

  • **Force Logout** — admin Force Logout panel.

升级注意事项:

3.0.2 Brings back the wp.org review prompt (now scoped to the Loggedin settings screen), migrates any prior dismiss state so existing users are not re-prompted, and tightens the admin layout so notices sit inside the page column. 3.0.1 A maintenance release that fixes the v2→v3 settings migration and adds the JS extension points the new Active Sessions addon hooks into. 3.0.0 A major release with a brand-new React admin, REST API, add-ons catalogue with in-dashboard license management and a documented hook surface. Back up your database before updating.

常见问题:

Will this stop users from sharing their WordPress password?

It stops simultaneous sharing — two people can't be signed in to the same account on different devices at the same time once the cap is set to 1. They can still take turns logging in if you don't want to block the new login outright. Pick Block New mode to refuse the second login entirely and force the password-sharer to also log out the first device, which most people won't do.

Does this work with WooCommerce, MemberPress, LearnDash, BuddyPress, etc.?

Yes. Loggedin hooks into the standard WordPress authentication pipeline (wp_authenticate_user and check_password), so any plugin that logs users in through the normal WordPress flow — which is essentially every membership, LMS, e-commerce, and community plugin — is covered automatically. No integration code required.

Can I set different limits for administrators and subscribers?

Yes, with the official Limit Per Role add-on. It adds a per-role panel to the settings page where you can give each WordPress role its own cap (e.g. administrators: 5, editors: 3, subscribers: 1). Users with multiple roles get the highest configured limit.

Can I set a different limit for one specific user?

Yes, with the official Limit Per User add-on. It adds a field to the WordPress profile screen so you can override the global cap on a per-user basis — useful for shared editorial accounts, executive users, or anyone who legitimately needs more sessions than your default.

Will current users be logged out when I install or change the limit?

No. Loggedin only acts when a new login happens. Existing sessions stay active until they expire, the user logs out, or a future login displaces them under the rule you've configured.

Where can I find the settings for Loggedin?

In the WordPress admin, go to Users → Loggedin. You'll see two tabs — Settings for the cap and login logic, and Add-ons for installing and licensing first-party extensions.

What are the available login logic options?

The plugin offers three built-in modes:

  • Logout Oldest — When the limit is reached, the user's single oldest active session is terminated to make room for the new login. Closest match to consumer "remember me" UX.
  • Logout All — When the limit is reached, every other active session for the user is terminated and the new login becomes the only active session.
  • Block New — When the limit is reached, the new login attempt is rejected with an error on wp-login.
Additional modes can be added via the loggedin_logics filter. See the General Settings docs for details.

How long does a login session last?

The duration of a WordPress login session is controlled by WordPress, not Loggedin.

  • "Remember Me" checked at login → session lasts 14 days.
  • "Remember Me" not checked → session lasts 2 days.
Customize the duration with the standard auth_cookie_expiration filter: function custom_auth_cookie_expiration( $expire ) { return MONTH_IN_SECONDS; // 30 days for every login. } add_filter( 'auth_cookie_expiration', 'custom_auth_cookie_expiration' );

What if a user has reached the limit but doesn't know which devices are active?

Administrators can force-logout every session for the user from the dashboard:

  1. Go to Users → Loggedin in the WordPress admin.
  2. Scroll to the Force Logout panel at the bottom of the Settings tab.
  3. Enter the user's ID, email address, or username and click Force Logout. All active sessions for that user are terminated immediately.

Does Loggedin work with Redis / Memcached / external session storage?

Yes for the Logout All and Block New modes — both go through the standard WP_Session_Tokens API, which respects whatever storage backend WordPress is configured to use. The Logout Oldest mode needs the default user-meta storage because the WP API doesn't expose a "drop the oldest" primitive; pick Logout All instead if your sessions live elsewhere.

Is Loggedin GDPR-compliant?

Loggedin stores no personal data itself. It only counts and manipulates WordPress session tokens that already exist in your database via the standard WP_Session_Tokens API. No external services are called, no telemetry is sent.

Does Loggedin slow down logins?

No. The work Loggedin does on each login is one query for the user's existing session tokens and an in-memory count — measured in microseconds. No HTTP calls, no cron jobs, no background polling.

Can I customize the error message shown when a login is blocked?

Yes, via the loggedin_error_message filter: add_filter( 'loggedin_error_message', function ( $message ) { return 'Your account is already signed in elsewhere. Sign out from another device to continue.'; } ); See the developer docs for every filter and action the plugin exposes.

更新日志:

3.0.2 3.0.1 3.0.0 2.0.4 2.0.3