A billboard with the text "goodbye friends"

Security is a topic that should concern any website admin. From using the latest versions of the software we run on the server to forcing the use of more secure passwords or two-step authentication, the range of options that we can implement to strengthen our website is very wide. But there is a type of “risk” against which it is very difficult to protect oneself: the user.

It’s no use to spend a lot of money on a steel shelter door if you forget to close it when leaving. The same goes for the web: if our users (or ourselves, as publishers / admins of a blog) forget to close our session after working on our website, we risk that another user comes and sees what they’re not supposed to. Especially if we work on a shared computer.

In today’s post we will see how to implement the solution that you have surely seen on your bank’s website: automatically terminating a user’s session when they’ve been idle for some time.

Logout Inactive

As almost always in WordPress, the solution to our problem is found in a plugin: Inactive Logout. Here’s what we can see in the documentation:

Inactive Logout, plugin to automatically terminate idle user sessions, thus protecting the site if the users leave unattended sessions.

Once you have installed and activated the plugin, you simply have to go to Tools » Inactive Logout to configure it:

Inactive Logout Adjustments
Inactive Logout Adjustments.

The first step is to set the Idle Timeout in minutes. That is, how many minutes a session can remain unattended before the plugin should consider it’s an idle session and, therefore, should close it.

Next comes the message that will be displayed to the user when the plugin is about to terminate a session. In my opinion, the default message is fine… but you have the possibility to change it if you wish.

Finally, we have some additional settings:

Additional Inactive Logout Settings
Additional Inactive Logout settings.
  • Popup Background. It allows you to change the background color of the pop-up message that notifies the user their session is about to be terminated.
  • Disable Timeout Countdown. By default, when the timeout is over, the plugin doesn’t directly terminate the user’s session, but instead shows a small countdown that gives the user the possibility of preventing the logout. This option allows you to deactivate said countdown and terminate the session as soon as the plugin detects an idle session.
  • Show Warn Message Only. If you do not want the user’s session to be automatically terminated whatsoever, but simply to display a warning message, you can do so with this setting. In my opinion, it doesn’t make much sense to use it, because the idea of sharing this plugin is to help you actually terminate idle sessions but… it’s up to you!
  • Disable Concurrent Logins. This options lets you prevent the same account from being used from multiple computers at once.
  • Enable Redirect. By default, when the plugin terminates an idle session, a dialog with the login form shows up. As handy as this can be, it can also be a security risk, as the content the user was working on before the logout is still visible under the form. With this option, you can change this default behavior and send the user somewhere else after an automatic logout. I strongly recommend you enable this option ?
Session closed automatically by Inactive Logout
When Inactive Logout terminates a session, the previous screen is still visible. This might reveal sensitive information, so please make sure you redirect your users somewhere else after their sessions have been terminated.

Role Settings

One of the options that I like most about this plugin is that it allows you to configure when to terminate an idle session based on the user’s WordPress role. That is, we can, for example, indicate that the plugin should terminate admin sessions when they’ve been idle for just 5 minutes, while an author session can be idle for up to half an hour before being terminated.

To set different limits depending on the role, access the Role Based Timeout tab:

Inactive Logout profile settings
Role Based Timeout.

First enable Multi-Role Timeout to unlock the user interface you see in the previous screenshot. Then, add the roles for which you want custom settings in the following field (Enable Multi-User Feature). Finally, customize the specific options in each role with the table below. It’s that easy!

In Summary

Security is something you should always keep in mind. It is an iterative and incremental process: every step you take should be a small improvement to what you already had so far. Today we have seen how can you make your website more secure by installing a plugin that terminates idle sessions.

Would you like to share some more tips? Let us know in the comments section below!

Image by Jan Tinneberg on Unsplash.

Leave a Reply

Your email address will not be published. Required fields are marked *

I have read and agree to the Nelio Software Privacy Policy

Your personal data will be located on SiteGround and will be treated by Nelio Software with the sole purpose of publishing this comment here. The legitimation is carried out through your express consent. Contact us to access, rectify, limit, or delete your data.