June 22 2022

Automatically log out inactive users in WordPress

Let's see how to log out inactive users in WordPress via a simple Inactive Logout plugin

More than we admit, we leave the browser open and move on to other activities. But, unfortunately, our accounts remain inactive in that time, subject to various security risks.

With WordPress, you can automatically log out inactive users. Inactive users must log in again to resume work.

Payment gateways, banking websites, and sensitive data websites follow this rule. Log out of inactive accounts and restart them from the beginning.

In this short article, I'll show you how you can do the same on your WordPress website.

Why log out automatically from inactive users?

Inactive WordPress users pose a security risk.

If the account is logged in without any activity, the chances of session and cookie hijacking increase. At that point, hackers can run scripts to detect the account without actually using the login credentials.

In addition to hackers, having an inactive account could also mean that the user is not there to interact with it. The person may take a break, get busy with other activities, or be distracted by random activities.

Meanwhile, the account is inactive without anyone looking at it. Strangers can take a look and see what they shouldn't find.

Basically, by logging out of inactive WordPress users, you protect their accounts from any unethical use.

The hacked website takes resources and time while cleaning. It's best to keep them safe.

How to log out automatically?

To automatically log out inactive users in WordPress, you need to download a small plugin.

Activate the plugin. Open the plugin setup from Settings »Inactive Logout .

Disabled Logout

We understand and configure the Inactive Logout plugin

Setting up the Inactive Logout plug-in

Now let's see how to set the fields of Inactive Logout, a WordPress plugin that is however very essential as it is trivial that with a few settings will allow you to configure in a few minutes a feature that can certainly be very useful.

Disabled Logout

Idle Timeout: enter the time to allow users to remain inactive without logging out. Select the minutes and choose the duration accordingly. Not too long or short. By default, 15 minutes is fine.

However, if your business is dealing with sensitive information, you should reduce the duration.

Idle message content: shows a short and direct message to users before the account logs out automatically. It will show a small warning that they have been logged out of their account due to inactivity and need to log in to resume.

Popup Background: a simple but effective setting to protect user information. Selecting this option will change the color of the browser screen. Therefore, the content on the screen will not be visible to anyone who tries to peek at the display.

Timeout CountDown Period: before logging out, the user will see a countdown. If in that period the user chooses to carry out any activity, the logout will be canceled.

By default, it is 10 seconds.

Disable Timeout CountDown Period: deactivate the countdown and log off the user directly after “x” minutes of inactivity.

Disable Login Popup: it does not show the login popup and only shows the message that the user has been logged out due to inactivity.

Show Warn Message Only: instead of automatically logging the user out, it displays the warning message. The message will cover the screen if the popup background is enabled.

Disable concurrent logins: select this option to prevent simultaneous logins. The user will not be able to use an account to log in from two different devices at the same time. Instead, the user must first log out of one device to log in from the second device.

This is something that NetFlix and OTT use. They never allowed an account to log in from multiple devices at the same time.

Enable redirects: By default, the user will be redirected to the WordPress login screen after the timeout. However, you can choose to redirect the user to the page of your liking.

Review your changes and settings. Click the "Save Settings" button to save the changes.

Different timeout settings based on user roles

Idle Logout plugins allow you to set the timeout duration based on your WordPress user roles.

Go to the “Advanced Management” tab on the Plug-in Settings page. At first, you may not see all of these settings. Then you need to check the “Multi-role timeout” option.

Then you need to select the user roles for which you want to set a different timeout duration than the global settings.

In the next step, you will choose the timeout in minutes, select a page to redirect users or completely disable the timeout setting for that user role.

After making and checking the changes, click on the “Save Changes” button to save the setting.

If you want to see the plugin working, you don't need to do anything. Log into your account and do nothing for the duration of the timeout (which you have chosen).

You will see a box like this.

Users who click on the continue button can resume work without any interruption or log out.

If you don't click the Continue button, you will be automatically logged out and see the login screen. Or a modified login screen created by the plug-in.

That's all.

You have set up automatic logout for inactive users in WordPress.


Automatically log out of inactive users in WordPress is another step towards WordPress security. But without more security touchpoints, it won't do much to protect the website.

You should always use a strong password and limit failed login attempts. Also, add the security question to the WordPress page and change the login URL.

If you are looking for a powerful WordPress hosting that also takes care of security, Managed Server is for you.

In this article, I've shown you how to automatically log out inactive users. If you have any concerns or questions, please leave them in the comments section.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.


Would you like to see how your WooCommerce runs on our systems without having to migrate anything? 

Enter the address of your WooCommerce site and you will get a navigable demonstration, without having to do absolutely anything and completely free.

No thanks, my customers prefer the slow site.
Back to top