Hey there! Have you ever needed to quickly log out every single user from your WordPress site? Maybe you suspect a hacker has gotten unauthorized access, or you want to ensure users reset their passwords.
Whatever the reason, having all active sessions ended instantly can be a crucial troubleshooting and security step. But WordPress doesn't have a big red "Log Out Everyone" button in the admin dashboard.
Don't worry though – with a quick modification to one of WordPress's core files, you can invalidate all logged-in user cookies and force everyone to re-authenticate.
In this guide, I'll walk you through the simple steps to force logout all users in WordPress. I'll also share some important tips to harden your site's security and password policies to help prevent unauthorized access in the first place. Let's dive in!
Understanding WordPress User Authentication
To understand how force-logging out all users works, it's helpful to know a bit about how WordPress manages user authentication behind the scenes.
When someone successfully logs into WordPress, the system sets cookies in their browser. These contain the username, an expiration timestamp, and a hash of those values computed with the site's secret keys and salts. On every subsequent page request, WordPress checks for those authentication cookies and verifies the hash matches what's expected for that user.
As long as the cookies are valid and not expired, WordPress considers that browser session authenticated and grants access to the user's roles and permissions.
Normally, a login cookie remains valid until one of the following happens:
- The user explicitly logs out, which deletes the auth cookies
- The cookie's expiration time is reached (by default 2 days, or 14 days if "Remember Me" was checked)
- The user's password is changed, which invalidates any previous cookies
So to force log out all users, we need a way to make WordPress treat every user's auth cookies as invalid. Let's look at how to do that.
Steps to Force Logout All WordPress Users
Here's the quick and easy way to invalidate all active user sessions on your WordPress site:
- Back up your WordPress files, especially wp-config.php
- Connect to your WordPress file directory via FTP or hosting file manager
- Download a copy of wp-config.php and open it for editing
- Find the section defining your authentication keys and salts
- Generate new random keys and salts at https://api.wordpress.org/secret-key/1.1/salt/
- Replace the existing key definitions in wp-config.php with the newly generated ones
- Save your changes and re-upload wp-config.php to your server
By updating the authentication keys and salts in wp-config.php, you instantly make all existing login cookies invalid. Any browser that sends a request to WordPress will fail the cookie hash comparison check and be booted back to the login screen.
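To make that cookie check concrete, here is an added Python model of the WordPress authentication cookie. It is my code, not WordPress's: it follows the shape of wp_hash(), wp_generate_auth_cookie() and wp_validate_auth_cookie() but leaves out the session-token lookup, and the keys, user rows and token are constructed values. It shows why rotating the keys and salts, changing the password, or passing the expiry all make an existing cookie fail:

```python
import hashlib
import hmac

# Constructed stand-ins for the AUTH_KEY / AUTH_SALT defines in wp-config.php (not real secrets).
OLD_KEYS = {"AUTH_KEY": "old-auth-key-EXAMPLE", "AUTH_SALT": "old-auth-salt-EXAMPLE"}
NEW_KEYS = {"AUTH_KEY": "new-auth-key-EXAMPLE", "AUTH_SALT": "new-auth-salt-EXAMPLE"}

# Constructed user rows; user_pass is the stored password hash, 4 characters of
# which (offset 8) feed the cookie key, so a password change also breaks cookies.
USER = {"login": "editor", "user_pass": "$P$BEXAMPLEhashvalue0000000000000"}
USER_NEW_PASS = dict(USER, user_pass="$P$BotherHASHvalue00000000000000")

def wp_hash(data: str, keys: dict) -> str:
    """Model of wp_hash(): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT."""
    salt = (keys["AUTH_KEY"] + keys["AUTH_SALT"]).encode()
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()

def generate_auth_cookie(user: dict, keys: dict, expiration: int, token: str) -> str:
    """Model of wp_generate_auth_cookie(): 'login|expiration|token|mac'."""
    pass_frag = user["user_pass"][8:12]
    key = wp_hash(f"{user['login']}|{pass_frag}|{expiration}|{token}", keys)
    msg = f"{user['login']}|{expiration}|{token}".encode()
    mac = hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()
    return f"{user['login']}|{expiration}|{token}|{mac}"

def validate_auth_cookie(cookie: str, user: dict, keys: dict, now: int) -> bool:
    """Model of wp_validate_auth_cookie(): reject malformed or expired cookies, then
    recompute the MAC with the *current* keys and password and compare in constant time.
    (Real WordPress additionally checks the token against the user's session list.)"""
    try:
        login, expiration, token, mac = cookie.split("|")
        expiration = int(expiration)
    except ValueError:
        return False
    if login != user["login"] or expiration < now:
        return False
    expected = generate_auth_cookie(user, keys, expiration, token).rsplit("|", 1)[1]
    return hmac.compare_digest(expected, mac)

def demo(now: int = 1_700_000_000) -> dict:
    """Issue a cookie under the old keys, then see which situations still accept it."""
    cookie = generate_auth_cookie(USER, OLD_KEYS, now + 2 * 86400, "token-EXAMPLE")
    return {
        "old_keys": validate_auth_cookie(cookie, USER, OLD_KEYS, now),                   # True
        "rotated_salts": validate_auth_cookie(cookie, USER, NEW_KEYS, now),              # False
        "password_changed": validate_auth_cookie(cookie, USER_NEW_PASS, OLD_KEYS, now),  # False
        "expired": validate_auth_cookie(cookie, USER, OLD_KEYS, now + 3 * 86400),        # False
    }
```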
More Details on Editing wp-config.php
Since we're editing WordPress's core configuration file, it's important to be careful and make a backup copy first. wp-config.php is a critical file that contains your database login credentials and other key settings. A mistake here can take down your whole site.
When you open wp-config.php, you'll see the authentication keys defined like this:
define('AUTH_KEY', 'Y0=Eku2jV-EXAMPLE`w$kU}');
define('SECURE_AUTH_KEY', '$v]JBm+EXAMPLE-eq660Kf');
define('LOGGED_IN_KEY', 'LnFkEXAMPLERuc327vm+');
define('NONCE_KEY', 'EXAMPLEB3K9EX>d2Ky#kG');
define('AUTH_SALT', 'EXAMPLE9|KkM.Hpdvn"N0');
define('SECURE_AUTH_SALT', 'EXAMPLE@+yXhxLk2T>!7_');
define('LOGGED_IN_SALT', 'EXAMPLEc>Yj)wT<]+9|5`');
define('NONCE_SALT', 'EXAMPLEl5=Dw}I-3-~zGa');
The actual values will be random strings generated when WordPress was first installed. You'll want to use the WordPress.org salt generator to create brand new keys:
define('AUTH_KEY', 'zEXAMPLE{rO2uPC-BjqKZ');
define('SECURE_AUTH_KEY', 'OEXAMPLE|ZwNUg@`C80GH');
define('LOGGED_IN_KEY', 'EXAMPLE06Pi+ZG41_3G_l');
define('NONCE_KEY', ';EXAMPLE#|sWylPPa`)nL');
define('AUTH_SALT', 'EXAMPLEt(2MP8+Q@aw$sj');
define('SECURE_AUTH_SALT', '(EXAMPLE{Zs/UCqHnF9eQ');
define('LOGGED_IN_SALT', 'EXAMPLE/+:{Br?CMs+`~_');
define('NONCE_SALT', 'EXAMPLEwp>d6My[A-D)+@');
Copy and paste this full block of new definitions into wp-config.php, completely replacing the previous ones. Be sure to maintain the same formatting, with each line beginning with define( and the values wrapped in single quotes.
Once you've saved your changes and uploaded the file back to your server, all existing user sessions will be forcibly ended. You can test it by reloading your site in a browser where you were previously logged in: you should now be redirected back to the login form.
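If you would rather script the rotation than paste values by hand, here is an added Python helper (my code, not part of this guide's original steps and not a WordPress tool) that backs up wp-config.php and rewrites the eight defines with locally generated secrets in place of the api.wordpress.org output. The SAMPLE_CONFIG text and the rotate_file() name are constructed for this example:

```python
import re
import secrets
import string
from pathlib import Path

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus the single quote and backslash, so a generated value can
# never terminate or escape the PHP string literal it is written into.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# One define(...) line for any of the eight names, whatever its current value.
DEFINE_RE = re.compile(r"""^[ \t]*define\(\s*(['"])(%s)\1\s*,\s*(['"]).*?\3\s*\)\s*;"""
                       % "|".join(KEY_NAMES), re.MULTILINE)

def new_secret(length: int = 64) -> str:
    """Random value of the same length the api.wordpress.org generator emits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text: str):
    """Return (new config text, {name: new value}); refuse if any define is missing,
    so a half-rotated file is never written."""
    fresh = {}

    def replace(match: re.Match) -> str:
        fresh[match.group(2)] = new_secret()
        return f"define('{match.group(2)}', '{fresh[match.group(2)]}');"

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [name for name in KEY_NAMES if name not in fresh]
    if missing:
        raise ValueError(f"wp-config.php lacks defines for: {', '.join(missing)}")
    return new_text, fresh

def rotate_file(path: str) -> dict:
    """Back up wp-config.php as <path>.bak (as the guide advises), then rewrite it."""
    config = Path(path)
    original = config.read_text()
    Path(str(config) + ".bak").write_text(original)
    new_text, fresh = rotate_salts(original)
    config.write_text(new_text)
    return fresh

# Constructed sample of the relevant lines of a fresh wp-config.php (not a real file).
SAMPLE_CONFIG = "\n".join(["define('DB_NAME', 'wordpress');"]
                          + [f"define('{n}', 'put your unique phrase here');" for n in KEY_NAMES]
                          + ["$table_prefix = 'wp_';"])
```

Run rotate_file("/path/to/wp-config.php") against a copy first and diff it against the original; only the eight define lines should change.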
The Importance of Strong WordPress Passwords
Needing to force log out all users is often a sign of a hacked site or compromised accounts. Outdated, weak, or reused passwords are one of the most common vulnerabilities that attackers exploit to gain unauthorized access.
Consider these sobering statistics:
- WordPress sites are the target of 90,978 attacks per minute (per WordPress)
- The median time for a brute force attack to guess a 12-character password is 62 years (per Hive Systems)
- 81% of data breaches are due to weak or reused passwords (per TraceSecurity)
- The top 5 most common passwords are: 123456, 123456789, qwerty, password, 12345 (per NordPass)
If you suspect a breach, it's crucial to have all users reset their passwords to something strong and unique. Even if you're not forcing logouts due to an attack, it's wise to regularly prompt users to change and upgrade their passwords.
Some best practices for WordPress password policies include:
- Require a minimum length of 12-14 characters
- Enforce a mix of uppercase, lowercase, numbers, and symbols
- Check against lists of commonly used or compromised passwords
- Enable two-factor authentication for an extra layer of verification
- Automatically expire passwords every 60-90 days
There are several good WordPress plugins available to help implement and enforce these password security rules, such as:
- Force Strong Passwords
- Wordfence Login Security
- iThemes Security
- Jetpack
- WP Cerber Security
You can also use web.config or .htaccess rules on your server to set password strength requirements.
More Tips to Harden WordPress Security
Strong passwords are a great start, but there are a number of other security best practices that can help harden your WordPress site against unauthorized access:
- Keep your WordPress core, plugins, and themes updated to patch known vulnerabilities
- Delete unused plugins and themes to reduce your attack surface
- Use the least privileged user roles and limit admin accounts
- Enable SSL and enforce HTTPS to encrypt data in transit
- Implement a web application firewall (WAF) to block malicious traffic
- Disable XML-RPC and restrict REST API access if not needed
- Enable automatic malware scans and file change detection
- Limit failed login attempts to prevent brute force attacks
- Disable the theme and plugin file editor
- Regularly test your backups and have a disaster recovery plan
Many of these can be implemented with the help of a security plugin or service, such as:
- Sucuri Security
- Wordfence
- iThemes Security Pro
- Malcare
- Jetpack Security
By taking a multi-layered approach to securing your site, you can greatly reduce the risk of a compromise while minimizing the disruption to your users if you do need to force log out sessions.
I know dealing with potential hacks or unauthorized access can be stressful, but you've got this! With the steps and recommendations outlined above, you have the tools to respond quickly and proactively protect your WordPress site.
If you have any other questions about WordPress security or troubleshooting, feel free to ask. I'm here to help! Now go forth and keep those user sessions and passwords locked down tight.
