콘텐츠로 바로가기
WordPress.org

한국어

  • 테마
  • 플러그인
  • 소식
    • 문서
    • 포럼
  • About
    • WordPress 6.9
    • 워드프레스 6.8
    • 워드프레스와 40% 웹을 위한 여정
    • 워드프레스 번역 핸드북
  • 워드프레스 한국팀
  • 워드프레스 받기
워드프레스 받기
WordPress.org

Plugin Directory

Loggedin – Limit Concurrent Sessions

  • 플러그인 제출하기
  • 내 즐겨찾기
  • 로그인
  • 플러그인 제출하기
  • 내 즐겨찾기
  • 로그인

Loggedin – Limit Concurrent Sessions

작성자: Joel James
다운로드
실시간 미리보기
  • 세부사항
  • 평가
  • 설치
  • 개발
지원

설명

Loggedin caps the number of simultaneous WordPress sessions a user account is allowed to hold. When the cap is reached, you choose what happens next — log out the oldest device, log out every other device, or block the new login outright. It’s the lightweight, no-bloat way to stop account sharing on membership sites, LMS courses, paid communities, and any WordPress install where one paid account shouldn’t be open on five devices at once.

The plugin hooks straight into WordPress’s standard authentication pipeline and uses the native WP_Session_Tokens API, so it works on every host, with every theme, and alongside every login plugin you might already run. No cron jobs, no background polling, no third-party services.

How it works

A “session” in WordPress is the authenticated token created the moment a user logs in — one per browser, per device. Two browsers on the same laptop count as two sessions; a phone and a desktop count as two. Closing a tab does not end a session — the token lives server-side until the user explicitly signs out or another login displaces it.

Loggedin watches every login attempt:

  1. Counts the user’s current active sessions.
  2. Compares that count to the limit you’ve configured.
  3. Applies the rule you’ve picked — silently make room for the new login, or reject the new login with an error on wp-login.

There’s a one-click Force Logout panel in the admin to clear every session for a specific user when someone’s locked out by the cap and can’t reach their other devices. Identify the user by ID, email, or username — all three work.

Who it’s for

  • Membership sites — MemberPress, Paid Memberships Pro, Restrict Content Pro, WooCommerce Memberships, etc. Stop one paid account from being shared across a household, a classroom, or a Discord server.
  • Online courses & LMS — LearnDash, LifterLMS, TutorLMS, Sensei. Make sure the seat someone paid for is actually used by that someone.
  • Subscription stores — WooCommerce Subscriptions, Easy Digital Downloads recurring. Keep subscriber counts honest.
  • Corporate intranets & client portals — Enforce a one-device-at-a-time policy for staff or client accounts.
  • BuddyPress / BuddyBoss communities — Reduce ban-evasion and duplicate-account abuse.
  • Compliance-driven sites — Healthcare, finance, education installs where audit policy requires a per-account session cap.

Features

  • Global concurrent-login limit — Pick any number from 1 upwards as the per-user cap.
  • Three built-in modes — Logout Oldest (kick the user’s oldest device, keep the rest), Logout All (the new login becomes the only active session), or Block New (reject the login and show an error on wp-login).
  • Admin Force Logout — Type a user ID, email, or username and clear every active session for that user in one click.
  • Works with any session storage — Uses the standard WP_Session_Tokens API. Stock WordPress, Redis, Memcached — all supported (the Logout Oldest mode needs the default user-meta storage; the other modes work everywhere).
  • Customizable error message — Override the message shown when a login is blocked, via a single filter.
  • Built for developers — Every decision passes through documented PHP hooks and filters. Override the cap per user / role / capability, exempt service accounts, audit force-logouts, or splice the plugin into your own auth pipeline. Full hook reference in the developer docs.
  • Lightweight — No cron, no background polling, no remote calls. The whole plugin runs at the moment a login happens.
  • Translation-ready — Loaded with the WordPress i18n APIs; contribute translations on WordPress.org.

📦 Add-ons

Extend Loggedin with these official add-ons:

  • Active Sessions — See exactly who’s signed in right now, drill into each device per user, and sign out a single session — or every session — in one click.
  • Limit Per User — Override the global session cap for an individual user account directly from their WordPress profile. Perfect for tiered access or trusted-staff exemptions.
  • Limit Per Role — Set a different concurrent-session cap per WordPress role. Give administrators more headroom while keeping subscribers tight, or vice versa.
  • Real-time Logout — Detect logouts in near-real-time. When Loggedin terminates a session, the user’s other open tabs reload to wp-login automatically — no waiting for the next page click.

📚 Documentation

  • Getting started
  • General settings
  • Force Logout (Manage Sessions)
  • Add-ons overview
  • Developer docs — hooks, filters, REST

🐛 Bug reports

Found a bug? File it on the Loggedin GitHub repository.

GitHub is for bug reports and development-related issues only. For end-user support, please use the WordPress.org support forums.

스크린샷

General Settings — concurrent-login limit and login logic.
General Settings — concurrent-login limit and login logic.
Force Logout — admin Force Logout panel.
Force Logout — admin Force Logout panel.

설치

  1. Install Loggedin from the WordPress.org plugin directory (Plugins → Add New → search “Loggedin”) or upload the ZIP under Plugins → Add New → Upload Plugin. Full instructions: how to install a plugin.
  2. Activate the plugin.
  3. Go to Users → Loggedin to configure the concurrent-login limit and pick the rule applied when the limit is reached.

That’s it. The default — limit of 1, Logout All mode — already prevents account sharing on a fresh install.

FAQ

Will this stop users from sharing their WordPress password?

It stops simultaneous sharing — two people can’t be signed in to the same account on different devices at the same time once the cap is set to 1. They can still take turns logging in if you don’t want to block the new login outright. Pick Block New mode to refuse the second login entirely and force the password-sharer to also log out the first device, which most people won’t do.

Does this work with WooCommerce, MemberPress, LearnDash, BuddyPress, etc.?

Yes. Loggedin hooks into the standard WordPress authentication pipeline (wp_authenticate_user and check_password), so any plugin that logs users in through the normal WordPress flow — which is essentially every membership, LMS, e-commerce, and community plugin — is covered automatically. No integration code required.

Can I set different limits for administrators and subscribers?

Yes, with the official Limit Per Role add-on. It adds a per-role panel to the settings page where you can give each WordPress role its own cap (e.g. administrators: 5, editors: 3, subscribers: 1). Users with multiple roles get the highest configured limit.

Can I set a different limit for one specific user?

Yes, with the official Limit Per User add-on. It adds a field to the WordPress profile screen so you can override the global cap on a per-user basis — useful for shared editorial accounts, executive users, or anyone who legitimately needs more sessions than your default.

Will current users be logged out when I install or change the limit?

No. Loggedin only acts when a new login happens. Existing sessions stay active until they expire, the user logs out, or a future login displaces them under the rule you’ve configured.

Where can I find the settings for Loggedin?

In the WordPress admin, go to Users → Loggedin. You’ll see two tabs — Settings for the cap and login logic, and Add-ons for installing and licensing first-party extensions.

What are the available login logic options?

The plugin offers three built-in modes:

  • Logout Oldest — When the limit is reached, the user’s single oldest active session is terminated to make room for the new login. Closest match to consumer “remember me” UX.
  • Logout All — When the limit is reached, every other active session for the user is terminated and the new login becomes the only active session.
  • Block New — When the limit is reached, the new login attempt is rejected with an error on wp-login.

Additional modes can be added via the loggedin_logics filter. See the General Settings docs for details.

How long does a login session last?

The duration of a WordPress login session is controlled by WordPress, not Loggedin.

  • “Remember Me” checked at login → session lasts 14 days.
  • “Remember Me” not checked → session lasts 2 days.

Customize the duration with the standard auth_cookie_expiration filter:

function custom_auth_cookie_expiration( $expire ) {
    return MONTH_IN_SECONDS; // 30 days for every login.
}

add_filter( 'auth_cookie_expiration', 'custom_auth_cookie_expiration' );

What if a user has reached the limit but doesn’t know which devices are active?

Administrators can force-logout every session for the user from the dashboard:

  1. Go to Users → Loggedin in the WordPress admin.
  2. Scroll to the Force Logout panel at the bottom of the Settings tab.
  3. Enter the user’s ID, email address, or username and click Force Logout. All active sessions for that user are terminated immediately.

Does Loggedin work with Redis / Memcached / external session storage?

Yes for the Logout All and Block New modes — both go through the standard WP_Session_Tokens API, which respects whatever storage backend WordPress is configured to use. The Logout Oldest mode needs the default user-meta storage because the WP API doesn’t expose a “drop the oldest” primitive; pick Logout All instead if your sessions live elsewhere.

Is Loggedin GDPR-compliant?

Loggedin stores no personal data itself. It only counts and manipulates WordPress session tokens that already exist in your database via the standard WP_Session_Tokens API. No external services are called, no telemetry is sent.

Does Loggedin slow down logins?

No. The work Loggedin does on each login is one query for the user’s existing session tokens and an in-memory count — measured in microseconds. No HTTP calls, no cron jobs, no background polling.

Can I customize the error message shown when a login is blocked?

Yes, via the loggedin_error_message filter:

add_filter( 'loggedin_error_message', function ( $message ) {
    return 'Your account is already signed in elsewhere. Sign out from another device to continue.';
} );

See the developer docs for every filter and action the plugin exposes.

후기

Espectacular

promedios 2026년 2월 2일
Sencillamente práctico y funcional

A must have plugin

frazard99 2026년 1월 4일
Keep it up!

Love it, works like a charm

DL 2025년 9월 26일
Super cool plugin, lightweight, just works.

Works perfectly for me

zchas42 2025년 8월 4일
Sell eLearning courses, need to prevent login sharing – combined with 2 factor authentication this plugin does the job very nicely.

Excellent

emmauelbright 2025년 7월 12일
I like it

Great plugin

jacseq 2025년 6월 3일
In use by us since at least two years. Simple and works properly.
모든 110 평가 읽기

기여자 & 개발자

“Loggedin – Limit Concurrent Sessions”(은)는 오픈 소스 소프트웨어입니다. 다음의 사람들이 이 플러그인에 기여하였습니다.

기여자
  • Joel James
  • Duck Dev

“Loggedin – Limit Concurrent Sessions”(이)가 5 개 언어로 번역되었습니다. 기여해 주셔서 번역자님께 감사드립니다.

자국어로 “Loggedin – Limit Concurrent Sessions”(을)를 번역하세요.

개발에 관심이 있으십니까?

코드 탐색하기는, SVN 저장소를 확인하시거나, 개발 기록을 RSS로 구독하세요.

변경이력

3.0.2

  • New: Review-request notice restored, powered by the duckdev/wp-review-notice library and scoped to the Loggedin settings screen with a 7-day delay.
  • Improve: Legacy review-notice state migrated to the new storage keys so users who already dismissed the prompt stay dismissed.
  • Improve: Admin notices now render inside the plugin’s centered page column instead of above the header, matching the 404 to 301 shell.
  • Fix: Left-hand gap between the plugin header and the admin sidebar caused by WordPress’s default #wpcontent padding.

3.0.1

  • New: loggedin.admin.tabs JS filter — addons can register their own React component as a tab in the Loggedin admin nav, with optional before / after positioning hints. Powers the new Active Sessions addon.
  • New: Cross-sell banner on the Force Logout panel routed through loggedin.settings.force_logout.cross_sell so addons can hide or replace it once installed.
  • Improve: Addon card layout aligned with the 404 to 301 plugin — primary CTA pinned to the left of the footer, “More details” link on the right, title-cased license button labels.
  • Fix: The v2 → v3 settings migration never ran on existing installs, leaving legacy option keys in place after the upgrade.

3.0.0

  • New: Modern React-powered admin under Users → Loggedin with two tabs — Settings (concurrent-login limit + login logic + Force Logout panel) and Add-ons (catalogue + license management).
  • New: REST API at /loggedin/v1/ for settings, session management and add-on licensing.
  • New: Unified loggedin_settings option registered with show_in_rest, readable and writable by the React admin and by external integrations through the standard core-data flow.
  • New: Force Logout panel now accepts a user ID, email or username — the resolver detects the input shape automatically.
  • New: Add-ons module powered by Freemius — official add-ons (Real-time Logout, Limit Per User, Limit Per Role) self-register via the new loggedin_register_addon filter and appear in the Add-ons tab.
  • New: JavaScript extension slot — add-ons can append their own React PanelBody to the Settings tab via the loggedin.settings.panels filter.
  • New: Documented PHP hook surface — loggedin_init, loggedin_settings_defaults, loggedin_admin_script_vars, loggedin_addons_catalog, loggedin_destroy_oldest_session and more.
  • Improve: Reorganised plugin structure (PSR-4 namespaces under DuckDev\Loggedin\) and aligned with WordPress Coding Standards.
  • Improve: Comprehensive sanitisation pass across every input and option write path.
  • Improve: PHP 7.4 is now the minimum supported version.

2.0.4

  • Improve: Review-notice scheduling now respects the dismiss state on every admin page load.
  • Fix: Invalid nonce action prevented review notices from being dismissed.

2.0.3

  • Improve: Removed leftover debug code that shipped accidentally in 2.0.2.

For the full release history, see the changelog.

기초

  • 버전 3.0.2
  • 최근 업데이트: 6일 전
  • 활성화된 설치 8,000+
  • 워드프레스 버전 6.0 또는 그 이상
  • 다음까지 시험됨: 7.0
  • PHP 버전 7.4 또는 그 이상
  • 언어

    Chinese (Taiwan), English (US), German, Russian, Spanish (Mexico), 그리고 Swedish.

    자국어로 번역하기

  • 태그:
    concurrent loginforce logoutlogin limitprevent account sharinguser sessions
  • 고급 보기

평점

별 5점 만점에 4.9점.
  • 105/5-별점 후기 별 5개 105
  • 2/4-별점 후기 별 4개 2
  • 0/3-별점 후기 별 3개 0
  • 2/2-별점 후기 별 2개 2
  • 1/1-별점 후기 별 1개 1

Your review

모든 리뷰 보기

기여자

  • Joel James
  • Duck Dev

지원

지난 2개월 동안 해결된 문제:

1 중 0

지원 포럼 보기

기부

이 플러그인이 발전하도록 도우시겠습니까?

이 플러그인에 기부하기

  • 소개
  • 뉴스
  • 호스팅
  • 개인정보
  • 쇼케이스
  • 테마
  • 플러그인
  • 패턴
  • 배우기
  • 지원
  • 개발자 도구
  • WordPress.tv ↗
  • 참여하기
  • 이벤트
  • 기부하기 ↗
  • 미래를 위한 5가지
  • WordPress.com ↗
  • Matt ↗
  • bbPress ↗
  • BuddyPress ↗
WordPress.org
WordPress.org

한국어

  • X(이전 트위터) 계정 방문하기
  • 블루스카이 계정 방문하기
  • 마스토돈 계정 방문하기
  • 스레드 계정 방문하기
  • 페이스북 페이지 방문하기
  • 인스타그램 계정 방문하기
  • LinkedIn 계정 방문하기
  • 틱톡 계정 방문하기
  • 유튜브 채널 방문하기
  • 텀블러 계정 방문하기
코드는 詩다
The WordPress® trademark is the intellectual property of the WordPress Foundation.