Shield Security plugin is composed of the several parts (modules). The User Management is one of its modules. This module offers real user sessions, finer control over user session time-out, and ensures users have logged-in in a correct manner.
It is accessible through Shield Security Dashboard:
This module is composed of the following parts (features):
- User Session Management
- User Registration
- Password Policies
- Manual User Suspension
- Auto User Suspension
- Login Notifications
Note: If you want to by-pass accounts management rules, please see here.
How do WordPress user sessions work?
WordPress does not use PHP sessions and does not maintain information (states) from 1 page load to the next – it is completely stateless.
This means that WordPress only cares that each time you load a page, you can verify that you are authenticated with it.
How does it do that?
With Cookies. When you log into WordPress, it will set a number of cookies on your browser that are checked on each page load.
If you want to know who is logged-in, and from where, deeper user sessions management is the only way.
If you want to forcefully log-out certain users for whatever reason, with user session management you can do so without affecting other logged-in users. For example:
- You want to log-out idle users (after a certain length of time that you decide)
- You want to restrict a user session to an IP address (in this way you can’t just sniff cookies and apply them to your browser – unless you’re in the same location)
How do the WordPress Shield Security user sessions work?
When you start using User Management module for the first time, you’ll be logged out of WordPress.
This is because you’ve activated the Shield Security’s user sessions management and it’ll immediately check whether you have an active session in the database.
If it can’t find it, it logs you out – you immediately experience the effects of the user sessions managements.
Once you’re logged-in, however, each time you access the site, it’ll lookup your sessions against the database – to track your session, it places a unique cookie with your session ID. This is matches against your WordPress username and determines the validity of your session.
You can also optionally lock sessions to IP addresses for extra session hardening.
How can you see who is actively logged in to your WordPress site?
On the ‘Users’ section of the plugin Security Dashboard, you can view tables of logins, and currently active sessions.
- user name
- the IP address from which they’re accessing the site (which links to an IP Whois)
- if they are security admins or not
- their last activity time
- the time they logged into this session
Note: To find out what your IP address is, please go here: https://getshieldsecurity.com/my-ip/