How to Force Logout of the Previous Device in WordPress When a User Logs in Again
Introduction: Force Logout of the Previous Device in WordPress
If you’re running a WordPress membership or eLearning site, you might want to improve security by ensuring that a user can only be logged in from one device at a time. In other words, if user U1 logs in to Device D2 using their email abc@gmail.com, they should automatically be logged out from Device D1.
This feature is particularly useful for subscription-based websites, online courses, and digital products, where account sharing can lead to significant revenue loss. In this article, we’ll show you how to force WordPress to log out a user’s previous device whenever a new login occurs.
Why Force Logout is Important
When users share login credentials, it can:
Violate your terms of service.
Compromise user data.
Lead to server resource overuse.
Cause content piracy or misuse.
To prevent these issues, you can force WordPress to log out the previous device by using session tokens and Ajax-based session monitoring.
How This Works
When a user logs in:
WordPress creates a session token specific to that device.
If the same user logs in from another device, a new token is generated.
You can programmatically destroy the old token, forcing the previous session to log out.
This ensures only the most recent session remains active.
Why Check WordPress User Sessions?
User sessions represent the login state of your visitors. If one account is being used on multiple devices, you may want to log out previous sessions or at least warn the user. It’s especially relevant for:
eLearning platforms
Membership websites
WooCommerce stores
Custom portals with user dashboards
The default WordPress behavior does not alert users when their session is invalidated or used elsewhere. But using AJAX, you can fix that easily.
Why Not REST API?
While the REST API is powerful, it has limitations when it comes to session-based access in subdirectory WordPress setups (e.g., example.com/subsite). Issues often arise due to cookie path misalignment or permission callbacks. By contrast, using admin-ajax.php ensures cookies are read correctly and access remains consistent.
Hence, it’s smarter to check the WordPress user session with AJAX using the native WordPress admin-ajax.php endpoint.
Final Code Implementation
Below is a working solution using admin-ajax.php and JavaScript to periodically verify login status.
Step 1: Kill Old Session on Login
This ensures that when a user logs in on a new device, all previous device sessions are terminated.
Step 2: Add Ajax Check for Session Validity
Step 3: Inject JavaScript in Footer
This JavaScript checks every 15 seconds if the session is still valid. If not, it logs out the user from the current device.
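The three steps above, sketched as an added example (this is not the original article's code; the `sso_` names are hypothetical). It assumes WordPress 4.9 or later: the new cookie is not yet readable on the login request itself, so the new token is captured from the `set_logged_in_cookie` action and passed to `destroy_others()` on `wp_login`.

```php
<?php
// Added example for a theme's functions.php or a small plugin. Names prefixed sso_ are hypothetical.

// Step 1: remember the token issued for this login, then destroy every other session.
add_action( 'set_logged_in_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    $GLOBALS['sso_new_token'] = $token; // 6th argument is the new session token (WordPress 4.9+)
}, 10, 6 );
add_action( 'wp_login', function ( $user_login, $user ) {
    // Without a known token, destroy_others() would remove the new session too, so skip.
    if ( ! empty( $GLOBALS['sso_new_token'] ) ) {
        WP_Session_Tokens::get_instance( $user->ID )->destroy_others( $GLOBALS['sso_new_token'] );
    }
}, 10, 2 );

// Step 2: Ajax endpoint reporting whether the caller's cookie still maps to a live session.
// Registered for nopriv as well, because a destroyed session arrives as an anonymous request.
function sso_check_user_session() {
    wp_send_json( array( 'logged_in' => is_user_logged_in() ) );
}
add_action( 'wp_ajax_check_user_session', 'sso_check_user_session' );
add_action( 'wp_ajax_nopriv_check_user_session', 'sso_check_user_session' );

// Step 3: poll the endpoint every 15 seconds on pages rendered for a logged-in user.
add_action( 'wp_footer', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $ajax_url  = wp_json_encode( admin_url( 'admin-ajax.php' ) . '?action=check_user_session' );
    $login_url = wp_json_encode( wp_login_url() );
    ?>
    <script>
    setInterval(function () {
        fetch(<?php echo $ajax_url; ?>, { credentials: 'same-origin', cache: 'no-store' })
            .then(function (r) { return r.json(); })
            .then(function (d) { if (!d.logged_in) { window.location.href = <?php echo $login_url; ?>; } })
            .catch(function () {}); // ignore transient network errors and retry on the next tick
    }, 15000);
    </script>
    <?php
} );
```

The polling only improves the experience on the old device: once its token is destroyed, WordPress rejects that device's cookie on its next request whether or not the script runs.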
Testing the Setup
To test the setup:
Log in from Device D1 with a user.
Now log in from Device D2 with the same credentials.
You should be automatically logged out from D1 within 15 seconds.
✅ Summary
| Area | Change |
|---|---|
| 🔧 Login Hook | Use wp_login hook to destroy other session tokens during new login. |
| 🛡️ Session Tokens | Replace old session token using WP_Session_Tokens::destroy_others() to ensure single active session. |
| 🔄 Session Check | Add Ajax-based polling in wp_footer to monitor session validity every 15 seconds. |
| ⚙️ Ajax Handler | Create a new handler via wp_ajax_check_user_session to verify login state securely. |
| 📜 Header Script | Embed JavaScript using admin_url('admin-ajax.php') for seamless cross-device validation. |
| 🔒 Security Check | Use is_user_logged_in() inside Ajax to restrict unauthorized access. |
| 🚫 Avoid | Avoid using REST API (register_rest_route) for session validation if cookies are not shared properly across subfolders. |
| 📂 Subfolder Setup | Ensure WordPress constants like COOKIEPATH, SITECOOKIEPATH, and ADMIN_COOKIE_PATH are properly set for subfolder installations. |
Conclusion
This method is a lightweight and effective way to force WordPress users off their previous device when a new login is detected. It improves security, reduces account sharing, and helps protect your revenue.
By leveraging WordPress’s built-in session management and admin-ajax.php, you can create a seamless and secure experience for your users without needing third-party plugins.
If you’re building a premium membership site or LMS, this feature is a must-have to ensure only authorized access per user at a time.








