Introduction to the Users Protection feature
The Users Protection feature offers real user sessions, finer control over user session time-out, and ensures users have logged-in in a correct manner.
It's accessible from within the main navigation menu > Security Zones > Users:
Users Protection is composed of the following components:
- User Session Management
- Password Policies
- User Registration
- Manual User Suspension
- Auto User Suspension
- Login Notifications
- User Sessions Management tool
How does WordPress user sessions work?
WordPress does not use PHP sessions and does not maintain information (states) from 1 page load to the next – it is completely stateless.
This means that WordPress only cares that each time you load a page, you can verify that you are authenticated with it.
How does it do that?
With Cookies. When you log into WordPress, it will set a number of cookies on your browser that are checked on each page load.
If you want to know who is logged-in, and from where, deeper user sessions management is the only way.
If you want to forcefully log-out certain users for whatever reason, with user session management you can do so without affecting other logged-in users. For example:
- You want to log-out idle users (after a certain length of time that you decide)
- You want to restrict a user session to an IP address (in this way you can’t just sniff cookies and apply them to your browser – unless you’re in the same location)
How do the WordPress Shield Security user sessions work?
When you start using User Session Management for the first time, you’ll be logged out of WordPress.
This is because you’ve activated the Shield Security’s user sessions management and it’ll immediately check whether you have an active session in the database.
If it can’t find it, it logs you out – you immediately experience the effects of the user sessions managements.
Once you’re logged-in, however, each time you access the site, it’ll lookup your sessions against the database – to track your session, it places a unique cookie with your session ID. This is matches against your WordPress username and determines the validity of your session.
You can also optionally lock sessions to IP addresses for extra session hardening.
How can you see who is actively logged in to your WordPress site?
Under the "Tools" of the plugin Security Dashboard > User Sessions section, you can view tables of logins, and currently active sessions.
It outlines:
- user name
- the IP address from which they’re accessing the site (which links to the IP Analysis dialog) and user agent
- if they are security admins or not
- their last activity time
- the time they logged into this session
You can filter, select to delete/discard user(s) session(s) directly from within the table.
Note: If you need to find out what your IP address is, please use this page here:
https://getshieldsecurity.com/my-ip/
For more information about user sessions - who's logged into your site, please read this blog article here.