Custom Rule Recipe: Force Idle Timeout For WordPress Administrators

Shield Security already includes an option to force-logout any user whose session has been idle for a given length of time. That option lets you set only the idle duration; it offers no other parameters.

So there is no way to tie the idle-session feature to any other property of the user account or session. You might, for example, want a stricter idle timeout for administrators only, since a hijacked admin session does far more damage than a hijacked subscriber session.

This Custom Security Rules recipe demonstrates exactly how to do that.

Logout Idle Admins Rule Summary

This recipe (also walked through in the accompanying video) shows how to set up a custom security rule that builds on Shield's Idle Timeout feature. The rule automatically logs out administrators whose login session has been inactive for a set period of time.

Remember, when creating security rules, always be as specific as possible.

Setting Up Rule Steps

The first step is to navigate to the "Create New Rule" page and then:

  1. Select conditions

    IF

    1. Is Valid Public IP Address; AND
    2. Is Logged In Normal; AND
    3. Is User Admin Normal; AND
    4. Shield Session Parameter Value Matches

      • Session Parameter: Idle Interval (seconds)
      • Match Type: Greater Than
      • Compare Parameter Value To: 3600 seconds

  2. Select response

    THEN

    1. User Session Logout Current

The summarized rule is as follows:

  • IF a request comes from a valid public IP address; and
  • the user is logged-in; and
  • the user is an admin; and
  • the session parameter for idle interval is greater than 1 hour (3600 seconds); THEN
  • logout the current user session.

To finish creating the rule:

  1. Give a rule name: Logout Idle Admins
  2. Give a rule description: Logout idle admins after 1hr
  3. Check both confirmation checkboxes
  4. Click to create the new rule

If you go to the Manage page, you will see the new rule listed there, already activated.
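To make the rule's semantics concrete, the following is a small model of how the four conditions and the response combine, written in Python. It is an added example, not Shield's rule engine or any code from the plugin: the condition and response names are borrowed from the rule above, the session bookkeeping is a constructed approximation of what Shield tracks, and the request timelines at the bottom are sample data made up for illustration. It shows two points the rule text alone does not make obvious: "Greater Than" is strict, so an idle interval of exactly 3600 seconds does not fire, and the rule is evaluated on requests, so the logout happens on the first request after the idle limit has passed, while any request inside the limit resets the idle clock.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IDLE_LIMIT_SECONDS = 3600  # the "Compare Parameter Value To" setting in the rule


@dataclass
class Session:
    """Minimal stand-in for a WordPress login session (constructed; not Shield's own data)."""
    user_is_admin: bool
    logged_in: bool = True
    last_activity: Optional[int] = None  # epoch seconds of the previous request in this session
    events: List[str] = field(default_factory=list)


def is_valid_public_ip(ip: str) -> bool:
    # Condition 1: the request must come from a globally routable address.
    # Loopback, RFC 1918 and other reserved ranges do not count, which is why
    # the rule cannot fire on a site accessed as localhost or over a LAN.
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def idle_interval(session: Session, now: int) -> int:
    # "Idle Interval (seconds)": time since the last request in this session.
    if session.last_activity is None:
        return 0
    return now - session.last_activity


def rule_matches(session: Session, ip: str, now: int, limit: int = IDLE_LIMIT_SECONDS) -> bool:
    # All four conditions are ANDed, exactly as the rule lists them.
    return (
        is_valid_public_ip(ip)
        and session.logged_in                     # Is Logged In
        and session.user_is_admin                 # Is User Admin
        and idle_interval(session, now) > limit   # Greater Than: strictly greater
    )


def handle_request(session: Session, ip: str, now: int) -> str:
    """Evaluate the rule for one request. Returns 'logout' if the response fired, else 'allow'."""
    if rule_matches(session, ip, now):
        session.logged_in = False        # response: User Session Logout Current
        session.last_activity = None
        session.events.append(f"t={now}: logged out after {idle_interval(session, now)}s idle")
        return "logout"
    if session.logged_in:
        session.last_activity = now      # any request inside the limit resets the idle clock
    return "allow"


def simulate(is_admin: bool, ip: str, request_times: List[int]) -> Optional[int]:
    """Replay a sequence of request timestamps (seconds since login) for one user.

    Returns the index of the request at which the rule logged the user out,
    or None if the user was never logged out.
    """
    session = Session(user_is_admin=is_admin)
    for i, t in enumerate(request_times):
        if handle_request(session, ip, t) == "logout":
            return i
    return None


if __name__ == "__main__":
    # Constructed sample timelines, used only to illustrate the rule's behaviour.
    print(simulate(True, "1.2.3.4", [0, 1800, 3500, 7200]))   # 3: gap 3500 -> 7200 is 3700 s
    print(simulate(True, "1.2.3.4", [0, 3600]))               # None: exactly 3600 s is not > 3600
    print(simulate(False, "1.2.3.4", [0, 20000]))             # None: not an admin
    print(simulate(True, "192.168.1.10", [0, 20000]))         # None: not a public IP
```

The third and fourth timelines are the ones worth noting when you test: a subscriber idle for hours is untouched because the rule is scoped to admins, and an admin on a development site reached via a private address is never logged out because the public-IP condition fails before the idle interval is even compared.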

Rule Testing

The best way to test this is:

  1. Stay logged-in as an admin
  2. Close your browser
  3. Come back after 1hr
  4. Try to re-access your existing session (load any admin page)
  5. You should be automatically logged out and shown a logout message.

A few things to keep in mind while testing. The rule is evaluated on requests, so nothing happens while you are away: the logout is triggered by the first request you make once the idle interval exceeds 3600 seconds, and any request inside the hour resets the idle clock. If you logged in without ticking "Remember Me", WordPress issues a browser-session cookie that is discarded when the browser closes, so closing the browser would end your session regardless of the rule; log in with "Remember Me", or simply leave the browser open, so that the test exercises the rule rather than cookie expiry. Finally, the first condition requires a valid public IP address, so a site accessed via localhost or a private LAN address will never match the rule.

Important: if one of your rules locks you out of your own site, use the forceoff method outlined here to disable Shield temporarily, and then disable that rule.
