Custom Rule Recipe: Automatically Rotate WordPress Admin Session Tokens

Shield Security doesn't provide an option to automatically rotate user session tokens, so currently the only way to achieve this is to use a Custom Security Rule.

What Does It Mean To Rotate Session Tokens?

A session token is a unique hash used to identify a WordPress user session. A user/browser with a given session token (a cookie) uses this to "tell" WordPress who they are and that they have already logged-in to a WordPress site.

With this valid session token, WordPress will grant the visitor with all the privileges of that given user.

Each time a user logs in, a brand new session token is generated and assigned to that login session.

When you rotate a session token, you are assigning a brand new session token to an already-logged-in WordPress user, but the key here is that the user doesn't have to goes through the entire login process again. Their session appears to continue as-normal, but they have a brand new session token.

Why Would You Want To Rotate A WordPress Session Token?

This session token can be copied and transferred to any other browser and then used to access the same WordPress site from another location.

If this is done nefariously, this is known as session theft/hijacking.

One way to steal a session cookie is when you're not using HTTPS to communicate with the site - an attacker can "read" the requests you send to the site in plain text and steal the cookie. Another way to steal the session cookie is when your local computer is infected with malware that steals this cookie.

To help mitigate this risk, you might want to automatically rotate a session cookie to reduce the chances that a stolen session cookie can be used by anyone else. If the token has been rotated (i.e. a new token created and the old token destroyed), then a hacker cannot use the older, stolen cookie.

Auto Rotate Admin Session Cookies Rule Summary

As you can see in this video, we demonstrate how you can rotate user session using Shield's Custom Rules Builder.

When we create the rules, we want the conditions to narrow down and be as specific as possible.

Setting Up Rule Steps

The first step is to navigate to "Create New Rule" page and then

  1. Select specific conditions


    1. Is Valid Public IP Address; AND
    2. Is Logged In Normal; AND
    3. Is User Admin Normal; AND
    4. Shield Session Parameter Value Matches

      d1. Session Parameter: Session Token Duration (seconds)

      d2. Match Type: Greater Than

      d3. Compare Parameter Value To: 7200 seconds

  1. Select response


    1. User Session Rotate Auth Cookies

The summarized rule is as follows

  • IF a request comes to the site from a valid public IP address; and
  • the user is logged-in; and
  • the user is an admin; and
  • the session parameter of session token duration is at least 7200 seconds (2 hours) ; THEN
  • logout the current user session.
  1. Give a rule name: Rotate Admin Session Tokens
  2. Give a rule description: Rotate admin session tokens after 2 hours
  3. Check both confirmation checkboxes
  4. Click to create the new rule

If we go to the Manage page, we can see that the rule is created and automatically activated and it's ready to go.

In case you lock yourself out of your own site because of your rules, please use a forceoff method outlined here and then disable that rule.

We also recommend you to read: