
Session Management

Session Management tracks all active login sessions for users on your WordPress site. This security feature enables remote logout capabilities, suspicious activity detection, and session limit enforcement.


Overview

Why Session Management Matters

By default, WordPress has limited visibility into active user sessions. Users can remain logged in indefinitely across multiple devices with no way to:

  • See which devices are currently logged into their account
  • Remotely log out compromised or forgotten sessions
  • Detect when the same account is used from suspicious locations
  • Limit the number of concurrent sessions per user

Guard Dog’s Session Management provides complete visibility and control over user sessions.

Key Benefits

  • Complete visibility – See all active sessions with device, location, and activity details
  • Remote logout – Terminate any session from your profile or admin panel
  • Session limits – Automatically limit concurrent sessions per user
  • Suspicious activity detection – Detect IP shifts and geographic anomalies
  • Activity tracking – Monitor last activity time for each session
  • User and admin controls – Users manage their own sessions; admins manage all

How It Works

Session Lifecycle

  1. Login – When a user logs in, a session record is created with:
     • IP address
     • User agent (browser/device info)
     • Geographic location (country, city)
     • Timestamp
     • Session token hash
  2. Activity Tracking – As the user browses the site:
     • Last activity timestamp is updated
     • IP address changes are monitored
     • Session validity is verified on each request
  3. Logout – When a user logs out or the session is terminated:
     • Session record is removed
     • Authentication cookies are cleared
     • Event is logged in Activity Log

Session Validation

On every page request, Guard Dog validates the session:

  • Verifies session exists in database
  • Checks for IP address changes (if detection enabled)
  • Compares location against other active sessions
  • Enforces session timeout based on inactivity
  • Marks suspicious sessions for review

Configuration

Navigate to Guard Dog → Sessions → Settings to configure:

Basic Settings

Enable Session Tracking:

  • Default: Enabled
  • Description: Track all user login sessions
  • Recommendation: Keep enabled for security visibility

Maximum Sessions Per User:

  • Default: 5
  • Range: 1 – 20
  • Description: Maximum concurrent sessions allowed per user
  • When limit reached: Oldest session is automatically terminated
  • Recommendation: 3-5 for most sites

Session Timeout:

  • Default: 60 minutes
  • Range: 5 – 1440 minutes (24 hours)
  • Description: Inactivity period before session expires
  • Recommendation: 60 minutes for standard security; lower for sensitive sites

Security Detection

Detect IP Shifts:

  • Default: Enabled
  • Description: Flag when a session’s IP address changes
  • Use Case: Detects session hijacking or VPN switching
  • Note: May flag legitimate mobile users switching networks

Detect Geographic Anomalies:

  • Default: Enabled
  • Description: Flag concurrent sessions from different countries
  • Use Case: Detects account sharing or credential theft
  • Note: Requires two or more active sessions

Notify Users:

  • Default: Disabled
  • Description: Email users when suspicious activity is detected
  • Use Case: Alert users to potential account compromise

User Profile: Active Sessions

Users can view and manage their sessions from their WordPress profile:

  1. Go to Users → Profile
  2. Scroll to “Active Sessions” section

Session Information Displayed

For each active session, users see:

  • Device/Browser – Parsed from user agent (e.g., “Chrome on Windows”)
  • IP Address – Source IP of the session
  • Location – City and country (if available)
  • Last Activity – When the session was last used
  • Current Badge – Indicates which session you’re using now
  • Suspicious Badge – If session has been flagged

Managing Sessions

Terminate Single Session:

  1. Find the session in the list
  2. Click “Terminate” button
  3. Confirm the action
  4. Session is immediately ended

Current Session:

  • Cannot terminate your current session from this interface
  • Use the WordPress “Log Out” link instead

Admin Panel: Sessions Management

Administrators can manage all user sessions:

  1. Go to Guard Dog → Sessions

Sessions List

View all active sessions across all users with:

  • User name and avatar
  • Session details (device, IP, location)
  • Last activity time
  • Suspicious activity indicators
  • Quick terminate actions

Filtering and Search

  • Filter by specific user
  • Sort by last activity or creation date
  • Search by IP address or username

Bulk Actions

  • Terminate all sessions for a specific user
  • Terminate sessions matching specific criteria

Suspicious Activity Detection

Guard Dog monitors for two types of suspicious behavior:

IP Shift Detection

What it detects: A session’s IP address changes during use.

Why it matters:

  • Could indicate session hijacking (attacker stole session cookie)
  • Could indicate credential theft

Legitimate causes:

  • Mobile user switching from WiFi to cellular
  • VPN connection/disconnection
  • ISP assigning new dynamic IP

Response:

  • Session flagged as suspicious
  • Event logged in Activity Log
  • Optional email notification to user

Geographic Anomaly Detection

What it detects: Same user logged in from different countries simultaneously.

Why it matters:

  • Physically impossible to be in two countries at once
  • Strong indicator of credential theft or account sharing

Response:

  • All sessions flagged
  • Admin notification via dashboard
  • Optional email notification to user
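
The per-request checks from Session Validation and the two detections above, modelled in Python as an added example; this is not Guard Dog's code. The SHA-256 token hash, the `Session` fields, the in-memory `store` and the minute-based clock are assumptions, and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    ip: str
    country: str
    last_activity: int            # minutes on a constructed clock
    suspicious: bool = False

def token_key(token):
    # Assumption: the stored "session token hash" is modelled as SHA-256.
    return hashlib.sha256(token.encode()).hexdigest()

def validate(store, token, ip, country, now, timeout=60):
    """Model one request; returns (still_valid, [Activity Log event names])."""
    key = token_key(token)
    s = store.get(key)
    if s is None:
        return False, []                    # no session record
    if now - s.last_activity > timeout:
        del store[key]                      # inactivity timeout
        return False, ["session_expired"]
    events = []
    if ip != s.ip:                          # IP shift: flag, do not block
        s.suspicious = True
        s.ip, s.country = ip, country
        events.append("session_ip_shift")
    s.last_activity = now
    # Compare countries only across sessions still inside the timeout
    # window, so stale rows awaiting cleanup cannot trigger the flag.
    live = [o for o in store.values()
            if o.user == s.user and now - o.last_activity <= timeout]
    if len({o.country for o in live}) > 1:  # needs two or more sessions
        for o in live:
            o.suspicious = True             # every session of the user is flagged
        events.append("session_geo_anomaly")
    return True, events

def demo():
    # Constructed sample data: documentation IP ranges, made-up tokens.
    store = {token_key("tok-laptop"): Session("alice", "203.0.113.10", "DE", 0)}
    out = [validate(store, "tok-laptop", "203.0.113.10", "DE", 10)]
    out.append(validate(store, "tok-laptop", "198.51.100.7", "DE", 20))   # Wi-Fi to cellular
    store[token_key("tok-other")] = Session("alice", "192.0.2.44", "US", 25)
    out.append(validate(store, "tok-laptop", "198.51.100.7", "DE", 30))
    out.append(validate(store, "tok-laptop", "198.51.100.7", "DE", 200))  # idle > 60 min
    return out, store
```

In this model a flagged session stays valid, matching the advice further down to treat detection as informational rather than blocking.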

Session Limit Enforcement

When a user exceeds the maximum session limit:

  1. New login occurs
  2. Guard Dog checks active sessions
  3. If limit exceeded:
     • Oldest session (by creation time) is terminated
     • User logged out on that device
     • New session is created
  4. Event logged in Activity Log

Enforcement Strategy

  • Oldest session terminated (not most inactive)
  • User not prevented from logging in
  • No notification to user about terminated session
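
The enforcement strategy above, modelled in Python as an added example; this is not Guard Dog's code. The dict fields, the `most_inactive` comparison helper and the evict-until-it-fits loop are assumptions, and the sample data is constructed.

```python
def login(sessions, user, token_hash, now, max_sessions=5):
    """Model a login under the limit rule. Mutates `sessions`; returns logged events."""
    events = []
    mine = sorted((s for s in sessions if s["user"] == user),
                  key=lambda s: s["created"])
    # Assumption: evict until the new session fits, which also covers an
    # admin lowering the limit while more sessions than that are open.
    while len(mine) >= max_sessions:
        oldest = mine.pop(0)                  # oldest by creation time
        sessions.remove(oldest)
        events.append(("session_terminated_limit", oldest["token_hash"]))
    sessions.append({"user": user, "token_hash": token_hash,
                     "created": now, "last_activity": now})
    events.append(("session_created", token_hash))
    return events

def most_inactive(sessions, user):
    """The session an inactivity-based policy would evict instead (for comparison)."""
    mine = [s for s in sessions if s["user"] == user]
    return min(mine, key=lambda s: s["last_activity"])["token_hash"]

def demo():
    # Constructed data: times are minutes; "office" is the oldest session
    # but also the most recently used one.
    sessions = [
        {"user": "bob", "token_hash": "office", "created": 0,  "last_activity": 95},
        {"user": "bob", "token_hash": "home",   "created": 30, "last_activity": 40},
        {"user": "bob", "token_hash": "mobile", "created": 50, "last_activity": 60},
    ]
    alternative = most_inactive(sessions, "bob")
    events = login(sessions, "bob", "tablet", now=100, max_sessions=3)
    return alternative, events, [s["token_hash"] for s in sessions]
```

Here the session in active use ("office") is the one that ends, while an inactivity-based policy would have picked "home"; since the user is not notified, `session_terminated_limit` in the Activity Log is the record that explains the logout.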

Activity Logging

Session events are logged in the Activity Log:

Event                      Description
session_created            New session started
session_terminated         Session manually terminated by user/admin
session_terminated_limit   Session terminated due to max sessions limit
session_expired            Session expired due to inactivity
session_ip_shift           IP address changed mid-session
session_geo_anomaly        Concurrent sessions in different countries

View logs in Guard Dog → Activity Log and filter by session events.


Common Use Cases

Small Business Site

Scenario: Company site with 10-20 employees

Configuration:

  • Max sessions: 3 (office, home, mobile)
  • Timeout: 60 minutes
  • IP shift detection: Enabled
  • Geo anomaly detection: Enabled

E-commerce Site

Scenario: Online store with customer accounts

Configuration:

  • Max sessions: 5 (allow multiple devices)
  • Timeout: 30 minutes (security)
  • IP shift detection: Enabled
  • User notifications: Enabled (alert customers)

Multi-Admin WordPress

Scenario: Agency managing multiple sites

Configuration:

  • Max sessions: 2 (strict control)
  • Timeout: 120 minutes (allow longer work sessions)
  • Both detection types: Enabled
  • Admin notifications: Enabled

Integration with Other Features

IP Reputation

When IP Reputation is enabled, session management can:

  • Check reputation of login IP
  • Flag high-risk sessions
  • Terminate sessions from known malicious IPs

Two-Factor Authentication

Sessions work seamlessly with 2FA:

  • 2FA required for new sessions
  • Existing sessions remain valid
  • Session termination requires re-authentication

Passkeys

Passkey logins create normal sessions:

  • Sessions are tracked the same way as for password logins
  • Same timeout and limit rules apply
  • All session management features work

Troubleshooting

Sessions Not Appearing

Symptoms: No sessions shown in profile or admin

Check:

  1. Session tracking enabled? (Guard Dog → Sessions → Settings)
  2. Database table exists? (Check wp_guard_dog_sessions)
  3. User has valid login? (Try logging out and back in)

Unexpected Logouts

Symptoms: Users being logged out unexpectedly

Possible causes:

  1. Session limit reached
     • Check max sessions setting
     • User may have exceeded limit
  2. Session timeout
     • Check timeout setting
     • User may have been inactive
  3. Manual termination
     • Check Activity Log for termination events
     • Admin may have terminated session
  4. IP shift detection
     • Check if IP shift terminates sessions
     • User may have changed networks

False Positive IP Shifts

Symptoms: Sessions flagged as suspicious for legitimate IP changes

Causes:

  • Mobile users switching networks
  • VPN users connecting/disconnecting
  • Dynamic IP assignments

Solutions:

  1. Disable IP shift detection if too noisy
  2. Educate users about the alerts
  3. Consider detection as informational, not blocking

Session Database Growing Large

Symptoms: wp_guard_dog_sessions table has many rows

Note: The number of active sessions should be small. Expired sessions are cleaned up automatically.

If issue persists:

  1. Verify cleanup cron is running
  2. Check for stuck/orphaned sessions
  3. Manually clean up old sessions

Best Practices

  1. Set reasonable limits – 3-5 sessions per user balances security and convenience
  2. Configure appropriate timeout – Match your site’s security requirements
  3. Enable detection features – IP shift and geo anomaly detection catch real attacks
  4. Monitor Activity Log – Regular review catches suspicious patterns
  5. Communicate with users – Let users know about session management features
  6. Consider user experience – Very strict limits frustrate legitimate users
  7. Test before deployment – Verify settings work as expected
  8. Document for support – Create help content for users

FAQ

Q: Can users see other users’ sessions?
A: No. Users only see their own sessions. Only administrators can see all sessions.

Q: What happens when I terminate a session?
A: The user is immediately logged out on that device. They must log in again.

Q: Does session limit affect administrators?
A: Yes. The limit applies to all users including administrators.

Q: What if I get locked out?
A: Use the WordPress password reset function. Sessions don’t affect password reset.

Q: How accurate is the location data?
A: Location is based on IP geolocation, which is typically accurate to city level. VPNs may show incorrect locations.

Q: Can I disable session management for specific users?
A: Not currently. Session management applies to all users when enabled.

Q: How long are session records kept?
A: Active sessions are kept until logout or expiration. Expired sessions are cleaned up by a scheduled task.

Q: Will this slow down my site?
A: No. Session checks are lightweight and optimized. Database queries are indexed.

