Session Management

Session Management tracks all active login sessions for users on your WordPress site. This security feature enables remote logout capabilities, suspicious activity detection, and session limit enforcement.

Overview

Why Session Management Matters

By default, WordPress has limited visibility into active user sessions. Users can remain logged in indefinitely across multiple devices with no way to:

  • See which devices are currently logged into their account
  • Remotely log out compromised or forgotten sessions
  • Detect when the same account is used from suspicious locations
  • Limit the number of concurrent sessions per user

Guard Dog's Session Management provides complete visibility and control over user sessions.

Key Benefits

  • Complete visibility – See all active sessions with device, location, and activity details
  • Remote logout – Terminate any session from your profile or admin panel
  • Session limits – Automatically limit concurrent sessions per user
  • Suspicious activity detection – Detect IP shifts and geographic anomalies
  • Activity tracking – Monitor last activity time for each session
  • User and admin controls – Users manage their own sessions; admins manage all

How It Works

Session Lifecycle

  1. Login – When a user logs in, a session record is created with:

    • IP address
    • User agent (browser/device info)
    • Geographic location (country, city)
    • Timestamp
    • Session token hash
  2. Activity Tracking – As the user browses the site:

    • Last activity timestamp is updated
    • IP address changes are monitored
    • Session validity is verified on each request
  3. Logout – When a user logs out or is terminated:

    • Session record is removed
    • Authentication cookies are cleared
    • Event is logged in Activity Log

Session Validation

On every page request, Guard Dog validates the session:

  • Verifies session exists in database
  • Checks for IP address changes (if detection enabled)
  • Compares location against other active sessions
  • Enforces session timeout based on inactivity
  • Marks suspicious sessions for review
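The lifecycle and validation steps above, worked through as an added PHP illustration (this is not Guard Dog's own code; the record layout, the function names prefixed gd_example_ and the sample IPs and timestamps are assumptions made for this example). Only a SHA-256 hash of the session token is stored, the inactivity timeout is measured from the last activity rather than from login, and an IP shift flags the session without ending it, as the detection settings below describe:

```php
<?php
// Added illustration, not Guard Dog's own code. Record layout, function names and
// all sample values are assumptions for this example.

/**
 * Build the session record created at login. The raw token is never stored;
 * only its hash is kept, so a leaked table does not yield usable login cookies.
 */
function gd_example_create_session_record(string $token, string $ip, string $userAgent, ?array $geo, int $now): array {
    return [
        'token_hash'    => hash('sha256', $token),
        'ip'            => $ip,
        'user_agent'    => $userAgent,
        'country'       => $geo['country'] ?? null,
        'city'          => $geo['city'] ?? null,
        'created_at'    => $now,
        'last_activity' => $now,
        'suspicious'    => false,
    ];
}

/**
 * Per-request validation. Returns:
 *   'status'  => 'valid' | 'expired' | 'missing'
 *   'flags'   => anomaly names raised on this request (activity-log event names)
 *   'session' => the updated record, or null when the session is gone
 */
function gd_example_validate_session(?array $session, string $currentIp, int $now, int $timeoutMinutes, bool $detectIpShift): array {
    if ($session === null) {
        return ['status' => 'missing', 'flags' => [], 'session' => null];
    }
    // Inactivity timeout runs from the last activity, not from creation.
    if ($now - $session['last_activity'] > $timeoutMinutes * 60) {
        return ['status' => 'expired', 'flags' => [], 'session' => null];
    }
    $flags = [];
    if ($detectIpShift && $session['ip'] !== $currentIp) {
        $flags[] = 'session_ip_shift';
        $session['suspicious'] = true;
        // Design choice for this example: remember the new address so a further change is noticed too.
        $session['ip'] = $currentIp;
    }
    $session['last_activity'] = $now;
    return ['status' => 'valid', 'flags' => $flags, 'session' => $session];
}

/**
 * Geographic anomaly check across a user's active sessions: returns the distinct
 * countries when more than one is present, otherwise an empty array.
 */
function gd_example_geo_anomaly(array $sessions): array {
    $countries = [];
    foreach ($sessions as $s) {
        if (!empty($s['country'])) {
            $countries[$s['country']] = true;
        }
    }
    return count($countries) > 1 ? array_keys($countries) : [];
}

// Stand-alone demo with constructed values (php session_checks.php).
if (PHP_SAPI === 'cli') {
    $t0 = 1700000000;
    $a = gd_example_create_session_record('token-a', '203.0.113.10', 'Mozilla/5.0 (Windows)', ['country' => 'DE', 'city' => 'Berlin'], $t0);
    $b = gd_example_create_session_record('token-b', '198.51.100.7', 'Mozilla/5.0 (iPhone)', ['country' => 'US', 'city' => 'Boston'], $t0);

    // 30 minutes later from the same address.
    $r = gd_example_validate_session($a, '203.0.113.10', $t0 + 30 * 60, 60, true);
    echo "same ip: {$r['status']} flags=" . implode(',', $r['flags']) . PHP_EOL;

    // 30 minutes later from a different address: still valid, but flagged.
    $r = gd_example_validate_session($a, '203.0.113.99', $t0 + 30 * 60, 60, true);
    echo "new ip:  {$r['status']} flags=" . implode(',', $r['flags']) . PHP_EOL;

    // 61 minutes idle with a 60-minute timeout.
    $r = gd_example_validate_session($a, '203.0.113.10', $t0 + 61 * 60, 60, true);
    echo "idle:    {$r['status']}" . PHP_EOL;

    // Two concurrent sessions in different countries.
    echo 'geo anomaly: ' . implode(',', gd_example_geo_anomaly([$a, $b])) . PHP_EOL;
}
```

The flag names match the Activity Log event names listed later on this page, so the same function can feed the log directly; in a real plugin the record would come from and be written back to the sessions table on every request.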

Configuration

Navigate to Guard Dog → Sessions → Settings to configure:

Basic Settings

Enable Session Tracking:

  • Default: Enabled
  • Description: Track all user login sessions
  • Recommendation: Keep enabled for security visibility

Maximum Sessions Per User:

  • Default: 5
  • Range: 1 – 20
  • Description: Maximum concurrent sessions allowed per user
  • When limit reached: Oldest session is automatically terminated
  • Recommendation: 3-5 for most sites

Session Timeout:

  • Default: 60 minutes
  • Range: 5 – 1440 minutes (24 hours)
  • Description: Inactivity period before session expires
  • Recommendation: 60 minutes for standard security; lower for sensitive sites

Security Detection

Detect IP Shifts:

  • Default: Enabled
  • Description: Flag when a session's IP address changes
  • Use Case: Detects session hijacking or VPN switching
  • Note: May flag legitimate mobile users switching networks

Detect Geographic Anomalies:

  • Default: Enabled
  • Description: Flag concurrent sessions from different countries
  • Use Case: Detects account sharing or credential theft
  • Note: Requires two or more active sessions

Notify Users:

  • Default: Disabled
  • Description: Email users when suspicious activity is detected
  • Use Case: Alert users to potential account compromise

Reverse Proxy / Load Balancer

If your site is behind a reverse proxy, load balancer, or CDN (such as Cloudflare, Kinsta, WP Engine, AWS ELB, or similar), you may need to configure IP detection so Guard Dog sees your visitors' real IP addresses instead of the proxy's IP.

Why this matters: Without proper configuration, Guard Dog may detect the proxy server's IP address for all visitors. This causes false IP shift alerts (every alert shows the same infrastructure IP), inaccurate session location data, and ineffective IP-based security features.

IP Detection Method:

  • Auto (default) – Checks all common proxy headers in priority order
  • Cloudflare – Uses only the CF-Connecting-IP header (recommended for Cloudflare sites)
  • X-Forwarded-For – Uses only the X-Forwarded-For header (common with Nginx, AWS ELB, Google Cloud)
  • X-Real-IP – Uses only the X-Real-IP header (common with Nginx reverse proxy)
  • REMOTE_ADDR Only – Ignores all proxy headers, uses direct connection IP

Trusted Proxy IPs:

  • Enter the IP addresses or CIDR ranges of your proxy servers, one per line
  • When configured, Guard Dog only trusts forwarded headers from these specific IPs
  • When empty (default), all forwarded headers are trusted for backwards compatibility
  • Examples: 34.145.254.243, 172.16.0.0/12, 10.0.0.0/8

Detected IP:

  • A read-only diagnostic field showing what IP Guard Dog currently detects for your browser
  • Use this to verify your configuration is working correctly
  • If it shows a proxy/infrastructure IP instead of your real IP, your settings need adjustment

Common configurations:

Hosting / CDN           Detection Method              Trusted Proxy IPs
Cloudflare              Cloudflare                    Cloudflare IP ranges
Kinsta (Google Cloud)   X-Forwarded-For               Your site's infrastructure IP
WP Engine               X-Forwarded-For               WP Engine gateway IPs
AWS ELB / ALB           X-Forwarded-For               Load balancer subnet
Nginx reverse proxy     X-Real-IP or X-Forwarded-For  Proxy server IP

Important: Misconfiguring these settings can affect all IP-based security features including login limiting, access control, IP reputation, and session monitoring. Always verify using the "Detected IP" field after making changes.
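The detection-method and trusted-proxy logic described in this section, as an added PHP illustration (not Guard Dog's own code). The header priority assumed for the "Auto" method, the choice of which X-Forwarded-For entry to use, the gd_example_ function names and the sample addresses are all assumptions made for this example; it handles IPv4 only:

```php
<?php
// Added illustration, not Guard Dog's own code. Header priority for 'auto', the
// X-Forwarded-For selection rule, function names and sample addresses are assumptions.

/** True when $ip equals $rule or lies inside the $rule CIDR block (e.g. "10.0.0.0/8"). IPv4 only. */
function gd_example_ip_matches(string $ip, string $rule): bool {
    $rule = trim($rule);
    if (strpos($rule, '/') === false) {
        return $ip === $rule;
    }
    [$subnet, $bits] = explode('/', $rule, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits <= 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True when $ip is a configured trusted proxy; an empty list trusts every peer (the page's default). */
function gd_example_is_trusted_proxy(string $ip, array $trustedProxies): bool {
    if (empty($trustedProxies)) {
        return true;
    }
    foreach ($trustedProxies as $rule) {
        if (gd_example_ip_matches($ip, $rule)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the visitor IP for one request.
 *   $method:         'auto' | 'cloudflare' | 'x_forwarded_for' | 'x_real_ip' | 'remote_addr'
 *   $server:         a $_SERVER-style array (REMOTE_ADDR plus HTTP_* header keys)
 *   $trustedProxies: IPs/CIDRs allowed to set forwarded headers, one per entry
 */
function gd_example_client_ip(string $method, array $server, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if ($method === 'remote_addr' || !gd_example_is_trusted_proxy($remote, $trustedProxies)) {
        // Proxy headers disabled, or the direct peer is not a proxy we trust:
        // ignore whatever it forwarded and use the socket address.
        return $remote;
    }

    $headerKeys = [
        'cloudflare'      => ['HTTP_CF_CONNECTING_IP'],
        'x_real_ip'       => ['HTTP_X_REAL_IP'],
        'x_forwarded_for' => ['HTTP_X_FORWARDED_FOR'],
        'auto'            => ['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'],
    ];
    foreach ($headerKeys[$method] ?? [] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // X-Forwarded-For is a comma-separated chain, each proxy appending the peer it saw.
        // With a trust list, walk it right to left past the trusted proxies: the first
        // untrusted hop is the client. CF-Connecting-IP and X-Real-IP hold one address.
        $chain = array_map('trim', explode(',', $server[$key]));
        $pick = $chain[0];
        if (!empty($trustedProxies)) {
            for ($i = count($chain) - 1; $i >= 0; $i--) {
                if (!gd_example_is_trusted_proxy($chain[$i], $trustedProxies)) {
                    $pick = $chain[$i];
                    break;
                }
            }
        }
        if (filter_var($pick, FILTER_VALIDATE_IP) !== false) {
            return $pick;
        }
    }
    return $remote;
}

// Stand-alone demo with constructed values (php detected_ip.php).
if (PHP_SAPI === 'cli') {
    $trusted = ['172.16.0.0/12', '10.0.0.0/8'];
    // Request arriving through a trusted load balancer at 172.16.4.20.
    $viaProxy = [
        'REMOTE_ADDR'          => '172.16.4.20',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.42, 172.16.4.20',
    ];
    // Request from an untrusted peer that sends a forwarded header itself.
    $direct = [
        'REMOTE_ADDR'          => '198.51.100.9',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.42',
    ];
    echo 'trusted proxy, X-Forwarded-For:     ' . gd_example_client_ip('x_forwarded_for', $viaProxy, $trusted) . PHP_EOL;
    echo 'untrusted peer, X-Forwarded-For:    ' . gd_example_client_ip('x_forwarded_for', $direct, $trusted) . PHP_EOL;
    echo 'untrusted peer, empty trust list:   ' . gd_example_client_ip('x_forwarded_for', $direct, []) . PHP_EOL;
    echo 'trusted proxy, REMOTE_ADDR only:    ' . gd_example_client_ip('remote_addr', $viaProxy, $trusted) . PHP_EOL;
}
```

The four demo lines map onto the settings above: the first is the correctly configured case; the second shows why a trusted-proxy list matters (a forwarded header from an untrusted peer is discarded); the third reproduces the backwards-compatible empty-list behaviour, where any peer's header is believed; and the last reproduces what the "Detected IP" field shows when the method is left on REMOTE_ADDR behind a proxy, i.e. the proxy's own address.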

User Profile: Active Sessions

Users can view and manage their sessions from their WordPress profile:

  1. Go to Users → Profile
  2. Scroll to the "Active Sessions" section

Session Information Displayed

For each active session, users see:

  • Device/Browser – Parsed from user agent (e.g., "Chrome on Windows")
  • IP Address – Source IP of the session
  • Location – City and country (if available)
  • Last Activity – When the session was last used
  • Current Badge – Indicates which session you're using now
  • Suspicious Badge – If session has been flagged

Managing Sessions

Terminate Single Session:

  1. Find the session in the list
  2. Click the "Terminate" button
  3. Confirm the action
  4. The session is ended immediately

Current Session:

  • Cannot terminate your current session from this interface
  • Use the WordPress "Log Out" link instead

Frontend Shortcodes and Blocks

Guard Dog includes frontend active-session management for account pages and block-based themes.

Use the sessions primitive when a logged-in account page should show active devices and remote logout controls:

[guard_dog_sessions style="default"]

The matching dynamic block is Guard Dog Sessions (guard-dog/sessions). The style attribute accepts default, minimal, or compact.

Use the composite account-security surface when the same page should also include 2FA and passkeys:

[guard_dog_account_security show_2fa="true" show_passkeys="true" show_sessions="true"]

The sessions surface only renders when session tracking is enabled and the visitor is logged in. Like the other Guard Dog frontend account modules, it generates unique IDs so multiple modules can be placed on the same page safely.

Admin Panel: Sessions Management

Administrators can manage all user sessions:

  1. Go to Guard Dog → Sessions

Sessions List

View all active sessions across all users with:

  • User name and avatar
  • Session details (device, IP, location)
  • Last activity time
  • Suspicious activity indicators
  • Quick terminate actions
  • Filter by specific user
  • Sort by last activity, creation date
  • Search by IP address or username

Bulk Actions

  • Terminate all sessions for a specific user
  • Terminate sessions matching specific criteria

Suspicious Activity Detection

Guard Dog monitors for two types of suspicious behavior:

IP Shift Detection

What it detects: A session's IP address changes during use.

Why it matters:

  • Could indicate session hijacking (attacker stole session cookie)
  • Could indicate credential theft

Legitimate causes:

  • Mobile user switching from WiFi to cellular
  • VPN connection/disconnection
  • ISP assigning new dynamic IP

Response:

  • Session flagged as suspicious
  • Event logged in Activity Log
  • Optional email notification to user

Geographic Anomaly Detection

What it detects: Same user logged in from different countries simultaneously.

Why it matters:

  • Physically impossible to be in two countries at once
  • Strong indicator of credential theft or account sharing

Response:

  • All sessions flagged
  • Admin notification via dashboard
  • Optional email notification to user

Session Limit Enforcement

When a user exceeds the maximum session limit:

  1. New login occurs
  2. Guard Dog checks active sessions
  3. If limit exceeded:
    • Oldest session (by creation time) is terminated
    • User logged out on that device
    • New session is created
  4. Event logged in Activity Log

Enforcement Strategy

  • Oldest session terminated (not most inactive)
  • User not prevented from logging in
  • No notification to user about terminated session
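The enforcement strategy above, as an added PHP illustration (not Guard Dog's own code): the oldest session by creation time is terminated, the login itself is never refused, and the events that would go to the Activity Log are returned. The in-memory store, the gd_example_ function name and the sample tokens and timestamps are assumptions made for this example:

```php
<?php
// Added illustration, not Guard Dog's own code. Store layout, function name and
// sample data are assumptions for this example.

/**
 * Register a new session for $userId while enforcing $maxSessions.
 * $store is keyed by user id; each value is a list of records holding
 * 'token_hash' and 'created_at'. Returns the activity-log events produced.
 */
function gd_example_register_session(array &$store, int $userId, string $tokenHash, int $now, int $maxSessions): array {
    $events = [];
    $sessions = $store[$userId] ?? [];

    // Oldest first by creation time: the least recently *created* session goes,
    // not the least recently *used* one.
    usort($sessions, fn($a, $b) => $a['created_at'] <=> $b['created_at']);

    // The new session counts toward the limit, so at most $maxSessions - 1 may remain.
    while (count($sessions) >= $maxSessions && $sessions) {
        $oldest = array_shift($sessions);
        $events[] = ['type' => 'session_terminated_limit', 'user_id' => $userId, 'token_hash' => $oldest['token_hash']];
    }

    $sessions[] = ['token_hash' => $tokenHash, 'created_at' => $now];
    $events[] = ['type' => 'session_created', 'user_id' => $userId, 'token_hash' => $tokenHash];
    $store[$userId] = $sessions;
    return $events;
}

// Stand-alone demo with constructed values (php session_limit.php): a user with a
// limit of 3 logs in from four devices an hour apart; the fourth login evicts the first.
if (PHP_SAPI === 'cli') {
    $store = [];
    $t0 = 1700000000;
    foreach (['office', 'home', 'mobile', 'laptop'] as $i => $device) {
        $events = gd_example_register_session($store, 42, hash('sha256', "token-$device"), $t0 + $i * 3600, 3);
        foreach ($events as $e) {
            printf("%-26s user=%d token_hash=%s...\n", $e['type'], $e['user_id'], substr($e['token_hash'], 0, 8));
        }
    }
    echo 'active sessions for user 42: ' . count($store[42]) . PHP_EOL;
}
```

Because the loop trims to the limit rather than removing exactly one session, lowering "Maximum Sessions Per User" in the settings also takes effect at the next login of a user who is already over the new limit.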

Activity Logging

Session events are logged in the Activity Log:

Event                     Description
session_created           New session started
session_terminated        Session manually terminated by user/admin
session_terminated_limit  Session terminated due to max sessions limit
session_expired           Session expired due to inactivity
session_ip_shift          IP address changed mid-session
session_geo_anomaly       Concurrent sessions in different countries

View logs in Guard Dog → Activity Log and filter by session events.

Common Use Cases

Small Business Site

Scenario: Company site with 10-20 employees

Configuration:

  • Max sessions: 3 (office, home, mobile)
  • Timeout: 60 minutes
  • IP shift detection: Enabled
  • Geo anomaly detection: Enabled

E-commerce Site

Scenario: Online store with customer accounts

Configuration:

  • Max sessions: 5 (allow multiple devices)
  • Timeout: 30 minutes (security)
  • IP shift detection: Enabled
  • User notifications: Enabled (alert customers)

Multi-Admin WordPress

Scenario: Agency managing multiple sites

Configuration:

  • Max sessions: 2 (strict control)
  • Timeout: 120 minutes (allow longer work sessions)
  • Both detection types: Enabled
  • Admin notifications: Enabled

Site Behind CDN / Load Balancer

Scenario: Site hosted on Kinsta, WP Engine, or behind Cloudflare / AWS ELB

Configuration:

  • IP Detection Method: Match your infrastructure (e.g., "X-Forwarded-For" for Kinsta, "Cloudflare" for Cloudflare)
  • Trusted Proxy IPs: Your proxy/load balancer IP addresses
  • IP shift detection: Enabled (works correctly once proxy is configured)
  • Verify: Check "Detected IP" field shows your real IP, not the proxy IP

Why this matters: Without proxy configuration, all visitors may appear to have the same IP address (your proxy server), causing false IP shift alerts and making IP-based security features ineffective.

Integration with Other Features

IP Reputation

When IP Reputation is enabled, session management can:

  • Check reputation of login IP
  • Flag high-risk sessions
  • Terminate sessions from known malicious IPs

Two-Factor Authentication

Sessions work seamlessly with 2FA:

  • 2FA required for new sessions
  • Existing sessions remain valid
  • Session termination requires re-authentication

Passkeys

Passkey logins create normal sessions:

  • Session tracked same as password logins
  • Same timeout and limit rules apply
  • All session management features work

Troubleshooting

Sessions Not Appearing

Symptoms: No sessions shown in profile or admin

Check:

  1. Session tracking enabled? (Guard Dog → Sessions → Settings)
  2. Database table exists? (Check wp_guard_dog_sessions)
  3. User has valid login? (Try logging out and back in)

Unexpected Logouts

Symptoms: Users being logged out unexpectedly

Possible causes:

  1. Session limit reached

    • Check max sessions setting
    • User may have exceeded limit
  2. Session timeout

    • Check timeout setting
    • User may have been inactive
  3. Manual termination

    • Check Activity Log for termination events
    • Admin may have terminated session
  4. IP shift detection

    • Check if IP shift terminates sessions
    • User may have changed networks

False Positive IP Shifts

Symptoms: Sessions flagged as suspicious for legitimate IP changes

Causes:

  • Mobile users switching networks
  • VPN users connecting/disconnecting
  • Dynamic IP assignments
  • Reverse proxy or CDN returning infrastructure IP instead of real visitor IP (most common cause of widespread false alerts)

Solutions:

  1. If all alerts show the same IP address: This almost certainly means your site is behind a reverse proxy or CDN and IP detection is not configured correctly. See Reverse Proxy / Load Balancer above to configure the correct detection method and trusted proxy IPs. This is the most common cause of false IP shift alerts.

  2. If alerts show varied but legitimate IPs: These are likely caused by mobile network switching, VPN usage, or dynamic IP reassignment. Consider:

    • Keeping detection as informational (not blocking)
    • Educating users about the alerts
    • Disabling IP shift detection if too noisy for your user base

Session Database Growing Large

Symptoms: wp_guard_dog_sessions table has many rows

Note: The number of active sessions should stay small, because expired sessions are cleaned up automatically.

If issue persists:

  1. Verify cleanup cron is running
  2. Check for stuck/orphaned sessions
  3. Manually clean up old sessions

Best Practices

  1. Set reasonable limits – 3-5 sessions per user balances security and convenience

  2. Configure appropriate timeout – Match your site's security requirements

  3. Enable detection features – IP shift and geo anomaly detection catch real attacks

  4. Monitor Activity Log – Regular review catches suspicious patterns

  5. Communicate with users – Let users know about session management features

  6. Consider user experience – Very strict limits frustrate legitimate users

  7. Test before deployment – Verify settings work as expected

  8. Document for support – Create help content for users

FAQ

Q: Can users see other users' sessions?
A: No. Users only see their own sessions. Only administrators can see all sessions.

Q: What happens when I terminate a session?
A: The user is immediately logged out on that device. They must log in again.

Q: Does session limit affect administrators?
A: Yes. The limit applies to all users including administrators.

Q: What if I get locked out?
A: Use the WordPress password reset function. Sessions don't affect password reset.

Q: How accurate is the location data?
A: Location is based on IP geolocation, which is typically accurate to city level. VPNs may show incorrect locations.

Q: Can I disable session management for specific users?
A: Not currently. Session management applies to all users when enabled.

Q: How long are session records kept?
A: Active sessions are kept until logout or expiration. Expired sessions are cleaned up by scheduled task.

Q: Will this slow down my site?
A: No. Session checks are lightweight and optimized. Database queries are indexed.
