A 2021 IBM study found that 95% of cyber security breaches result from human error, meaning that eliminating mistakes makes your website more secure. Configuring WordPress Auth Cookie Expiration on your site eliminates the most basic human errors — forgetting to sign out from a user account with immense privileges.
All human errors are often basic and look stupid in retrospect, but they can be very costly. Websites can significantly reduce their exposure to cybersecurity threats by automatically signing out logged-in users after a set period of inactivity by automatically signing out logged-in users after a set period of inactivity.
But how do you implement a WordPress auth cookie to log users out automatically?
Configuring WordPress Auth Cookie Expiration Cookie
Every website provider and CMS system acknowledges the risks of logged-in users with critical member permissions. The industry developed various ways to log users out automatically after continued inactivity.
First used in the financial services industry, user authentication cookies are now widely available. Given the extensive use of WordPress, any site owner can now use WordPress authentication cookies to have inactive logins expire according to set rules.
WordPress users can achieve this in two ways:
- Using a specialized plugin, or
- Adding a code snippet to your WP theme.
While effective, the plugin route is the least preferred, as too many plugins make websites slow. They also introduce an added security threat if not maintained regularly.
Adding a simple code snippet to your website is the best way to set up WP auth cookie for login expirations.
To automatically sign out logged-in users through WordPress auth cookie expiration, add the following auth_cookie_expiration hook and filter to the functions.php folder of your theme’s code.
/* Login for only 1 hour */
add_filter( 'auth_cookie_expiration', 'keep_me_logged_in_for_1_hour',9999,1 );
function keep_me_logged_in_for_1_hour( $expirein ) {
return 60*60;
}
Why use WP Auth Cookie Expiration
The majority of WordPress cookies expire when a browsing session ends. Out of laziness, however, some users set the browsers to “remember me” while logging in, leaving your website prone to unnecessary security threats.
This code will rectify this by signing out all logged-in users after a set period of inactivity via the WordPress Rest API cookie authentication settings selected by the admin.