How to Force Logout All WordPress Users and Reset Active Sessions

After a security incident, password change, or suspected compromise, you may need to force all WordPress users to log out immediately. User Login Log shows who is logged in — here is how to terminate those sessions.

Terminating a Specific User Session

Go to Users in the WordPress admin and click on a specific user to edit their profile. Scroll down to the Sessions section. You will see the active sessions for that user including the browser and IP address. Click Log Out Everywhere Else to terminate all sessions for that user except the one you are currently using (as admin). The user will be logged out on all devices and need to log in again.

Forcing All Users to Log Out at Once

WordPress authentication relies on two things: the authentication cookie stored in the browser and the secret keys and salts defined in wp-config.php. WordPress uses those keys to validate the cookie, so changing them invalidates all existing authentication cookies across all users simultaneously: everyone is logged out and must log in again.

To change secret keys:

  1. Go to api.wordpress.org/secret-key/1.1/salt/ to generate a new set of keys.
  2. Open wp-config.php via FTP or your host’s file manager.
  3. Find the section with define('AUTH_KEY', …) and the following lines.
  4. Replace all eight define() calls with the newly generated values.
  5. Save the file.

All WordPress authentication cookies are immediately invalidated. Every logged-in user on every device — including admins — is logged out. Make sure you know your password before doing this.
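Steps 3 to 5 as a script, added here as an example and not code from the original post: it replaces the eight define() values in the text of a wp-config.php file and refuses to return a partial rotation. It assumes one define() call per line and generates the values locally with Python's secrets module instead of fetching them from api.wordpress.org; the names rotate_keys, new_secret and SAMPLE_CONFIG are illustrative.

```python
import re
import secrets

# The eight constants replaced in step 4 (four keys, four salts).
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Assumption: values are generated locally, not fetched from the salt API.
# No quotes or backslashes, so a value never needs escaping in a PHP string.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#%^&*()-_[]{}<>~+=,.;:/?|")

# Constructed sample input: an excerpt shaped like wp-config.php.
SAMPLE_CONFIG = "\n".join(
    ["<?php", "define( 'DB_NAME', 'example_db' );"]
    + [f"define( '{name}', 'old value {i}' );" for i, name in enumerate(KEY_NAMES)]
    + ["$table_prefix = 'wp_';", ""]
)


def new_secret(length=64):
    """Return a random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Replace all eight define() values, or raise without a partial result."""
    problems = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"^([ \t]*define\(\s*['\"]" + name + r"['\"]\s*,\s*)"
            r"(['\"]).*?\2(\s*\)\s*;.*)$",
            re.MULTILINE,
        )
        config_text, count = pattern.subn(
            lambda m: m.group(1) + "'" + new_secret() + "'" + m.group(3),
            config_text,
        )
        if count != 1:
            problems.append(f"{name}: {count} define() calls found, expected 1")
    if problems:
        raise ValueError("keys not rotated: " + "; ".join(problems))
    return config_text


if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

Run it against a backup copy of wp-config.php first; a ValueError means at least one of the eight constants was missing or duplicated and the file should be fixed by hand.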

When to Use This

Force-logout all users when:

  • You have had a confirmed security incident and suspect active attacker sessions.
  • A former employee or contributor still has active sessions after their access should have been revoked.
  • You are changing the site’s authentication system (switching to SSO, for example).
  • You have reset admin passwords and want to ensure old sessions using old credentials are terminated.

Checking for Active Attacker Presence After a Compromise

After terminating all sessions and changing passwords, check for backdoors an attacker may have installed to regain access. Common backdoor locations:

  • New admin user accounts created by the attacker — review all admin users on the Users screen.
  • Modified core WordPress files — use the WordPress Integrity Checker or Wordfence file integrity scan.
  • Malicious files in wp-content/uploads — attackers often place PHP files in the uploads directory.
  • Code added to theme functions.php or plugin files.

Using WP Activity Log for Forensics

After a suspicious login, WP Activity Log shows every admin action taken during the suspicious session — what pages were edited, which plugins were changed, what files were modified. This forensic trail helps you understand the scope of the compromise and what to review and repair.

For security incident response, post-compromise cleanup, and hardening WordPress after a breach, a WordPress security developer can perform a full investigation and remediation.
