plugin-icon

Vegestic – Users Login Limit

Control concurrent login sessions per user — set limits, track login history, and force logout from your dashboard.
版本
1.0.0
最后更新
Jul 7, 2026

Vegestic – Users Login Limit lets WordPress administrators control how many simultaneous login sessions each user can have. This is useful for shared accounts, subscription sites, membership sites, and any site where you want to prevent credential sharing.

Key Features

  • Session Limiting — Set a maximum number of concurrent sessions per user. When the limit is reached, new login attempts are blocked until an existing session ends.
  • Login History — Track up to 50 login and blocked-attempt records per user, with timestamps and status.
  • IP Address Logging — Automatically records the IP address on each login event.
  • Location Detection — Resolves the approximate geographic location from the IP address using free public geo APIs. Results are cached to minimize external requests.
  • Active Sessions View — See all currently active session tokens for a managed user with login time and device information.
  • Force Logout — Destroy all active sessions for a user with one click, right from the dashboard.
  • Custom Block Message — Edit the error message shown on the login page when a user exceeds their session limit.
  • CSV Export — Export a user’s full login history to a CSV file from the User Details page.
  • Unlimited Protected Users — Add as many users to the block list as you need.
  • GDPR / Privacy Ready — Integrates with WordPress’s built-in privacy data exporter and data eraser tools.

How It Works

  1. Go to Vegestic – Users Login Limit Block Users and add a user.
  2. Set their session limit (e.g., 1 for a single device, 2 for two devices).
  3. Enable the limit for that user.
  4. From that point on, when the user tries to log in from more devices than their limit allows, they will see a block message and be prevented from creating a new session.

Privacy

This plugin records the following data for users on the protected list, stored in WordPress user meta (wpll_login_meta):

  • Login timestamp
  • IP address of each login
  • Approximate geographic location derived from the IP (via free public geo-IP APIs)
  • Browser user agent string
  • Session token identifiers

No data is sent to third-party services unless you are using the geo-location feature, which makes outbound HTTP requests to free public APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com) to look up an IP address’s approximate location. These requests include the IP address being resolved and your site’s URL as a User-Agent string, consistent with normal API usage.

Location results are cached as WordPress transients for 12 hours to minimise external API calls.

add_filter( 'wpll_geo_api_providers', '__return_empty_array' );

Users can request deletion of their session data through WordPress’s built-in privacy tools (Tools Erase Personal Data), or you can delete it manually via Users Edit User.

External Services

This plugin connects to free public IP geolocation APIs to resolve the approximate geographic location of a user’s IP address. This occurs only when a user on the protected list logs in or is blocked from logging in. No requests are made to any external service for users not on the protected list, or if location detection is disabled.

The following data is sent to these services: the connecting user’s IP address and your site’s URL (included as part of the standard User-Agent header, consistent with normal WordPress HTTP API usage).

ipapi.co

Used for IP geolocation lookups. * Privacy Policy: https://ipapi.co/privacy/ * Terms of Service: https://ipapi.co/terms/

ipwho.is

Used as a fallback IP geolocation provider. * Privacy Policy: https://ipwhois.io/privacy * Terms of Service: https://ipwhois.io/terms

freeipapi.com

Used as a fallback IP geolocation provider. * Privacy Policy: https://freeipapi.com/privacy * Terms of Service: https://freeipapi.com/terms

ip-api.com

Used as a fallback IP geolocation provider. * Privacy Policy: https://ip-api.com/docs/legal * Terms of Service: https://ip-api.com/docs/legal

Location results are cached as WordPress transients for 12 hours to minimise external API calls. Only valid, publicly routable IP addresses trigger an external lookup — private/local IPs are identified as “Local Network” without any outbound request.

You can disable all location lookups entirely by adding this to your theme’s functions.php or a custom plugin:

add_filter( 'wpll_geo_api_providers', '__return_empty_array' );
免费基于付费套餐
通过安装,您同意 WordPress.com 服务条款第三方插件条款
目前已测试版本
WordPress 7.0
这个插件是可用的下载,适用于您的站点。