Auto Logout Users with WordPress Auth Cookie Expiry


According to a 2021 IBM study, human error accounts for 95% of security breaches. One such oversight — staying logged in on high-access accounts — can be tackled by setting WordPress auth cookie expiration. Auto-logout mechanisms help eliminate such risks, forcing session timeouts after user inactivity. Let’s explore how to configure authentication cookie settings in WordPress.

Steps to Configure WordPress Auth Cookie Timeout

From banking to blogging, the idea of session timeout has become standard. WordPress lets you control cookie expiration using either plugins or code. While plugins are convenient, they can slow your site and require constant updates. A better approach is to apply a custom function in your theme. To enforce login expiration, use the following code inside your functions.php file:

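/* Set session timeout to 1 hour */
// Priority 9999 runs this after other callbacks on the same filter; 1 = number of arguments accepted.
add_filter( 'auth_cookie_expiration', 'keep_me_logged_in_for_1_hour', 9999, 1 );
function keep_me_logged_in_for_1_hour( $expirein ) {
    // Lifetime in seconds, counted from login: 60 * 60 = 1 hour.
    return 60 * 60;
}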

Why Use Authentication Cookie Expiry?

WordPress generally ends login sessions after browser closure. However, enabling the “remember me” option can keep users signed in — even if they’re inactive. This snippet overrides that behavior by enforcing a custom auth cookie timeout through the WordPress REST API system — enhancing your site’s defense posture.  
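The auth_cookie_expiration filter also passes the user ID and the "Remember Me" flag, so the timeout can be tightened for high-access accounts while other users keep a longer session. The following is an added example, not code from the original post; the example_ function names, the manage_options capability check and the chosen durations are assumptions.

```php
<?php
// Added example, not from the original post. Omit the opening tag when
// pasting into functions.php. The example_ names and durations are assumptions.

/**
 * Decide the auth cookie lifetime in seconds.
 *
 * @param int  $default       Lifetime proposed by WordPress or an earlier filter.
 * @param bool $is_privileged True for accounts that can manage site options.
 * @param bool $remember      True when "Remember Me" was ticked at login.
 * @return int
 */
function example_auth_cookie_lifetime( $default, $is_privileged, $remember ) {
    $hour = 3600;
    if ( $is_privileged ) {
        // High-access accounts: one hour, and "Remember Me" does not extend it.
        $cap = $hour;
    } else {
        // Other accounts: 8 hours, or 48 hours with "Remember Me".
        $cap = $remember ? 48 * $hour : 8 * $hour;
    }
    $default = (int) $default;
    // Only ever shorten the proposed lifetime; fall back to the cap if it is unusable.
    return $default > 0 ? min( $default, $cap ) : $cap;
}

/**
 * Filter callback. WordPress core proposes 2 days, or 14 days with "Remember Me".
 */
function example_filter_auth_cookie_expiration( $length, $user_id, $remember ) {
    $is_privileged = user_can( (int) $user_id, 'manage_options' );
    return example_auth_cookie_lifetime( $length, $is_privileged, (bool) $remember );
}

// Register only when running inside WordPress; 3 = arguments the callback accepts.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'auth_cookie_expiration', 'example_filter_auth_cookie_expiration', 9999, 3 );
}
```

The lifetime is fixed when the cookie is issued, so sessions that already exist keep their old expiry until the user logs in again.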
