Secure WordPress: Set Auth Cookie Expiry in 1 Hour


A 2021 IBM report revealed that 95% of cyber incidents are caused by human mistakes. One simple step to prevent such errors is configuring your WordPress auth cookie expiration to auto-logout users after inactivity. Often overlooked, these minor user errors can lead to serious vulnerabilities. By setting your site to automatically sign out users after idle time, you greatly reduce security risks. So how can you set up a WordPress authentication cookie to handle this?

How to Set WordPress Auth Cookie Expiration

Most platforms understand that keeping privileged users logged in indefinitely is risky. That’s why authentication cookies — first popularized in finance — are used to expire sessions automatically. Today, WordPress allows site owners to control auth cookie timeouts with either:

  • A third-party plugin, or
  • A custom code snippet

Using too many plugins can slow your website and open new vulnerabilities. So, using a code snippet in your theme’s functions.php file is the most efficient route. Here’s the code to automatically log users out after 1 hour:

/* Login expires after 1 hour */
add_filter( 'auth_cookie_expiration', 'keep_me_logged_in_for_1_hour', 9999, 1 );
function keep_me_logged_in_for_1_hour( $expirein ) {
    // Cookie lifetime in seconds (60 * 60 = 3600 = 1 hour).
    return 60*60;
}
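
The snippet above applies one hour to every account. As an added example (not the original post's code), the same filter can use the user ID and "remember me" flag it also receives to shorten sessions only for privileged accounts; the function name, capability thresholds and lifetimes are assumptions.

```php
// Added example, not from the original post. The function name, the
// capability checks and the lifetimes below are assumptions; adjust them.
// Goes in the theme's functions.php, like the snippet above.

// Request all three arguments the filter passes: the lifetime in seconds,
// the ID of the user logging in, and whether "Remember Me" was ticked.
add_filter( 'auth_cookie_expiration', 'example_tiered_auth_cookie_expiration', 9999, 3 );

function example_tiered_auth_cookie_expiration( $length, $user_id, $remember ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        // Administrators: 1 hour, even when "Remember Me" is ticked.
        $cap = HOUR_IN_SECONDS;
    } elseif ( user_can( $user_id, 'edit_others_posts' ) ) {
        // Editors: 8 hours.
        $cap = 8 * HOUR_IN_SECONDS;
    } else {
        // Everyone else: the WordPress defaults (14 days with "Remember Me",
        // 2 days without).
        $cap = $remember ? 14 * DAY_IN_SECONDS : 2 * DAY_IN_SECONDS;
    }

    // min() only ever shortens the lifetime, so a stricter value returned
    // by an earlier callback on this filter is preserved.
    return min( (int) $length, $cap );
}
```

The lifetime is counted from the moment of login, so sessions that already exist keep their old expiry until the user logs in again.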

Benefits of Auth Cookie Expiry in WordPress

While WordPress cookies typically expire at session end, many users select “remember me” during login, unintentionally keeping sessions alive. This can become a serious issue. Using this simple code ensures users are logged out after inactivity — boosting your site’s overall security through REST API cookie settings.  
