Need to force logout all users from your WordPress site? If you suspect a security breach or simply want to reset active sessions on a membership or LMS site, WordPress lacks a built-in tool for this. Drawing from our extensive experience securing WordPress installations for clients, we'll guide you through a reliable, straightforward method.
Running a membership site, LMS, or paywalled content? This technique ensures users re-authenticate, ideal for refreshing logins across the board.
Common triggers include suspected hacks, where logging everyone out lets you clean up safely without ongoing threats. It's also perfect for membership sites vulnerable to password sharing.
On shared public computers or unsecured WiFi (without VPN), uncertainty about logout status can linger—this method terminates all sessions instantly.
Let's dive into the secure process to log out every WordPress user.
We'll edit your wp-config.php file. Always back it up first to avoid issues—we've seen this safeguard countless times in production environments.
Connect via FTP or your cPanel File Manager. Locate wp-config.php in your site's root directory.
Right-click and edit to open in a text editor.
Look for this authentication keys block:
define ('AUTH_KEY', 'K2 # m,> O-z / IeRr?> 5lmx'Hf:'); define ('SECURE_AUTH_KEY', '-Qf ( 6G (zB' (D *)] fe; iEw? M] PU> BY: $ Ni6] ~ mYCfZ68l_M @ RuSZl6Z% W [3 '); define ('AUTH_SALT', 'PpS; 19y? W31AY @: =, RC; & 0kkNXNkP -v = Lr; ghGft:? WV5vA-lje | h A19Tfzq $ ['); define ('SECURE_AUTH_SALT', '+ H.u x4u<6-^HY+/z'); These might include placeholders like 'put your unique phrase here'. They're your site's authentication keys and salts—for deeper insight, see our comprehensive WordPress security keys guide.
Head to the official WordPress salt generator to create fresh, random keys.
Replace your existing keys with the new ones, save, and upload the file. This change invalidates all sessions, forcing immediate logouts site-wide.
On membership or user-registration sites, weak passwords are a top vulnerability—easy to crack and exploit.
Post-hack or for proactive defense, reset all passwords to prompt stronger ones. To avoid repeats, implement site-wide strong password policies.
Worried about remembering complex passwords? Password managers handle this effortlessly—check our detailed guide on managing WordPress passwords.
This approach has protected countless sites in our practice. For full protection, review our beginner's WordPress security guide.
Questions? Join our WordPress YouTube channel for video tutorials, or follow us on Twitter and Facebook.