How to Restrict User Login to One Device in WordPress

If your WordPress site has user accounts, someone is sharing their login credentials.

It might be a student passing their course password to a friend, a member sharing their subscription with family, or a customer splitting a software license across a team.

Either way, you’re losing revenue, and your user data stops making sense.

Netflix cracked down on account sharing across 100 million households. Not because it was easy, but because the revenue loss was real. Your site faces the same problem, but on a smaller scale.

In this tutorial, I’ll show you how to restrict user login to one active device at a time in WordPress. No developer needed.

You’ll use a free plugin for the core restriction and WPCode to set exemptions for specific users or roles.

Whether you’re running a membership site, managing a subscription product, or selling online courses, this setup takes about 15 minutes and runs automatically from there.

Key Takeaways

• I’ll show you a free plugin that limits each account to one active login with a single setting change
• I cover two login logic behaviors and explain which one is less disruptive for your users
• Reveal how to exempt specific users or roles using WPCode, without touching your theme files
• I walk through how to target the restriction by device type, so mobile and desktop sessions can be treated differently
• I show you how to test that the restriction is working before you push it live

What We’ll Accomplish in This Tutorial

By the end of this guide, every user account on your site will be locked to one active login session at a time.

When someone tries to log in from a second device, WordPress will either block the attempt or silently end their previous session. It’s your choice.

This works on any WordPress site with user accounts: membership sites, online courses, subscription products, or multi-author blogs.

What you’ll have set up:

• A per-account login limit enforced automatically on every login
• Optional exemptions for admins, editors, or specific VIP user IDs
• A working test to confirm the restriction is live

What a blocked user sees when they try to log in from a second device.

What You’ll Need Before We Start

Skill level: Intermediate
Time to complete: ~15 minutes

• Loggedin – Limit Concurrent Sessions – free plugin from the WordPress repository.
  • No purchase needed for what we’re doing here.
  • Install it like any other plugin (Plugins » Add New, search “Loggedin”).
• WPCode – only needed for Method 2 (user and role exemptions).
  • The free WPCode Lite version is enough. Install it the same way.
• WordPress admin access – you’ll need to reach the Settings and Code Snippets menus.
• User IDs for anyone you want to exempt – Method 2 only. I’ll show you how to find these quickly if you don’t know them.

How to Restrict User Login to One Device in WordPress

Now, since I will be showing you two methods, I have broken down the steps into simple sections. You can use the table of contents below to skip to any method or step you want to read.

With all that ready, let’s dive in.

Method 1: Loggedin – Limit Concurrent Sessions

This is where I’d start on any site.

The Loggedin – Limit Concurrent Sessions plugin is free, requires no code, and enforces the restriction automatically from the moment you save your settings. There’s nothing to maintain once it’s running.

One thing worth knowing before you configure it: the plugin defaults to allowing 3 active logins per user when you first activate it. So it’s already doing something, just not restricting tightly enough yet.

Step 1: Install and Configure Your Login Limit

As mentioned, Loggedin – Limit Concurrent Sessions is a free plugin.

As a result, you can access it by going to All Plugins » Add New Plugin in your WordPress dashboard. After this, use the search bar to find the tool from your WordPress plugin repository.

If you face any issues, check out my tutorial on how to install plugins for direction.

Once installed and activated, go to Settings » General. Note that this is the “Settings” option native to WordPress, not in its own menu item.

After this, scroll to the bottom of that page, and you’ll find the Loggedin Settings section.

Here’s exactly what to do:

1. Find the Maximum Active Logins field and change the value to 1.
2. Don’t save yet, set the Login Logic first (next step).

⚠️Quick Check: Make sure you’re in Settings » General, not the Loggedin plugin’s own page. The settings don’t appear in a dedicated plugin menu.

Step 2: Choose Your Login Logic

This is the decision that actually matters and it’s one most tutorials skip past.

The Login Logic dropdown has two options: Allow and Block. They sound similar but behave completely differently from your users’ perspective.

• Allow means: when a second login attempt comes in, WordPress lets it through. But silently ends the user’s oldest active session. The person already logged in gets kicked out with no warning. They’ll just find themselves at the login screen, wondering what happened.
• Block means: the new login attempt is rejected. The person trying to log in sees an error message telling them the account is already in use. Their existing session stays active.

Here’s the thing: which you choose depends on your audience.

Block works best for membership or course sites where you want clear enforcement, and you’re OK with some friction. Allow is less confrontational and suits internal teams or lower-stakes setups where silent session replacement is fine.

Once you’ve decided, select your option from the dropdown and click Save Changes.

Step 3: Force Logout Existing Sessions

This step is optional, but I’d run it on launch day.

When you first enable the restriction, users who were already logged in on multiple devices stay logged in. The limit only kicks in on new logins. Force Logout clears that.

To use it, you’ll need the WordPress user ID for any account you want to reset.

Here’s the fastest way to find one: go to Users » All Users, hover over any username, and look at the URL shown in your browser’s status bar. You’ll see something like ?user_id=5. That number is the ID.

Enter the ID in the Force Logout field and click the button. That user is immediately logged out of all active sessions.

Step 4: Set Your Cache Level

If you’re running a caching plugin like WP Rocket, W3 Total Cache, LiteSpeed Cache, or similar, this setting matters.

The wrong cache level can cause WordPress to serve stale session data, which makes the login restriction behave unpredictably.

The Loggedin Settings section includes a Cache Level dropdown with four options:

• Normal – the right choice for most sites. Handles standard WordPress caching setups.
• Asset Only – caches static files (CSS, JS) but not session data. Good for lighter caching configs.
• Advanced – use this if you’re running an aggressive full-page caching setup.
• Off – only if you’re not using any caching at all.

For most membership or course sites running WP Rocket or similar, Normal works fine. Click Save Changes once you’ve selected your level.

That’s it. You can now restrict users to one device on your WordPress site. Check out the screenshot below to see what to expect.

What if you want more control? That is where Method 2 comes in.

Method 2: WPCode – Exempt Specific Users or Roles

Method 1 applies the restriction to every user on your site. That’s usually what you want but not always.

Administrators, editors, or high-value members often need access from multiple devices. Kicking your own admin account off a second tab is frustrating.

If you want to manage who has which access on your site, exemptions are the right approach.

This is where WPCode comes in. You’ll add a short PHP snippet that tells Loggedin to skip the restriction for specific user IDs or roles, without editing the theme files or your child theme.

The free version, WPCode Lite, is all you need here.

It gives you a dedicated interface for managing snippets, keeps your code separate from your theme, and makes it easy to toggle snippets on or off without breaking anything.

The free WPCode Lite version has a library of 130+ pre-built snippets and supports custom PHP, which is exactly what we’re using.

You can find it in the WordPress repository under Plugins » Add New and search for “WPCode.”

After this, install and activate it like any other plugin.

Step 1: Create a New PHP Snippet

Once WPCode is installed and active, you’ll see a Code Snippets menu item in your WordPress sidebar.

Here’s exactly what to do:

1. Go to Code Snippets » + Add Snippet in your dashboard.
2. You’ll land on the snippet library. Look for the Add Your Custom Code (New Snippet) option.
3. Hover over it and click Use snippet.
4. A popup appears asking what type of code you’re adding. Click PHP Snippet.

Step 2: Exempt Specific Users

Now you’re in the snippet editor. This is where you add the code that bypasses the login restriction for individual user accounts.

Here’s exactly what to do:

1. Give your snippet a clear title, something like Bypass Login Restrictions for Certain Users.
2. Paste this code into the Code Preview pane:

<code>function loggedin_bypass_users( $bypass, $user_id ) {<br>    $allowed_users = array( 1, 2, 3 );<br>    if ( in_array( $user_id, $allowed_users ) ) {<br>        $bypass = true;<br>    }<br>    return $bypass;<br>}<br>add_filter( 'loggedin_bypass', 'loggedin_bypass_users', 10, 2 );</code>

3. Replace 1, 2, 3 in the $allowed_users array with the actual user IDs you want to exempt.

To find a user’s ID: go to Users » All Users, hover over their username, and look at the URL in your browser’s status bar. You’ll see ?user_id=X. That number is their ID.

This is the same process we used in Method

Step 3: Exempt Specific Roles

If you’d rather exempt entire roles instead of individual users, create a second snippet using this code. The process is identical to Step 2.

All you have to do is select Add Your Custom Code (New Snippet), then PHP type, and paste the code.

function loggedin_bypass_roles( $bypass, $user_id ) {
    $allowed_roles = array( 'administrator', 'editor' );
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( $allowed_roles, $user->roles ) ) {
        $bypass = true;
    }
    return $bypass;
}
add_filter( 'loggedin_bypass', 'loggedin_bypass_roles', 10, 2 );

Once done, edit the $allowed_roles array to match the roles on your site.

By default, it exempts administrators and editors. So, remove ‘editor’ if you only want admins exempt, or add other roles like ‘shop_manager’ or ‘subscriber’.

Step 4: Set Device Type (Optional)

This is a feature most people don’t know WPCode includes, and it’s useful for this specific use case. Before saving your snippet, scroll down to find the Device Type setting.

You have three options:

• Any Device – the snippet runs for all users regardless of what device they’re on (this is the default)
• Desktop Only – the restriction bypass applies only when users log in from a desktop browser
• Mobile Only – the bypass applies only on mobile devices

Most sites will leave this on Any Device.

But if your membership content is primarily desktop-based and you want to block multiple desktop sessions while being more relaxed about mobile, this is where you’d set that.

Step 5: Save and Activate Your Snippet

Once done, go below the WPCode snippet area to find the Insertion tab.

Here, navigate to “Insert Method,” where you can insert the code with Auto Insert or Shortcode. Then, use the “Location” dropdown to tell WPCode where the snippet should appear.

After this, it’s time to activate and save.

Here’s exactly what to do:

1. Scroll to the top of the snippet editor.
2. Toggle the snippet status from Inactive to Active.
3. Click Save Snippet.

Well done. The snippet goes live immediately. No page refresh needed. The logged-in user will now skip the restriction for anyone in your exemption list.

👉 Get started with WPCode here

How to Test Your Work

Don’t assume it’s working; verify it. This test takes two minutes and confirms the restriction is actually enforced.

Here’s exactly what to do:

1. Open your browser in incognito or private mode.
2. Go to your WordPress login page and log in with a regular user account (not an admin).
3. Without logging out, open your normal browser window.
4. Try to log in to the same account.

If you chose Block as your Login Logic, you should see the “This User’s Login Limit Has Been Reached” error.

If you choose Allow, your incognito session should end. Refresh it, and you’ll be redirected to the login screen.

If both sessions stay active, double-check two things: confirm Maximum Active Logins is set to 1 (not left at the default of 3), and make sure you clicked Save Changes after adjusting the settings.

⚠️Quick tip: Use a subscriber or customer account for this test, not your admin account, especially if you’ve set up a role exemption for administrators.

Common Issues and Quick Fixes

Problem: “The admin account is getting blocked too”

• What’s happening: The restriction applies to all user roles by default, including administrators.
• Quick fix: Add the role bypass snippet from Method 2, Step 3, and include ‘administrator’ in the $allowed_roles array. If you only need to exempt yourself, the user ID bypass from Step 2 is simpler.

My experience: I always add the admin exemption before enabling the restriction on any live site — saves an embarrassing support call.

Problem: “Users are getting logged out randomly, even without a second login”

• What’s happening: A caching plugin is serving stale session data, triggering false “second login” detections.
• Quick fix: Go back to Settings » General » Loggedin Settings and change the Cache Level to Advanced. Clear your cache after saving. If you’re not sure which speed optimization plugin is causing the conflict, Advanced mode covers most configurations.

My experience: This one trips up sites running aggressive full-page caching — WP Rocket in particular.

Problem: “The restriction isn’t working at all after activation”

• What’s happening: The plugin defaulted to 3 active logins, and you forgot to change it to 1.
• Quick fix: Go to Settings » General, confirm Maximum Active Logins is set to 1, and click Save Changes.

Problem: “Members are complaining they keep getting logged out for no reason”

• What’s happening: They’re sharing credentials between family members or devices — the Allow logic is replacing their session silently.
• Quick fix: Switch the login logic to Block so they see a clear error instead of a silent logout. Or use Force Logout to reset their sessions and explain the new policy.

I hope you found this tutorial on restricting users to one device useful. If anything is unclear, check out the commonly asked questions below.

FAQs: How to Restrict User Login to One Device in WordPress

Does this work with WooCommerce or membership plugins like MemberPress?

Yes. Loggedin hooks into WordPress’s core login system, so it works regardless of what membership or eCommerce plugin you’re running. WooCommerce customer accounts, MemberPress members, and any other role-based user system will all be affected by the restriction.

Will this lock out my administrators?

By default, yes the restriction applies to every role. If you want administrators (or any other role) exempt, add the role bypass snippet from Method 2, Step 3. You can run both snippets simultaneously, one for roles, one for individual users.

What happens to users who are already logged in when I enable this?

Existing sessions are not immediately ended when you activate the restriction. The limit only applies to new login attempts. If you want to enforce it retroactively, use the Force Logout feature from Method 1, Step 3, and enter the user IDs you want to reset.

Can I limit accounts to 2 or 3 devices instead of 1?

Yes. Just change the Maximum Active Logins value in Settings » General to whatever number you need. Setting it to 2 allows two simultaneous sessions per account. This is useful if you want to permit both a phone and a laptop, but nothing more.

Final Thoughts

Restricting logins to one device is one of those changes that pays for itself quickly on any site with paid accounts.

You set it once, and every new login after that is automatically enforced. No maintenance, manual checks, or chasing credential sharers.

The Loggedin plugin handles the core restriction in a few minutes.

WPCode gives you the flexibility to exempt the right people without touching a line of theme code.

Between the two, you get a setup that’s tight enough to protect your revenue and flexible enough not to frustrate your own team.

If you’re running a membership site or selling access to any kind of content, this is worth doing today.

Your user data will immediately become more reliable, and the revenue you’re losing to shared credentials will stop leaking.

For a deeper look at hardening your site beyond login controls, the complete WordPress security guide is a good next step.

Resource Hub: WordPress Security and User Management

These guides cover the next steps for locking down your site and managing your users properly.

• 9 Best WordPress Security Plugins Compared – a tested comparison of the top security plugins for WordPress, covering firewalls, malware scanning, and login protection.
• How To Limit Login Attempts in WordPress Step by Step – restrict how many times someone can try to log in before getting locked out. Pairs well with the single-device restriction.
• 8 Best Brute Force Plugins I Tested That Actually Block – protect your login page from automated password attacks.
• 7 Best WordPress CAPTCHA Plugins and Tools Compared – add an extra layer to your login form so bots can’t even attempt a login.
• How to Create an Online Course With WordPress – if you’re restricting logins to protect course content, here’s how to build and structure the course itself.
• The Complete WordPress Security Checklist – everything in one place: login security, file permissions, backups, and beyond.