Title: Vegestic &#8211; Users Login Limit
Author: vegesticsolutions (Aqif Aziz)
Published: <strong>July 7, 2026</strong>
Last modified: July 7, 2026

---

Search plugins

![](https://s.w.org/plugins/geopattern-icon/vegestic-users-login-limit.svg)

# Vegestic – Users Login Limit

 By [vegesticsolutions (Aqif Aziz)](https://profiles.wordpress.org/vegesticsolutions/)

[Download](https://downloads.wordpress.org/plugin/vegestic-users-login-limit.1.0.0.zip)

 * [Details](https://wordpress.org/plugins/vegestic-users-login-limit/#description)
 * [Reviews](https://wordpress.org/plugins/vegestic-users-login-limit/#reviews)
 *  [Installation](https://wordpress.org/plugins/vegestic-users-login-limit/#installation)
 * [Development](https://wordpress.org/plugins/vegestic-users-login-limit/#developers)

 [Support](https://wordpress.org/support/plugin/vegestic-users-login-limit/)

## Description

**Vegestic – Users Login Limit** lets WordPress administrators control how many 
simultaneous login sessions each user can have. This is useful for shared accounts,
subscription sites, membership sites, and any site where you want to prevent credential
sharing.

#### Key Features

 * **Session Limiting** — Set a maximum number of concurrent sessions per user. 
   When the limit is reached, new login attempts are blocked until an existing session
   ends.
 * **Login History** — Track up to 50 login and blocked-attempt records per user,
   with timestamps and status.
 * **IP Address Logging** — Automatically records the IP address on each login event.
 * **Location Detection** — Resolves the approximate geographic location from the
   IP address using free public geo APIs. Results are cached to minimize external
   requests.
 * **Active Sessions View** — See all currently active session tokens for a managed
   user with login time and device information.
 * **Force Logout** — Destroy all active sessions for a user with one click, right
   from the dashboard.
 * **Custom Block Message** — Edit the error message shown on the login page when
   a user exceeds their session limit.
 * **CSV Export** — Export a user’s full login history to a CSV file from the User
   Details page.
 * **Unlimited Protected Users** — Add as many users to the block list as you need.
 * **GDPR / Privacy Ready** — Integrates with WordPress’s built-in privacy data 
   exporter and data eraser tools.

#### How It Works

 1. Go to **Vegestic – Users Login Limit  Block Users** and add a user.
 2. Set their session limit (e.g., 1 for a single device, 2 for two devices).
 3. Enable the limit for that user.
 4. From that point on, when the user tries to log in from more devices than their 
    limit allows, they will see a block message and be prevented from creating a new
    session.

#### Privacy

This plugin records the following data for users on the protected list, stored in
WordPress user meta (`wpll_login_meta`):

 * Login timestamp
 * IP address of each login
 * Approximate geographic location derived from the IP (via free public geo-IP APIs)
 * Browser user agent string
 * Session token identifiers

**No data is sent to third-party services** unless you are using the geo-location
feature, which makes outbound HTTP requests to free public APIs (ipapi.co, ipwho.
is, freeipapi.com, ip-api.com) to look up an IP address’s approximate location. 
These requests include the IP address being resolved and your site’s URL as a User-
Agent string, consistent with normal API usage.

Location results are cached as WordPress transients for 12 hours to minimise external
API calls.

    ```
    add_filter( 'wpll_geo_api_providers', '__return_empty_array' );
    ```

Users can request deletion of their session data through WordPress’s built-in privacy
tools (**Tools  Erase Personal Data**), or you can delete it manually via **Users
Edit User**.

### External Services

This plugin connects to free public IP geolocation APIs to resolve the approximate
geographic location of a user’s IP address. This occurs only when a user on the 
protected list logs in or is blocked from logging in. No requests are made to any
external service for users not on the protected list, or if location detection is
disabled.

The following data is sent to these services: the connecting user’s IP address and
your site’s URL (included as part of the standard User-Agent header, consistent 
with normal WordPress HTTP API usage).

#### ipapi.co

Used for IP geolocation lookups.
 * Privacy Policy: https://ipapi.co/privacy/ * 
Terms of Service: https://ipapi.co/terms/

#### ipwho.is

Used as a fallback IP geolocation provider.
 * Privacy Policy: https://ipwhois.io/
privacy * Terms of Service: https://ipwhois.io/terms

#### freeipapi.com

Used as a fallback IP geolocation provider.
 * Privacy Policy: https://freeipapi.
com/privacy * Terms of Service: https://freeipapi.com/terms

#### ip-api.com

Used as a fallback IP geolocation provider.
 * Privacy Policy: https://ip-api.com/
docs/legal * Terms of Service: https://ip-api.com/docs/legal

Location results are cached as WordPress transients for 12 hours to minimise external
API calls. Only valid, publicly routable IP addresses trigger an external lookup—
private/local IPs are identified as “Local Network” without any outbound request.

You can disable all location lookups entirely by adding this to your theme’s `functions.
php` or a custom plugin:

    ```
    add_filter( 'wpll_geo_api_providers', '__return_empty_array' );
    ```

## Installation

 1. Upload the `vegestic-users-login-limit` folder to the `/wp-content/plugins/` directory,
    or install directly via the WordPress admin Plugins screen.
 2. Activate the plugin through the **Plugins** screen in WordPress.
 3. Go to **Vegestic – Users Login Limit  Block Users** to start adding users.
 4. Optionally edit the login block message at **Vegestic – Users Login Limit  Login
    Message**.

## FAQ

### Does this work with any WordPress theme?

Yes. The plugin works at the authentication level and is entirely theme-independent.

### Will this log out users who are already logged in?

No. Existing sessions are not affected when you add a user or lower their limit.
Only new login attempts after the limit is set are blocked. Use the **Logout All**
button to clear existing sessions manually.

### Can I disable location tracking?

Yes. Add this to your theme’s `functions.php` or a custom plugin:
 add_filter( ‘
wpll_geo_api_providers’, ‘__return_empty_array’ );

### Is user data exported for GDPR requests?

Yes. The plugin registers with WordPress’s privacy tools. Administrators can export
or erase a user’s login data via **Tools  Export Personal Data** and **Tools  Erase
Personal Data**.

### What happens if a user is at their limit and tries to log in?

They see the custom block message on the login screen and their login is rejected.
The blocked attempt is logged in their history.

### Can I change the session limit per user?

Yes. Each user in the block list has their own configurable session limit. You can
update it from the Block Users table or from the User Details page.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Vegestic – Users Login Limit” is open source software. The following people have
contributed to this plugin.

Contributors

 *   [ vegesticsolutions (Aqif Aziz) ](https://profiles.wordpress.org/vegesticsolutions/)

[Translate “Vegestic – Users Login Limit” into your language.](https://translate.wordpress.org/projects/wp-plugins/vegestic-users-login-limit)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/vegestic-users-login-limit/),
check out the [SVN repository](https://plugins.svn.wordpress.org/vegestic-users-login-limit/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/vegestic-users-login-limit/)
by [RSS](https://plugins.trac.wordpress.org/log/vegestic-users-login-limit/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.1

 * Security: Geo-location transients are now only created for valid, publicly routable
   IP addresses. Private, reserved, and localhost IP addresses are resolved as “
   Local Network” without writing a transient, preventing any transient-flooding
   vector via spoofed request headers.
 * Improvement: Reduced geo-location transient lifetime from 24 hours to 12 hours,
   limiting stale cache exposure while preserving the lookup-reduction benefit.
 * Compliance: Updated ipwho.is and freeipapi.com third-party legal URLs to their
   current canonical forms in the readme.

#### 1.0.0

 * Initial public release.
 * Session limiting per user with configurable limit.
 * Login history tracking (up to 50 records per user).
 * IP address logging on each login event.
 * Location detection via free public geo-IP APIs (ipapi.co, ipwho.is, freeipapi.
   com, ip-api.com).
 * Active sessions view with force-logout option.
 * Custom login block message editor.
 * CSV export of login history.
 * GDPR-compliant privacy data exporter and eraser.
 * Full i18n support with translatable strings.

## Meta

 *  Version **1.0.0**
 *  Last updated **7 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [concurrent login](https://wordpress.org/plugins/tags/concurrent-login/)[login](https://wordpress.org/plugins/tags/login/)
   [security](https://wordpress.org/plugins/tags/security/)[sessions](https://wordpress.org/plugins/tags/sessions/)
   [user management](https://wordpress.org/plugins/tags/user-management/)
 *  [Advanced View](https://wordpress.org/plugins/vegestic-users-login-limit/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/vegestic-users-login-limit/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/vegestic-users-login-limit/reviews/)

## Contributors

 *   [ vegesticsolutions (Aqif Aziz) ](https://profiles.wordpress.org/vegesticsolutions/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/vegestic-users-login-limit/)