{"id":332849,"date":"2026-07-07T22:12:41","date_gmt":"2026-07-07T22:12:41","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/vegestic-users-login-limit\/"},"modified":"2026-07-07T22:12:14","modified_gmt":"2026-07-07T22:12:14","slug":"vegestic-users-login-limit","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/vegestic-users-login-limit\/","author":23523330,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Vegestic - Users Login Limit","header_author":"Vegestic Solutions (Aqif Aziz)","header_description":"Control concurrent login sessions per user. Set per-account session limits, monitor login history, track IP addresses and locations, and force-logout devices \u2014 all from your WordPress dashboard.","assets_banners_color":"","last_updated":"2026-07-07 22:12:14","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/vegestic-users-login-limit\/","header_author_uri":"https:\/\/profiles.wordpress.org\/vegesticsolutions\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":32,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"vegesticsolutions","date":"2026-07-07 22:12:14"}},"upgrade_notice":{"1.0.0":"<p>Initial release.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Dashboard overview showing managed users and active sessions.","2":"Block Users page \u2014 add users and set individual session limits.","3":"User Details page \u2014 view sessions, login history, IP and location data.","4":"Login Message editor \u2014 customize the error shown to blocked users."}},"plugin_section":[],"plugin_tags":[4553,602,600,30471,2461],"plugin_category":[38,54],"plugin_contributors":[270526],"plugin_business_model":[],"class_list":["post-332849","plugin","type-plugin","status-publish","hentry","plugin_tags-concurrent-login","plugin_tags-login","plugin_tags-security","plugin_tags-sessions","plugin_tags-user-management","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-vegesticsolutions","plugin_committers-vegesticsolutions"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/vegestic-users-login-limit.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Vegestic - Users Login Limit<\/strong> lets WordPress administrators control how many simultaneous login sessions each user can have. This is useful for shared accounts, subscription sites, membership sites, and any site where you want to prevent credential sharing.<\/p>\n\n<h4>Key Features<\/h4>\n\n<ul>\n<li><strong>Session Limiting<\/strong> \u2014 Set a maximum number of concurrent sessions per user. When the limit is reached, new login attempts are blocked until an existing session ends.<\/li>\n<li><strong>Login History<\/strong> \u2014 Track up to 50 login and blocked-attempt records per user, with timestamps and status.<\/li>\n<li><strong>IP Address Logging<\/strong> \u2014 Automatically records the IP address on each login event.<\/li>\n<li><strong>Location Detection<\/strong> \u2014 Resolves the approximate geographic location from the IP address using free public geo APIs. Results are cached to minimize external requests.<\/li>\n<li><strong>Active Sessions View<\/strong> \u2014 See all currently active session tokens for a managed user with login time and device information.<\/li>\n<li><strong>Force Logout<\/strong> \u2014 Destroy all active sessions for a user with one click, right from the dashboard.<\/li>\n<li><strong>Custom Block Message<\/strong> \u2014 Edit the error message shown on the login page when a user exceeds their session limit.<\/li>\n<li><strong>CSV Export<\/strong> \u2014 Export a user's full login history to a CSV file from the User Details page.<\/li>\n<li><strong>Unlimited Protected Users<\/strong> \u2014 Add as many users to the block list as you need.<\/li>\n<li><strong>GDPR \/ Privacy Ready<\/strong> \u2014 Integrates with WordPress's built-in privacy data exporter and data eraser tools.<\/li>\n<\/ul>\n\n<h4>How It Works<\/h4>\n\n<ol>\n<li>Go to <strong>Vegestic - Users Login Limit \u2192 Block Users<\/strong> and add a user.<\/li>\n<li>Set their session limit (e.g., 1 for a single device, 2 for two devices).<\/li>\n<li>Enable the limit for that user.<\/li>\n<li>From that point on, when the user tries to log in from more devices than their limit allows, they will see a block message and be prevented from creating a new session.<\/li>\n<\/ol>\n\n<h4>Privacy<\/h4>\n\n<p>This plugin records the following data for users on the protected list, stored in WordPress user meta (<code>wpll_login_meta<\/code>):<\/p>\n\n<ul>\n<li>Login timestamp<\/li>\n<li>IP address of each login<\/li>\n<li>Approximate geographic location derived from the IP (via free public geo-IP APIs)<\/li>\n<li>Browser user agent string<\/li>\n<li>Session token identifiers<\/li>\n<\/ul>\n\n<p><strong>No data is sent to third-party services<\/strong> unless you are using the geo-location feature, which makes outbound HTTP requests to free public APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com) to look up an IP address's approximate location. These requests include the IP address being resolved and your site's URL as a User-Agent string, consistent with normal API usage.<\/p>\n\n<p>Location results are cached as WordPress transients for 12 hours to minimise external API calls.<\/p>\n\n<pre><code>add_filter( 'wpll_geo_api_providers', '__return_empty_array' );\n<\/code><\/pre>\n\n<p>Users can request deletion of their session data through WordPress's built-in privacy tools (<strong>Tools \u2192 Erase Personal Data<\/strong>), or you can delete it manually via <strong>Users \u2192 Edit User<\/strong>.<\/p>\n\n<h3>External Services<\/h3>\n\n<p>This plugin connects to free public IP geolocation APIs to resolve the approximate geographic location of a user's IP address. This occurs only when a user on the protected list logs in or is blocked from logging in. No requests are made to any external service for users not on the protected list, or if location detection is disabled.<\/p>\n\n<p>The following data is sent to these services: the connecting user's IP address and your site's URL (included as part of the standard User-Agent header, consistent with normal WordPress HTTP API usage).<\/p>\n\n<h4>ipapi.co<\/h4>\n\n<p>Used for IP geolocation lookups.\n* Privacy Policy: https:\/\/ipapi.co\/privacy\/\n* Terms of Service: https:\/\/ipapi.co\/terms\/<\/p>\n\n<h4>ipwho.is<\/h4>\n\n<p>Used as a fallback IP geolocation provider.\n* Privacy Policy: https:\/\/ipwhois.io\/privacy\n* Terms of Service: https:\/\/ipwhois.io\/terms<\/p>\n\n<h4>freeipapi.com<\/h4>\n\n<p>Used as a fallback IP geolocation provider.\n* Privacy Policy: https:\/\/freeipapi.com\/privacy\n* Terms of Service: https:\/\/freeipapi.com\/terms<\/p>\n\n<h4>ip-api.com<\/h4>\n\n<p>Used as a fallback IP geolocation provider.\n* Privacy Policy: https:\/\/ip-api.com\/docs\/legal\n* Terms of Service: https:\/\/ip-api.com\/docs\/legal<\/p>\n\n<p>Location results are cached as WordPress transients for 12 hours to minimise external API calls. Only valid, publicly routable IP addresses trigger an external lookup \u2014 private\/local IPs are identified as \"Local Network\" without any outbound request.<\/p>\n\n<p>You can disable all location lookups entirely by adding this to your theme's <code>functions.php<\/code> or a custom plugin:<\/p>\n\n<pre><code>add_filter( 'wpll_geo_api_providers', '__return_empty_array' );\n<\/code><\/pre>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>vegestic-users-login-limit<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory, or install directly via the WordPress admin Plugins screen.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> screen in WordPress.<\/li>\n<li>Go to <strong>Vegestic - Users Login Limit \u2192 Block Users<\/strong> to start adding users.<\/li>\n<li>Optionally edit the login block message at <strong>Vegestic - Users Login Limit \u2192 Login Message<\/strong>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20work%20with%20any%20wordpress%20theme%3F\"><h3>Does this work with any WordPress theme?<\/h3><\/dt>\n<dd><p>Yes. The plugin works at the authentication level and is entirely theme-independent.<\/p><\/dd>\n<dt id=\"will%20this%20log%20out%20users%20who%20are%20already%20logged%20in%3F\"><h3>Will this log out users who are already logged in?<\/h3><\/dt>\n<dd><p>No. Existing sessions are not affected when you add a user or lower their limit. Only new login attempts after the limit is set are blocked. Use the <strong>Logout All<\/strong> button to clear existing sessions manually.<\/p><\/dd>\n<dt id=\"can%20i%20disable%20location%20tracking%3F\"><h3>Can I disable location tracking?<\/h3><\/dt>\n<dd><p>Yes. Add this to your theme's <code>functions.php<\/code> or a custom plugin:\n    add_filter( 'wpll_geo_api_providers', '__return_empty_array' );<\/p><\/dd>\n<dt id=\"is%20user%20data%20exported%20for%20gdpr%20requests%3F\"><h3>Is user data exported for GDPR requests?<\/h3><\/dt>\n<dd><p>Yes. The plugin registers with WordPress's privacy tools. Administrators can export or erase a user's login data via <strong>Tools \u2192 Export Personal Data<\/strong> and <strong>Tools \u2192 Erase Personal Data<\/strong>.<\/p><\/dd>\n<dt id=\"what%20happens%20if%20a%20user%20is%20at%20their%20limit%20and%20tries%20to%20log%20in%3F\"><h3>What happens if a user is at their limit and tries to log in?<\/h3><\/dt>\n<dd><p>They see the custom block message on the login screen and their login is rejected. The blocked attempt is logged in their history.<\/p><\/dd>\n<dt id=\"can%20i%20change%20the%20session%20limit%20per%20user%3F\"><h3>Can I change the session limit per user?<\/h3><\/dt>\n<dd><p>Yes. Each user in the block list has their own configurable session limit. You can update it from the Block Users table or from the User Details page.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Security: Geo-location transients are now only created for valid, publicly routable IP addresses. Private, reserved, and localhost IP addresses are resolved as \"Local Network\" without writing a transient, preventing any transient-flooding vector via spoofed request headers.<\/li>\n<li>Improvement: Reduced geo-location transient lifetime from 24 hours to 12 hours, limiting stale cache exposure while preserving the lookup-reduction benefit.<\/li>\n<li>Compliance: Updated ipwho.is and freeipapi.com third-party legal URLs to their current canonical forms in the readme.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial public release.<\/li>\n<li>Session limiting per user with configurable limit.<\/li>\n<li>Login history tracking (up to 50 records per user).<\/li>\n<li>IP address logging on each login event.<\/li>\n<li>Location detection via free public geo-IP APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com).<\/li>\n<li>Active sessions view with force-logout option.<\/li>\n<li>Custom login block message editor.<\/li>\n<li>CSV export of login history.<\/li>\n<li>GDPR-compliant privacy data exporter and eraser.<\/li>\n<li>Full i18n support with translatable strings.<\/li>\n<\/ul>","raw_excerpt":"Control concurrent login sessions per user \u2014 set limits, track login history, and force logout from your dashboard.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/332849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=332849"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/vegesticsolutions"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=332849"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=332849"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=332849"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=332849"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=332849"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=332849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}