Why the Default Remember Me Duration is Limited
WordPress caps the default "Remember Me" login duration at around 14 days for security reasons. Staying logged in indefinitely leaves sites vulnerable to brute force attacks.
With unlimited sessions, if a bad actor somehow gained access to an account, they'd have permanent access rather than getting logged out after 14 days.
WordPress balances security and convenience with this approach, but frequent users need longer, persistent access. Here's how to safely extend "Remember Me".
Method 1: Custom Code Snippet to Extend Sessions for 1 Year
This method adds a code snippet to your site's functions.php file that extends the login session expiration to 1 year (or any duration). Here's the snippet:
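```php
// Return the auth cookie lifetime in seconds. WordPress passes the current
// lifetime as the first argument; this callback ignores it and always returns 1 year.
function extend_login_session( $length ) {
    return 60 * 60 * 24 * 365; // 1 year in seconds
}
add_filter( 'auth_cookie_expiration', 'extend_login_session' );
```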
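The snippet above returns one year for every login, whether or not "Remember Me" was ticked and whatever the account's privileges. The following is an added example, not code from the original article: it uses the filter's other two arguments to scope the longer lifetime and adds a helper for ending a user's sessions. The function names and the 30-day administrator cap are assumptions chosen for illustration.

```php
/**
 * Scope the extended lifetime instead of applying it to every login.
 *
 * @param int  $length   Lifetime WordPress would use, in seconds.
 * @param int  $user_id  ID of the user logging in.
 * @param bool $remember Whether "Remember Me" was ticked.
 * @return int Lifetime to use, in seconds.
 */
function scoped_login_session( $length, $user_id, $remember ) {
    // "Remember Me" not ticked: keep whatever lifetime WordPress chose.
    if ( ! $remember ) {
        return $length;
    }

    // Accounts that can manage the site get a shorter window (illustrative
    // 30-day cap), so a stolen cookie for a privileged user expires sooner.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return 30 * DAY_IN_SECONDS;
    }

    // Everyone else who ticked "Remember Me": 1 year, as in Method 1.
    return YEAR_IN_SECONDS;
}
// Priority 10, and 3 accepted arguments: $length, $user_id, $remember.
add_filter( 'auth_cookie_expiration', 'scoped_login_session', 10, 3 );

/**
 * End every active session for one user, for example after a lost device
 * or a suspected account compromise. Long-lived cookies make this the
 * practical way to cut access before the cookie expires on its own.
 *
 * @param int $user_id ID of the user whose sessions should be destroyed.
 */
function revoke_all_sessions( $user_id ) {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}
```

Register this in place of the Method 1 snippet rather than alongside it; with both active, whichever filter runs last decides the value.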
2021 WordPress Usage Survey data shows:
Site Type | Avg Login Frequency |
---|---|
Blogs | Multiple times a week |
News sites | Hourly to daily |
eCommerce sites | Multiple times daily |
As you can see, average users require weekly, daily, or even hourly admin access. By extending to 1 year, we accommodate the majority of WordPress site owners.
This lets you avoid 60+ logins per year (for blogs) or 100s-1000s for online stores, without constantly seeing the pesky login screen!
Method 2: Use WordPress Plugins Like Theme My Login
If adding custom code is daunting, you can achieve the same effect with plugins like Theme My Login. Benefits over the snippet include:
- No coding needed
- Custom login screen branding
- Configurable session lengths
- Integration with membership plugins
- and more…
Theme My Login lets you pick any duration under Settings → Login Options. So 1 year, 3 years, 10 years – anything is possible!
It also includes login enhancements like:
- Custom templates
- Math captcha
- Email login links
- …and other features
So not only will WordPress remember you indefinitely, but logging in will also be more user-friendly!
Security Recommendations When Extending Sessions
While staying logged in for years is convenient, also implement precautions:
- Enable two-factor authentication using plugins like Google Authenticator, which require an extra one-time passcode upon login. This adds a critical layer of security.
- Limit login attempts via plugins like Limit Login Attempts to thwart brute force attacks. After a specified number of failed logins, attackers will be locked out.
- For highly sensitive sites, consider allowing login only from trusted IP addresses.
With a few simple tweaks, you can override the short default duration while also keeping your site safe. Never see a login screen again!