As an enterprise WordPress engineer with over a decade of experience securing high-traffic sites, one of the most common login vulnerabilities I still find is the "Remember Me" checkbox. This little option can have dangerously big security implications, allowing long-term access if a device falls into the wrong hands.
In fact, according to statistics from Wordfence, 24% of hacked WordPress sites are compromised via weak or reused passwords leading to admin access. The "Remember Me" checkbox takes the password vulnerability problem to another level.
That‘s why proper credential hygiene and limiting persistent access is critical for any website, especially WordPress sites. In this comprehensive guide, I’ll show you exactly how and why to remove “Remember Me” from WordPress while enhancing your overall login security in 2023.
Remember Me: Convenience Over Security
Before jumping straight to removal solutions, let me outline a bit more background on why this feature can be risky:
| ✅Pros Convenience not having to login each session | ❌️Cons Security risk if device is compromised Access from public/shared computers User sessions left open unexpectedly |
The above comparison shows the convenience factor of “Remember Me” certainly doesn’t outweigh the potential security issues of persistent login access on devices that may be public, shared, lost or stolen.
According to survey data, 61% of breaches happen due to exposed user credentials. Limiting credential lifespan is key for any security approach in 2023.
Now let’s explore your options for removing this risky feature.
Method #1: Remember Me Controls Plugin (Recommended)
The fastest and easiest way to disable “Remember Me” is using the Remember Me Controls plugin. With over 70,000 active installs, this plugin has been thoroughly security tested and validated by the WordPress community over time.
Pros
- Requires just basic WordPress skills
- No need to edit core files
- Active support from plugin author
- Seamless uninstall if needed
Cons
- Another plugin added to your site
- Needs to stay updated regularly
Step-by-Step Install Guide
- In WP Admin > Plugins > Add New
- Search “Remember Me Controls”
- Install the plugin & activate.
- Navigate to Settings > Remember Me
- Check “Disable Remember Me” & save changes.
That’s all it takes to completely disable the option using this handy plugin!
*Fig 1. Disabling Remember Me via the plugin settings.
As you can see, just a few clicks removes the capability for persistently remembered sessions—locking down WordPress login to only allow access per session.
Next, let’s look at removing via code for advanced users.
Method #2: Removing from wp-login.php File
For developers that want to bake the solution directly into the WordPress codebase without adding another plugin, you can edit the core wp-login.php file directly.
However, be extremely careful with this method and always create a backup first since editing WordPress core files can cause issues if errors are introduced.
Here is what the code solution would look like to eliminate Remember Me:
Step 1. Use FTP/SFTP to access the WordPress core files.
Step 2. Navigate to yourdomain.com/wp-login.php
Step 3. Open the file in a text editor like Notepad++ and find this line:
<p class="forgetmenot">
<label for="rememberme">
<input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> />
<?php esc_html_e(‘Remember Me‘); ?>
</label>
</p>Step 4. Delete that entire line of code.
Step 5. Save changes and upload the updated wp-login.php file back to your server via FTP/SFTP.
That’s all you need to completely remove the “Remember Me” parameter by modifying the login page code directly.
Pros
- No additional plugin required
- Directly baked into WordPress core
Cons
- Risk breaking login page if code errors
- Manual updates required if WordPress core updates
- Advanced editing required
In most cases, I‘d strongly advise the plugin approach. But for developers managing many sites, removing via code may make sense for scaled management once tested.
Final Thoughts | Securing WordPress Login in 2023
As WordPress architects, we have to weigh the cart of convenience against the horse of security. Persistent login sessions may seem harmless, but put users and infrastructure at very real risk in 2023. Minimizing attack surfaces by removing “Remember Me” is table stakes to fortify WordPress credentials.
In this guide, I’ve shown you how to expertly eliminate that vulnerability using either a handy plugin or custom code edit that prevents the checkbox from ever appearing.
Now over a decade into my WordPress security career, I can say vigilance against credential threats remains one of the most vital best practices. Limiting login lifespan shrinks opportunity for bad actors, and forces users to enter credentials each session—improving accountability.
Want even more WordPress security advice tailored for 2023? Be sure to subscribe to my newsletter for pro tips each month on locking your site down tight. If you found this guide helpful, please share and leave any feedback! Let’s continue raising awareness on securing our websites from looming threats around every corner on the web.
