Docs – HandyPlugins
https://handyplugins.co
well-crafted WordPress plugins
Last build: Tue, 17 Mar 2026 14:33:40 +0000

Blocked Login Recovery
https://handyplugins.co/docs/blocked-login-recovery/
Published: Tue, 17 Mar 2026 14:33:38 +0000

Blocked login recovery helps legitimate users regain access when Block new login mode prevents a new sign-in.

How it works

When a user hits the session limit in Block new login mode:

  1. The new login is blocked
  2. The user can request a one-time recovery email
  3. The email contains a temporary link
  4. The user follows the link to log out other active sessions
  5. The user can try signing in again

When to use it

Enable this feature if:

  • You want to reduce support tickets
  • Your users often switch between devices
  • You use strict login blocking but still want a self-service recovery path

Where to configure it

Go to the General tab and select Block new login.

You can then configure the block mode options:

  • Allow blocked users to recover access via email
  • Email Cooldown
  • Recovery Link Expiry

Recommended settings

For most sites, a good starting point is:

  • Email cooldown: 5 minutes
  • Recovery link expiry: 30 minutes

Important notes

  • This feature is only relevant when Block new login is the active enforcement mode
  • If another mode is active, blocked login recovery is not used
  • Short cooldown values can increase email volume
  • Long expiry times can make recovery links less secure

Best practices

  • Use a clear email sender identity on your site
  • Test the full recovery flow after setup
  • Make sure your WordPress email delivery is reliable
  • Keep the cooldown long enough to discourage repeated abuse

Frontend Session Management
https://handyplugins.co/docs/frontend-session-management/
Published: Tue, 17 Mar 2026 14:30:52 +0000

SessionQuota Pro can give users visibility and control over their own active sessions from the frontend.

This helps reduce support requests and makes strict login policies easier to use in practice.

What users can do

Depending on your setup, users can:

  • See their active sessions
  • Identify the current device
  • Review device and browser information
  • Review IP address information when available
  • Log out from other devices
  • Remove a specific session

Automatic dashboard placement

If Enable automatic dashboard placement is enabled, SessionQuota Pro can automatically place session controls in supported account areas.

Supported integrations include:

  • WooCommerce
  • BuddyPress
  • Ultimate Member
  • MemberPress
  • Paid Memberships Pro

Available shortcodes

Use shortcodes if you want to place session controls on your own custom pages.

Logout other sessions button

[sessionquota_logout_others]

Use this shortcode when you only want to display a button that logs the user out from other active devices.

Active sessions table

[sessionquota_sessions]

Use this shortcode when you want to show a session list with device and login details.

Session info summary

[sessionquota_session_info]

Use this shortcode when you want to show the user’s current session status or limit summary.

Common placement ideas

  • Account dashboard
  • Membership dashboard
  • Customer account page
  • Security settings page
  • “My Devices” page

Best practices

  • Place session controls in a page users can easily find
  • Keep the wording clear, especially on membership or course platforms
  • If you use Block new login, consider enabling email recovery as a fallback
  • Test the layout on desktop and mobile account pages

Limits and Priority
https://handyplugins.co/docs/limits-and-priority/
Published: Tue, 17 Mar 2026 14:23:43 +0000

SessionQuota Pro can resolve a user’s session limit from several rule sources. This page explains how that works.

The four rule levels

SessionQuota Pro resolves the effective limit in this order:

  1. User-specific override
  2. Membership-based limit
  3. Role-based limit
  4. Global default

The highest-priority level that has a matching rule wins.

Global default

The global default is the basic session limit set in the General tab.

Use it when:

  • You want one rule for the entire site
  • You want a fallback for users without special rules

Role-based limits

Role-based limits let you assign different session allowances to different WordPress roles.

Examples:

  • Subscribers: 1
  • Customers: 2
  • Editors: 3

If a user has multiple roles, SessionQuota Pro uses the highest limit among those roles.

Membership-based limits

Membership-based limits are available when a supported membership plugin is active.

Supported providers:

  • MemberPress
  • Paid Memberships Pro

Examples:

  • Bronze plan: 1
  • Silver plan: 2
  • Gold plan: 4

If a user has multiple active memberships, SessionQuota Pro uses the highest limit among those memberships.

User-specific overrides

User-specific overrides let you assign a custom limit to an individual user from their profile screen.

Use this when:

  • A VIP customer needs a higher limit
  • A staff user needs more flexibility
  • You want to make a one-off exception without changing global policy

How strict mode changes things

If you select Logout all other sessions, SessionQuota Pro forces a single active session and does not use the advanced limit stack.

That means:

  • Role-based limits are not applied
  • Membership-based limits are not applied
  • User-specific overrides are preserved, but not used while strict mode is active

Example priority scenarios

Scenario 1: role limit beats global default

  • Global default: 1
  • Customer role: 2
  • User has role Customer

Effective limit: 2

Scenario 2: membership limit beats role limit

  • Global default: 1
  • Customer role: 2
  • Gold membership: 4

Effective limit: 4

Scenario 3: user override beats everything else

  • Global default: 1
  • Customer role: 2
  • Gold membership: 4
  • User override: 6

Effective limit: 6
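
The resolution order, the highest-wins rule for multiple roles or memberships, and the strict-mode bypass can be modeled in a few lines of plain PHP. This is an added sketch, not SessionQuota Pro's code: the function names, array keys and mode labels are assumptions made for illustration.

```php
<?php
/**
 * Illustrative model of the limit resolution described on this page.
 * Hypothetical names throughout; not SessionQuota Pro's implementation.
 * Limits are treated as plain positive integers: how a 0 (unlimited) value
 * compares at role or membership level is not described here and not modeled.
 *
 * $rules: 'mode' (assumed labels), 'global', 'roles' => [ role => limit ],
 *         'memberships' => [ plan => limit ]
 * $user:  'override' (optional), 'roles' => [...], 'memberships' => [...]
 */
function example_effective_limit( array $rules, array $user ): int {
    // Strict mode: one session, the advanced limit stack is not consulted.
    if ( 'logout_all_others' === $rules['mode'] ) {
        return 1;
    }

    // 1. User-specific override.
    if ( isset( $user['override'] ) ) {
        return (int) $user['override'];
    }

    // 2. Membership-based limit: highest among the user's active memberships.
    $limit = example_highest_match( $rules['memberships'] ?? [], $user['memberships'] ?? [] );
    if ( null !== $limit ) {
        return $limit;
    }

    // 3. Role-based limit: highest among the user's roles.
    $limit = example_highest_match( $rules['roles'] ?? [], $user['roles'] ?? [] );
    if ( null !== $limit ) {
        return $limit;
    }

    // 4. Global default.
    return (int) $rules['global'];
}

/** Highest configured limit among the keys the user holds, or null if none match. */
function example_highest_match( array $configured, array $held ): ?int {
    $matches = array_intersect_key( $configured, array_flip( $held ) );
    return $matches ? (int) max( $matches ) : null;
}

// Constructed rules mirroring the example values on this page.
$rules = [
    'mode'        => 'block',
    'global'      => 1,
    'roles'       => [ 'customer' => 2, 'editor' => 3 ],
    'memberships' => [ 'gold' => 4 ],
];
$users = [
    'scenario 1' => [ 'roles' => [ 'customer' ] ],
    'scenario 2' => [ 'roles' => [ 'customer' ], 'memberships' => [ 'gold' ] ],
    'scenario 3' => [ 'roles' => [ 'customer' ], 'memberships' => [ 'gold' ], 'override' => 6 ],
    'two roles'  => [ 'roles' => [ 'customer', 'editor' ] ],
];
foreach ( $users as $label => $user ) {
    printf( "%s: %d\n", $label, example_effective_limit( $rules, $user ) );
}

// The same override under strict mode: the stack is bypassed.
$rules['mode'] = 'logout_all_others';
printf( "strict mode: %d\n", example_effective_limit( $rules, $users['scenario 3'] ) );
```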

Enforcement Modes
https://handyplugins.co/docs/enforcement-modes/
Published: Mon, 16 Mar 2026 15:54:56 +0000

SessionQuota Pro includes three enforcement modes. Each mode controls what happens when a user reaches the allowed number of active sessions.

Block new login

This mode prevents the new login from completing when the session limit has already been reached.

Best for

  • Membership sites that want to reduce account sharing
  • Sites that need a visible login block instead of silent session replacement
  • Teams that want users to consciously free up an existing session

What the user experiences

  • The new login attempt is blocked
  • Existing sessions remain active
  • You can optionally allow recovery by email so the user can log out other sessions

Good to know

  • This mode works best when the limit is greater than 0
  • It is the clearest option for discouraging credential sharing

Logout oldest session(s)

This mode allows the new login, then removes the oldest existing session or sessions needed to stay within the limit.

Best for

  • Sites that want a smoother user experience
  • Membership sites where users switch devices often
  • Teams that want automatic cleanup instead of manual intervention

What the user experiences

  • The new login succeeds
  • The oldest active session is terminated automatically

Good to know

  • This mode respects the configured session limit
  • It is usually the most balanced choice between convenience and control

Logout all other sessions

This mode always keeps only the latest session active and logs out all other sessions after a successful login.

Best for

  • Sites that require one active device per account
  • High-control environments
  • Membership sites with a strict anti-sharing policy

What the user experiences

  • The new login succeeds
  • All other active sessions are terminated

Good to know

  • This mode acts like strict single-session mode
  • Advanced limit rules are not used in this mode
  • The global session limit is effectively ignored because only one session is allowed

Which mode should you choose?

Choose Block new login if:

  • You want the strongest visible deterrent against account sharing

Choose Logout oldest session(s) if:

  • You want less friction for legitimate users

Choose Logout all other sessions if:

  • You want one session per account, every time

Settings Overview
https://handyplugins.co/docs/sessionquota-pro-settings-overview/
Published: Mon, 16 Mar 2026 15:50:22 +0000

SessionQuota Pro organizes its admin interface into five tabs:

  • General
  • Advanced
  • Tools
  • Monitoring
  • License

This page explains what each tab is for.

General

The General tab controls the main session policy for your site.

Main settings

  • Session limit: the default number of concurrent sessions allowed per user
  • Enforcement mode: what happens when a user reaches the limit
  • Enable automatic dashboard placement: automatically adds frontend session controls to supported account areas

Block mode options

When Block new login is selected, you can also enable blocked login recovery by email.

Additional settings include:

  • Email cooldown
  • Recovery link expiry time

Advanced

The Advanced tab lets you define more specific rules than the global default.

What you can configure

  • Role-based limits
  • Membership-based limits
  • Limit priority behavior

Supported membership providers

  • MemberPress
  • Paid Memberships Pro

Strict mode behavior

When Logout all other sessions is selected, SessionQuota Pro effectively enforces a single active session for everyone. In that mode, advanced policy controls are not used.

Tools

The Tools tab is for operational tasks.

Available tools

  • Force logout a specific user
  • Logout all sessions for all users
  • Reset plugin settings
  • Export settings
  • Import settings
  • Review common WP-CLI commands

Monitoring

The Monitoring tab is for security visibility and alerting.

What you can control

  • Enable or disable logging
  • Log IP addresses
  • Log user agents
  • Enable country detection
  • Set log retention
  • Configure blocked-login alerts
  • Configure country-change alerts
  • Show admin notices
  • Send alert emails

License

The License tab is used to manage your product license.

Typical actions include:

  • Entering your license key
  • Activating the license
  • Re-activating when needed
  • Reviewing current status messages

Recommended setup flow

If you are configuring the plugin for the first time, work through the tabs in this order:

  1. General
  2. Advanced
  3. Tools
  4. Monitoring
  5. License

Quick Start
https://handyplugins.co/docs/sessionquota-quick-start/
Published: Mon, 16 Mar 2026 15:47:02 +0000

Use this quick setup guide if you want to get SessionQuota Pro working in a few minutes.

Recommended first configuration

  1. Go to Settings -> SessionQuota Pro.
  2. Set a global session limit.
  3. Choose an enforcement mode.
  4. Save your settings.
  5. Test the behavior with two browsers or devices.

Step 1: set the global session limit

The global session limit controls how many active sessions a user can have at once.

  • 1 means one active session per user
  • 2 means two active sessions per user
  • 0 means unlimited sessions

For most sites, start with one of these:

  • Membership or course site: 1
  • Store or client portal: 1 or 2
  • Team or editorial site: 2 or 3

Step 2: choose an enforcement mode

Pick the behavior you want when a user reaches the limit:

  • Block new login: stop the new login attempt
  • Logout oldest session(s): make room by removing the oldest session
  • Logout all other sessions: keep only the latest session active

If you want the strictest setup, use Logout all other sessions.

Step 3: enable frontend session control if needed

If you want users to manage their own active sessions from the frontend:

  1. Leave Enable automatic dashboard placement enabled.
  2. Or place the available shortcodes on your own account page.

See Frontend Session Management for details.

Step 4: test the setup

Test with two different browsers or devices:

  1. Sign in as the same user on Device A.
  2. Sign in again on Device B.
  3. Confirm the result matches your selected enforcement mode.

Step 5: add advanced rules if needed

After the basic setup works, you can add:

  • Role-based limits
  • Membership-based limits
  • User-specific overrides
  • Blocked login recovery by email
  • Monitoring and alerts

Recommended rollout path

If you are unsure where to start, use this order:

  1. Global limit
  2. Enforcement mode
  3. Frontend session controls
  4. Advanced limits
  5. Monitoring and alerts

Installation and Activation
https://handyplugins.co/docs/sessionquota-pro-installation-and-activation/
Published: Mon, 16 Mar 2026 15:43:47 +0000

This page explains how to install SessionQuota Pro, activate it correctly, and avoid common setup conflicts.

Requirements

  • WordPress 5.9 or later
  • PHP 7.4 or later

Install from a ZIP file

  1. In WordPress admin, go to Plugins -> Add New -> Upload Plugin.
  2. Select the SessionQuota Pro ZIP file.
  3. Click Install Now.
  4. Click Activate Plugin.

Manual installation

  1. Upload the sessionquota-pro folder to /wp-content/plugins/.
  2. Go to Plugins in WordPress admin.
  3. Activate SessionQuota Pro.

Important: do not run the free and pro editions together

Only one SessionQuota edition should be active at a time.

If the free edition is already active, deactivate it before using SessionQuota Pro. Running both editions together can create conflicts.

Where to configure the plugin

After activation, go to:

  • Single site: Settings -> SessionQuota Pro
  • Multisite: Network Admin -> Settings -> SessionQuota Pro

License activation

SessionQuota Pro includes a License tab in the settings screen.

Use it to:

  • Enter your license key
  • Activate the license
  • Review activation status

First post-install checks

After activation, confirm the following:

  • The plugin settings page opens without errors
  • Your global session limit is set correctly
  • Your preferred enforcement mode is selected
  • Frontend integration is enabled if you want users to manage sessions from account pages

Multisite note

On multisite, SessionQuota Pro is designed for network-managed use and should be network-activated. See Multisite Guide for details.

Per-User Login Email Limit
https://handyplugins.co/docs/per-user-login-email-limit/
Published: Sat, 14 Mar 2026 19:20:33 +0000

Magic Login includes a built-in safeguard that limits how many login emails can be sent to the same user within a rolling one-hour window.

This helps reduce repeated login email abuse, mail flooding against individual accounts, and excessive token churn for the same user.

How It Works

When a login email is requested, Magic Login keeps track of how many login emails have already been sent to that user during the last hour.

If the configured limit is reached, no additional login email will be sent until earlier requests fall outside the one-hour window.

Default Behavior

By default, Magic Login allows up to 60 login emails per user within one hour.

This default is intentionally generous so that normal usage is not affected, while still providing a safety guard against repeated abuse targeting the same account.

Important Notes

This safeguard is designed as a lightweight abuse protection layer.

It is not a replacement for:

  • full request throttling
  • CAPTCHA or bot protection
  • WAF or edge-level rate limiting
  • SMTP or mail provider delivery controls

If you need stronger request-level protection, additional controls at the site or infrastructure level are still recommended.

Configuration

You can override the default limit in wp-config.php using the following constant:

define( 'MAGIC_LOGIN_REQUEST_FAILSAFE_LIMIT', 50 );

Disable the Limit

To disable this safeguard entirely, set the limit to 0:

define( 'MAGIC_LOGIN_REQUEST_FAILSAFE_LIMIT', 0 );

Filter Override

Developers can also override the limit programmatically using the magic_login_request_failsafe_limit filter.

Example:

add_filter( 'magic_login_request_failsafe_limit', function( $limit, $user ) {
	return 50;
}, 10, 2 );
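
The rolling one-hour window can be modeled as below to see how requests age out and when the next email becomes possible. This is an added sketch, not Magic Login's code: the class and method names, the in-memory timestamp store and the exact window-edge comparison are assumptions; only the 60-per-hour default and the rule that a limit of 0 disables the check come from this page.

```php
<?php
/**
 * Illustrative rolling-window limiter for login emails (hypothetical names;
 * not Magic Login's implementation). Timestamps are held in memory here; a
 * real plugin would persist them per user.
 */
final class ExampleLoginEmailLimiter {
    private const WINDOW = 3600; // rolling one-hour window, in seconds

    /** @var array<int, int[]> user ID => send timestamps still inside the window */
    private array $sent = [];
    private int $limit;

    public function __construct( int $limit = 60 ) { // 60 is the documented default
        $this->limit = $limit;
    }

    /** Returns true and records the send if an email may go out at $now. */
    public function allow( int $user_id, int $now ): bool {
        if ( 0 === $this->limit ) {
            return true; // a limit of 0 disables the safeguard
        }

        // Drop sends that have fallen outside the window (edge handling assumed).
        $recent = array_values( array_filter(
            $this->sent[ $user_id ] ?? [],
            static function ( int $ts ) use ( $now ): bool {
                return $ts > $now - self::WINDOW;
            }
        ) );

        if ( count( $recent ) >= $this->limit ) {
            $this->sent[ $user_id ] = $recent;
            return false; // refused requests are not counted as sent emails
        }

        $recent[]               = $now;
        $this->sent[ $user_id ] = $recent;
        return true;
    }
}

// Constructed timeline with a limit of 3 so the window edge is easy to follow.
$limiter = new ExampleLoginEmailLimiter( 3 );
foreach ( [ 0, 10, 20, 30, 3601, 3605, 3611 ] as $t ) {
    printf( "t=%4d %s\n", $t, $limiter->allow( 42, $t ) ? 'sent' : 'refused' );
}
```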

Magic Login – Security Guide
https://handyplugins.co/docs/magic-login-security/
Published: Fri, 14 Nov 2025 11:37:09 +0000

Magic Login is designed with both convenience and security in mind. This guide explains how the plugin handles key areas such as encryption, token security, expiration, salts, and recommended hardening practices for production sites.

Token Security

Magic Login generates single-use, time-limited login tokens by default. You can adjust both the token validity window and TTL from the settings page. We recommend configuring these options carefully and enabling the IP checking feature where appropriate.

Each token is:

  • Generated with a cryptographically secure random value
  • Hashed using hash_hmac('sha256', $token, wp_salt()) before being stored
  • Always stored together with a hashed version of the client’s IP address
  • Stored in user meta and associated with a timestamp

The raw token is only shown to the user (in the link or code); the plugin only stores a hashed version for verification.
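
The storage scheme listed above, modeled in stand-alone PHP as an added example that is not Magic Login's code. EXAMPLE_SALT stands in for wp_salt(); the function names, the record layout, the way the IP is hashed and the 900-second lifetime are assumptions.

```php
<?php
// Stand-in for wp_salt(); a constructed value for this example only.
const EXAMPLE_SALT = 'constructed-example-salt';

/** Issue a token: the raw value goes to the user, only hashes are stored. */
function example_issue_token( string $client_ip, int $now ): array {
    $raw    = bin2hex( random_bytes( 32 ) ); // cryptographically secure random value
    $record = [
        'token_hash' => hash_hmac( 'sha256', $raw, EXAMPLE_SALT ),
        'ip_hash'    => hash_hmac( 'sha256', $client_ip, EXAMPLE_SALT ), // assumed IP hashing
        'created'    => $now,
        'used'       => false,
    ];
    return [ $raw, $record ];
}

/**
 * Check a presented token against the stored record.
 * Returns 'ok' or the reason for rejection.
 */
function example_verify_token(
    string $presented,
    array &$record,
    string $client_ip,
    int $now,
    int $ttl = 900,
    bool $check_ip = true
): string {
    // Re-derive the HMAC and compare in constant time; the raw token is never stored.
    $candidate = hash_hmac( 'sha256', $presented, EXAMPLE_SALT );
    if ( ! hash_equals( $record['token_hash'], $candidate ) ) {
        return 'mismatch';
    }
    if ( $record['used'] ) {
        return 'already-used';
    }
    if ( $now - $record['created'] > $ttl ) {
        return 'expired';
    }
    $ip_hash = hash_hmac( 'sha256', $client_ip, EXAMPLE_SALT );
    if ( $check_ip && ! hash_equals( $record['ip_hash'], $ip_hash ) ) {
        return 'ip-mismatch';
    }

    $record['used'] = true; // single-use: consume on first success
    return 'ok';
}

// Constructed walk-through using documentation-range IP addresses.
[ $raw, $record ] = example_issue_token( '203.0.113.7', 1000 );

$attempts = [
    'wrong token'      => [ 'not-the-token', '203.0.113.7', 1010 ],
    'different IP'     => [ $raw, '198.51.100.9', 1010 ],
    'valid first use'  => [ $raw, '203.0.113.7', 1010 ],
    'replay of token'  => [ $raw, '203.0.113.7', 1020 ],
];
foreach ( $attempts as $label => [ $token, $ip, $at ] ) {
    printf( "%s: %s\n", $label, example_verify_token( $token, $record, $ip, $at ) );
}
```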

Token Formats by Channel

Depending on how you deliver the login, Magic Login uses different token formats:

  • Email link (default): A long random token suitable for links
  • SMS link: A shortened token to keep the login URL size reasonable (many SMS providers have ~300 character limits)
  • SMS code: A 6-digit numeric PIN that users enter manually
  • Email code: A 10-character, uppercase alphanumeric code (excluding ambiguous characters)

This keeps tokens usable in different channels while still being hard to guess.

Encryption & Decryption

Magic Login resolves its encryption key and salt in the following order:

1) Custom Plugin Constants (Recommended)

Define these in wp-config.php:

define( 'MAGIC_LOGIN_ENCRYPTION_KEY',  'your-long-random-secret-key' );
define( 'MAGIC_LOGIN_ENCRYPTION_SALT', 'your-long-random-secret-salt' );

If these are defined, they take priority.

2) WordPress Authentication Constants

If the plugin-specific constants are not defined, Magic Login falls back to:

LOGGED_IN_KEY
LOGGED_IN_SALT

This is safer than storing keys inside the database because WordPress expects these values to be defined in the configuration file.

3) Fallback Values (NOT SAFE FOR PRODUCTION)

If none of the above are defined, the plugin must fall back to:

this-is-not-a-secret-key
this-is-not-a-secret-salt

These are placeholders, intended for local development environments where encryption is still needed for functionality.

Why You Should Define Your Own Keys/Salts

Storing secrets inside the database is insecure.
Defining them in wp-config.php ensures:

  • They are not stored in the same place as encrypted data
  • They are harder for attackers to obtain
  • They are consistent across deployments (if you’re using version control)
  • They are compatible with multi-server environments

If you run a cluster/multi-server setup, make sure all nodes share the same values.

How to Generate Secure Keys

You can generate strong keys using:

Option 1 — WordPress Secret Key Generator

https://api.wordpress.org/secret-key/1.1/salt

Use any of the generated values for the plugin constants.

Option 2 — Command Line

openssl rand -base64 48

Example Recommended Setup (wp-config.php)

define( 'MAGIC_LOGIN_ENCRYPTION_KEY',  'hTDe2J39fS8H...random...94ksE' );
define( 'MAGIC_LOGIN_ENCRYPTION_SALT', 'pppew83hdns...random...W29saa' );

API Rate Limit

Magic Login PRO includes built-in API rate limiting starting from version 2.6.2. If you plan to expose or consume Magic Login’s API endpoints, we strongly recommend enabling rate limiting.

Why Rate Limiting Matters

Without rate limiting, an attacker could attempt:

  • Enumeration attacks (e.g., checking which email addresses or phone numbers exist)
  • Automated token generation abuse
  • Flooding API endpoints to degrade performance

Rate limiting helps mitigate these risks by restricting how many requests a specific client (e.g., IP address) can make within a certain time window.

How It Works

When rate limiting is enabled:

  • API requests are tracked using a hashed version of the client’s IP address for privacy
  • The plugin counts the number of attempts within the configured interval
  • Once the threshold is reached, further requests are temporarily blocked
  • The block resets automatically after the cooldown period

No raw IP addresses are stored — only hashed identifiers, ensuring GDPR-friendly logging.

Server-Level Security Expectations

Magic Login does not configure HTTP security headers.
Headers such as:

  • Content-Security-Policy
  • X-Frame-Options
  • Strict-Transport-Security

should be handled at the server level (nginx, Apache, CDN, Cloudflare).

This is the recommended approach because:

  • These policies must apply site-wide
  • They vary between hosting setups
  • They often require per-server customization
  • Plugin-based header injection can conflict with your host’s security rules

Magic Login Elementor
https://handyplugins.co/docs/magic-login-elementor/
Published: Tue, 22 Jul 2025 12:59:17 +0000

Using Magic Login PRO with Elementor

Magic Login PRO 2.6 introduces Elementor widgets for login and registration forms, making it easier to build custom authentication experiences without relying on shortcodes.

With these widgets, you can drag and drop Magic Login’s login and registration forms directly into your Elementor layouts, customize their appearance, and see live previews while editing.


Available Widgets

Magic Login PRO adds two widgets to Elementor:

  1. Magic Login – Login Form
    Displays the passwordless login form where users can enter their email address to receive a magic link.
  2. Magic Login – Registration Form
    Displays a registration form for new users, with support for collecting names, emails, and optional phone numbers (if SMS features are enabled).

How to Use the Widgets

  1. Make sure you’re running Magic Login PRO 2.6 or later and have Elementor installed.
  2. Open the page or template you want to edit with Elementor.
  3. Search for “Magic Login” in the Elementor widgets panel.
  4. Drag either the Login Form or Registration Form widget to your desired section.
  5. Customize the settings in the Elementor sidebar:
    • Redirect URL: Choose where users are redirected after logging in.
    • Button Text: Customize the call-to-action.
    • Style Options: Adjust colors, typography, and spacing to match your design.

Notes

  • These widgets function similarly to the existing shortcodes but provide direct visual editing and styling in Elementor.
  • All shortcode options remain available if you prefer to use them manually.
  • The forms are responsive and fully compatible with Elementor’s layout controls.

Troubleshooting

  • Widgets not showing in Elementor?
    Ensure Magic Login PRO 2.6+ is active and Elementor is updated.
  • Styling conflicts?
    Use Elementor’s styling panel to override defaults. You can also add custom CSS via Elementor’s advanced settings.