Skip to main content

wp user session

Overview

View and destroy active login sessions for any WordPress user. Essential for incident response when an account is compromised — force a logout without needing wp-admin access.

What It Does

wp user session manages the _wp_session_manager / wp_usermeta session data that WordPress stores for logged-in users. Destroying sessions immediately invalidates all active cookies for a user.

Subcommands

SubcommandDescription
wp user session list USERList all active sessions for a user
wp user session destroy USER [TOKEN]Destroy a specific session or all sessions

Basic Usage

List active sessions for a user

wp user session list admin --format=table

Output:

+------------------------------------------+------------------+-------------------------+----------+
| token                                    | ip               | login                   | expiry   |
+------------------------------------------+------------------+-------------------------+----------+
| a1b2c3d4e5f6...                          | 203.0.113.42     | 2026-01-14 08:32:00     | 48 hours |
+------------------------------------------+------------------+-------------------------+----------+

Destroy all sessions for a user (force logout)

wp user session destroy admin --all

Destroy a specific session by token

wp user session destroy admin a1b2c3d4e5f6...

Real-World Scenarios

Scenario 1: Security incident — force all admin sessions to expire

echo "Forcing logout of all admin accounts..."
for user in $(wp user list --role=administrator --field=user_login); do
  wp user session destroy "$user" --all
  echo "  Logged out: $user"
done
echo "Done. All admins must re-authenticate."

Scenario 2: After password reset, invalidate old sessions

wp user update john --user_pass='NewSecure!2026' --skip-email
wp user session destroy john --all
echo "Password updated and all sessions terminated for john."

Scenario 3: Audit active sessions across all users

for user in $(wp user list --field=user_login); do
  COUNT=$(wp user session list "$user" --format=count 2>/dev/null)
  if [[ "$COUNT" -gt 0 ]]; then
    echo "$user: $COUNT active session(s)"
  fi
done

Best Practices

  1. Always destroy sessions after password rotation on compromised accounts.
  2. Force session destruction before deleting a user to ensure clean termination.
  3. Audit sessions periodically for admin accounts as part of a security review.

Quick Reference

wp user session list <user>                # List sessions
wp user session destroy <user> --all       # Force logout all sessions
wp user session destroy <user> <token>     # Destroy one session

Next Steps