How to Properly Force Logout for All Users in WordPress

Every now and then, there is usually a need to log out all users of your WordPress website. There are a number of reasons why you may need to have all users logged out.

One of the primary reason might be to fixed a hacked or compromised WordPress website. If your website is hacked using a brute-force email attack, it might necessary to force all users out and them force them to log in again. If this is a situation that you find yourself in then this tutorial is for you.

The above scenario is just one of the instances that we need to make sure we have a clean slate for fixing a hacked website. There are plenty other reasons why you would want to log out all users of your website.

Understanding how WordPress User Login System Works

In this section, we will be going over briefly how the login system for WordPress works. We will just be doing a very high-level concept of how users are logged in and how they stay logged in.

WordPress, like any traditional LAMP – Linux Apache, MySQL and PHP application, uses HTTP sessions to maintain state. What this means is that since HTTP is stateless, the application needs a way to identify the user’s active interactions with the website.

As such, for every user, once they are logged in, a unique cookie is used to identify a users session. To make it possible to identify users, and actions on the website, every request the users make to the server contain a cookie which is used to identify the user.

On the server side, the PHP code utilizes a combination of encryption logic to decode the cookie and identify the user session. One of the parameters that the code uses is what is called an encryption salt! This allows as to form unique keys for our users.

Resetting the WordPress Salt to Force logout

As described above, since WordPress uses a salt to help hash, encrypt and decrypt the cookie, changing the value of the salt instantly invalidates all existing session with the website, making it required to log into the website.

To change this, you need to visit the wp-config.php and identify the lines that look like the snippet below:

define('AUTH_KEY',         'K2#m<|[UO==4Nv c+Ox+^NH.H*6DmQRJntnj|SwKg)>,>O-z/IeRr?>5lmx`Hf:');
define('SECURE_AUTH_KEY',  '-Qf(}6G(zB`(D*)]fe;iEwM]PU>BY:$Ni6][email protected]<[email protected]');
define('LOGGED_IN_KEY',    '6R6:bur.^!Q1K-/H!$]A$3JaaO]r|B&zu~{-*})|+C|');
define('NONCE_KEY',        'LM7}+||^qoISh4#q_ ST%x0vke+TQD(^$W{lVQ_TyV!%,N++H)4+>uSZl6Z%W[3');
define('AUTH_SALT',        'PpS;[email protected]:=,RC;&kkNXNkP -v=Lr;ghGft:?WV5vA-lje|h{A19Tfzq$[');
define('SECURE_AUTH_SALT', '+H.u}x4u<6-^HY+/z');

We fetch a new version of all these hash keys from the following URL:

At this point, you just need to replace the values of the fields in the wp-config.php with the values displayed on the website. Once this is accomplished, all existing cookies which are used to identify logged in users on your WordPress site will be immediately invalidated causing users to log in.

Viola! We hope you have enjoyed reading this article about how to forcefully log out all users from your website. If you have every needed to perform this action on the website, let us know your experience with it.