Dan Knauss dknauss

@dknauss
dknauss / expire_idle_wp.html
Last active January 6, 2025 19:22
Expire Idle WordPress Sessions (JavaScript)
<script type="text/javascript">
var logoutUrl = '<?php echo htmlspecialchars_decode( wp_logout_url() ); ?>';
var timeout;
var idleLimitMs = 5 * 60 * 1000; // Assumed value: five minutes, matching the PHP session limits in the gists below.
window.onload = resetTimeout;      // document.onload never fires; the load event belongs to window.
document.onmousemove = resetTimeout;
document.onkeypress = resetTimeout;
function resetTimeout() {
clearTimeout( timeout );
// Any activity restarts the countdown; when it runs out, send the browser to the logout URL.
timeout = setTimeout( function () { window.location.href = logoutUrl; }, idleLimitMs );
}
</script>
@dknauss
dknauss / always_five_if_active.php
Last active December 30, 2024 17:04
Every time a WordPress Admin user refreshes a page, reset their session cookie expiration to five minutes.
add_filter('auth_cookie_expiration', function (int $default_duration, int $user_id) {
if (user_can($user_id, 'manage_options')) {
return 5 * MINUTE_IN_SECONDS;
}
return $default_duration;
}, 10, 2);
// Note: This filter expires sessions that are idle for more than five minutes and keeps active admin user sessions
// alive continuously as long as there has been activity (page loads/GET requests) within the last five minutes.
@dknauss
dknauss / psudo.php
Last active September 19, 2025 04:25
"Psudo" is a "pseudo sudo" mode for WordPress administrators: it requires reauthentication to perform sensitive admin tasks for a short window of time. (This overgrown gist is due to become a real plugin.)
<?php
/**
* == Psudo ==
*
* Plugin Name: Psudo
* Version: 1.0
* Author: Dan Knauss
* Contributors:
* Donate link: https://example.com/
* Tags: security, user management
@dknauss
dknauss / failed_login_401.php
Last active December 30, 2024 17:10
Return 401 error response for failed WordPress logins.
add_action( 'wp_login_failed', function (): void {
status_header( 401 ); // Generates PHP header("HTTP/1.1 401 Unauthorized");
wp_die( 'Your login attempt failed.' ); // Kill WP/PHP execution with WSOD + error message. (Optional)
} );
// A 401 error for failed logins (rather than the default 200 response) may be useful to trigger security tools watching the HTTP
// access log like fail2ban and mod_security. If fail2ban is set to block IPs with repeated login failures (401s), send it 401s
// for failed logins. Halting PHP execution then is useful if you want to suppress default 'helpful' error messages too.
// A more robust approach would also handle login requests over XML-RPC and the REST API.
// See: https://github.com/amitrahav/WP-401-On-Failed-Login/blob/master/401-on-auth-fail-init.php
@dknauss
dknauss / expire_idle_sessions.php
Last active December 30, 2024 17:11
Expire idle WordPress user sessions
// Set a short expiration for the user's auth/session cookie.
add_filter( 'auth_cookie_expiration', 'set_session_limit', 10, 3 );
function set_session_limit( $expire, $user_id, $remember ) {
// The "Remember Me" flag is ignored on purpose: every login gets the same short limit,
// so the extended two-week session is never granted to anyone.
return 300; // Login session limit in seconds, 300 = 5 minutes
}
// Hook this function to the 'init' action to run on every page load.
add_action( 'init', 'if_idle_reset_cookie_expiration' );
function if_idle_reset_cookie_expiration() {
@dknauss
dknauss / set_session_limits.php
Created September 16, 2024 14:11
Set WordPress user session expiration (hard, upper) limits.
// Set session expiration limits in seconds.
add_filter('auth_cookie_expiration', 'session_expiration_filter', 99, 3);
function session_expiration_filter($seconds, $user_id, $remember){
//if "remember me" is checked;
if ( $remember ) {
//WP defaults to 2 weeks (14*24*60*60);
$expiration = 60; //UPDATE HERE;
} else {
//WP defaults to 48 hrs/2 days (2*24*60*60);
@dknauss
dknauss / session_check_intervals.php
Created September 16, 2024 14:11
Set WordPress auth/session cookie check interval and heartbeat interval.
// Set the authentication check interval in seconds.
add_filter( 'wp_auth_check_interval', 'auth_check_interval_filter', 99, 1 );
function auth_check_interval_filter( $interval ) {
$interval = 1;
return $interval;
}
// Set the heartbeat interval in seconds.
// Note: heartbeat.js clamps 'interval' to the 15-120 second range, so a value of 1 is raised to 15 on the client.
add_filter( 'heartbeat_settings', 'wb_set_heartbeat_time_interval' );
function wb_set_heartbeat_time_interval( $settings ) {
$settings['interval'] = 1;
return $settings;
}
@dknauss
dknauss / log_wp_login.php
Last active December 30, 2024 16:57
Log the time() a WordPress user session started (wp_login) and ended (wp_logout).
// Log session login time when wp_login() is fired.
function user_session_start( $user_login, $user ) {
update_user_meta( $user->ID, 'last_login', time() );
return $user_login;
}
add_action( 'wp_login', 'user_session_start', 10, 2 );
@dknauss
dknauss / duplicate_page_or_post.php
Created August 21, 2024 22:27
Duplicate WordPress Pages and Posts
$current_user = wp_get_current_user();
$new_post_author = $current_user->ID;
/*
* if post data exists, create the post duplicate
*/
if (isset( $post ) && $post != null) {
/*
* new post data array
@dknauss
dknauss / wp-disable-login-form.php
Last active February 9, 2025 21:48 — forked from daggerhart/wp-disable-login-form.php
The WordPress login form never loads unless a "secret" key-value pair exists as a URL parameter.
add_filter( 'wp_login_errors', 'login_form_lockdown', 90, 2 );
/**
* This code locks down the WordPress login form by hijacking the page via the 'wp_login_errors' hook and only executing the
* login header, footer, and necessary closing tags unless a URL parameter (defined in the function) is included in the request.
* If the parameter exists, the full login form is returned in the error object.
*
* Without the "secret" key-value pair passed as a URL parameter, all login pages will be blank except for any HTML/CSS loaded
* prior to wp_login_errors, such as the default wordpress.org-linked WordPress logo above the (absent) login form.
*