WordPress Plugin: Cookie Timeout

My wife called me to tell me that people could reach her site’s admin page (specifically her mother), and wanted me to check her site. I told her that she probably forgot to logout, and I was right. The default expiration for the login cookie is one year. I just wrote a small plugin to change that value to something more reasonable.

Version History:

  • 0.60 Compatible with WordPress 2.7. (2008-12-11)
  • 0.50 Compatible with WordPress 2.5. (2008-03-29)
  • 0.42 Fixed another redeclare error and the plugin can now be run from sub-directories. (2008-03-22)
  • 0.40 Added option to ignore the “Remember me” checkbox on the login page. (2006-06-13)
  • 0.36 Added nonce security. (2006-06-03)
  • 0.35 Fixed “Cannot redeclare wp_setcookie()” error when the plugin is activated. (2006-04-10)
  • 0.31 Compatible with WP 2.01. Simply some internal housekeeping on their part. (2006-01-31)
  • 0.30 Compatible with WP 2.0. Now respects the new “Remember me” checkbox on login (2005-12-21)
  • 0.20 Added ability to expire the cookie when the current browser session is closed (2005-06-27)
  • 0.11 Added message for the need to logoff after making changes (2005-05-23)
  • 0.10 Initial version

NOTE: If you want this plugin’s values to work on password protected posts you have to replace the wp-pass.php file in the root of your installation with the following version:

Join the Conversation


  1. Thanks for the great plugin. Does It work with WP 1.5? I use WP 1.5 and don’t want to upgrade until WP 1.5.2 comes out so…?

    I guess It might work with 1.5. If It doesn’t, ohh well.

  2. It would be even better to expire at the end of a browser session. To make this happen, set the timeout to NULL.

  3. Brilliant, this is exactly what I want. I can’t believe that the default wordpress installation does not include something like this…

  4. The plug-in works great, but doesn’t address the cookie written for password protected posts. It has a 10 day default life – a problem if you use public computers. I’ve edited the wp-pass.php file to change line reading “setcookie(‘wp-postpass_’ . COOKIEHASH, $_POST[‘post_password’], NULL /* time() + 864000 */, COOKIEPATH);”, changing 864000 to 0. This clears the password cookie after closing the browser session, but not at logout from WP. Any chance this cookie can be included in your plug-in?

  5. I think that “THIS PLUGIN ROCKS !!” would be the appropriate sentence I will use talking about your idea…


  6. Thanks for this plugin. I was having the exact same problem that you describe (logged in on my mom’s computer).

    So, when I activated the cookie and changed the timeout, WP told me that I had to log out to make this work properly. How does that work for my mom’s computer–i.e. on a computer that has the old cookie set? Will she have to log out before her cookie expires, or will she be logged out automatically the next time she comes to my WP site?

    I guess what I’m asking is does this change affect previously made cookies by WP, or does it only affect new cookies made after the installation of the plugin?

  7. Thanks, Moby

    What kills me about the WP cookie is that it doesn’t matter if the password has been changed; the cookie still thinks that the original user has rights to log in. So, if they never log out, there is no way to take away their full-access to the system for OVER A YEAR!

    This seems like it could be a big secuirty issue for somebody who didn’t know enough to log out.

    I guess that is why we should all install, and use, your great plugin from the beginning!

  8. I try to install this plugin in version 1.5.2 and it look like is doesn’t work. Is this version support 1.5.2 or I did something wrong.

  9. Yes, it works in 1.5.2. That’s the version I’m using. Are you sure you activated the plugin and did you changed any of the plugin’s options?

  10. I installed plugin in plugin folder and activated but when, I try to go to the options page, I get page not found. it’s looking for the php in a different folder. Is there someplace to change this? Am I supposed to copy the file to both places? There’s no Read Me file in the folder.

  11. You are using WordPress 1.5.1 or greater, right?

    If so you shouldn’t have to copy the plugin to another place. Can you post the URI that it’s trying to get to?

  12. Fantastic …

    Both the Logout and Password Posts are working for me perfectly in IE … but not in Firefox (1.0.7) …

    If I close a browser session and open a new one, I’m still logged in and can still access PW-protected pages …


    Nick 🙂

  13. Moby,

    yes, the two URIs are the same. Other options work correctly except wp-Contact form (which gives me a page not found, and possible one other that I can’t remember now.

    I actually get two different links to the option

    1. The link to the cookietimeout option from the plugin page looks exactly as you have it (http://www.healingspirit.com/journal/wp-admin/options-general.php?page=cookietimeout.php)but give me this: “Cannot load cookietimeout.php.”

    2. If I go directly to the Option page and click on Cookietimeout, the link is different (http://www.healingspirit.com/journal/wp-admin/cookietimeout.php) and I get “Page not found.”

  14. I get an error when I try to open the zip file after downloading. Is this plug-in still available? It would be extremely helpful for my site. THANKS!

  15. I am fairly new to WordPress and using it, so I have a question about your plugin. It seems that it will do exactly what I want, however it seems to conflict with the ldap plugin that we are currently using. The error is as follows:
    Fatal error: Cannot redeclare wp_setcookie() (previously declared in /srv/www/htdocs/wp-content/plugins/cookietimeout.php:44) in /srv/www/htdocs/wp-content/plugins/ldap_auth.php on line 277

    The LDAP authentication plugin that we are using is version 1.01 from Patrick Cavit.

    Anyone get them working together?

  16. Both plugins modify the function wp_setcookie, so the plugins won’t work together. They would have to be merged into one plugin.

  17. As told, it doesn’t work if you have WP 1.5.

    I tried to install ignoring that warning, and happened that I became unable to login, no matter what I tried to do.

    I had to upgrade to WP 2.0 to work on my blog again!

  18. Well, I can’t find “logout icon” no more.
    I would like to logout without closing my browser window.
    (I’m also using the Tiger Style Administration plugin).

  19. I had to change the code for your wp_pass.php in order to display my password protected posts (same login prompt would keep appearing even after successfully putting in password). I changed:

    setcookie(PASS_COOKIE, …..


    setcookie(‘wp-postpass_’ . COOKIEHASH, ……

    Now it works.

  20. I copied the file (Version: 0.31) into my plugin folder but when I try to activate it, I get the following error:
    Fatal error: Cannot redeclare wp_setcookie() (previously declared in /home/content/d/r/d/drdetecto/html/wp-includes/pluggable-functions.php:252) in /home/content/d/r/d/drdetecto/html/wp-content/plugins/cookietimeout.php on line 44

    I am using WordPress 2.0.2

    help much appreciated

  21. Does it work after you get the error? If not, try refreshing the page with the error still up. Does it work after that?

  22. Heyè Same problem here:
    Fatal error: Cannot redeclare wp_setcookie() (previously declared in /var/www/dglauser/wp-includes/pluggable-functions.php:252) in /var/www/dglauser/wp-content/plugins/cookietimeout.php on line 44, version 2.0.2. Refreshing makes error message disappear, but it seems that the wrong wp_setcookies() is used (not the one of the plugin) afterwards.

  23. Hi. I maintain some sites that are still using WP 1.52, and I do believe an older version of your plugin works with that. The plugin doesn’t have the different versions avaiable, though. I hope you can also provide links to the older versions.



  24. Hi, I have read this page a dozen times, repeated all steps, and tried changing numbers. The password protected post always shows after the password is put in. I need it to revert back to “please enter password” after closing the browser window. Maybe I missed something, but I think I’ve tried everything.

  25. I downloaded the plugin which works beautifully, but I’ve found that the modified file for password protected pages doesn’t work in firefox. I’ve changed the values and it’s fine in IE, but even after logging out and closing the browser I remain logged in to password protected posts in firefox. Any ideas?

  26. I am definitely using 0.40 (it has the check supposed to prevent the redeclare error)but I still get the error (with WP 2.3.3,not 2.3.2 as posted above). I’m desperate to get this plugin working. Is there anything I can try?

  27. With 0.41 the plugin appears to activate, but when I go to ‘Cookie timeout’ under ‘Options’ I get:

    Not Found

    The requested URL /wp-admin/cookietimeout.php was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    What shall I try next? Your help so far is much appreciated.

  28. Almost missed the 0.6 version update – 0.5 seemed to be working with WP2.7 as far as I was aware!

    Thanks again for developing and maintaining this invaluable plugin.

Leave a comment

Your email address will not be published. Required fields are marked *