InstallActivateGo Remember Me Plugin
Control whether Remember Me is selected on the WordPress Login Form, without using any JavaScript.
Allows the Administrator and/or the User to control the placement of a check mark in the Remember Me checkbox on the standard WordPress login form.
Without a check mark in the Remember Me checkbox, your users will have to log in every time they close their browser. With Remember Me selected, they won’t have to log in again for two weeks.
The first of a new series of Install/Activate/Go plugins that require no setup or settings changes to work for 99% of Use Cases.
Settings allow:
- The Administrator to control whether Remember Me is the default for all logins, logins from Admin panels or logins from public web pages controlled by My Private Site or equivalent plugin
- The Administrator to control if the User’s Remember Me choice is remembered and, if so, for how long
- Disabling of the plugin’s control of the Remember Me checkbox
Defaults:
- Remember Me is the default for all logins
- The User’s Remember Me choice will be remembered for one year
There are other plugins that make Remember Me the default, but I wrote this plugin in October 2013 because I wanted a solution that did not require JavaScript, which was the solution used by every other plugin that I could find. This plugin uses a documented standard WordPress Action (“hook”) and a Post variable used by WordPress just for this purpose, i.e. straight PHP with no JavaScript.
Deciding whether this plugin is for you:
- WordPress always leaves the Remember Me checkbox empty, even if you selected it the last time you logged on;
- Without Remember Me checked, logoff occurs automatically when the browser is closed or two days have passed;
- Without Remember Me checked, some browsers will force a login when opening a new browser window;
- With Remember Me checked, logoff occurs automatically in two weeks;
- With Remember Me checked, the user remains logged in even if the browser is closed, the user’s computer is rebooted or the web site hosting server is rebooted;
- Web sites that can only be viewed by registered users (e.g. the My Private Site plugin) are more likely to want Remember Me pre-selected for each user at login, as web site viewing will be more frequently repeated than WordPress Administration;
- For public or shared computers, the WordPress behaviour of leaving the Remember Me checkbox empty is a slight Security improvement, but is easily defeated by a user selecting Remember Me during login, which still leaves subsequent users logged on.
FAQ
Has this plugin been tested in my Hosting Environment?
The latest version of this plugin was tested and found to work properly in the following Hosting Environments:
- The latest version of WordPress with PHP Version 8.2 on both Windows and Linux shared hosting
- The latest version of WordPress with PHP Version 7.0 on both Windows and Linux shared hosting
- WordPress Version 6.0 with PHP Version 5.6 on Linux shared hosting
Note that Version 7.0 is the oldest version of PHP that the current version of WordPress runs on.
Will this plugin work with other Login forms?
It depends on whether the other Login form provides two standard technical features of the WordPress Login form generated by wp-login.php:
- The “login_form_login” Action; and
- The “rememberme” Post field.
Both are used by this plugin.
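How the “login_form_login” Action and the “rememberme” Post field can be combined to pre-select the checkbox in straight PHP, shown as an added example that is not this plugin's own code. The function name and cookie name prefixed `example_` are hypothetical; the one-year lifetime mirrors the default described above.

```php
<?php
// Added example, not the plugin's own code. Names starting with "example_"
// (the function and the cookie) are hypothetical.

// wp-login.php fires "login_form_{$action}" before any output, then ticks the
// checkbox when $_POST['rememberme'] is non-empty.
add_action( 'login_form_login', 'example_remember_me_default' );

function example_remember_me_default() {
    $cookie = 'example_remember_choice';
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';

    if ( 'POST' === $method ) {
        // A real login attempt: never alter the field here, because wp_signon()
        // reads the same value to choose the auth cookie lifetime. Only record
        // what the user picked so the next form can start from it.
        $choice = empty( $_POST['rememberme'] ) ? '0' : '1';
        setcookie( $cookie, $choice, time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        return;
    }

    // Form display: respect a stored opt-out, otherwise pre-select.
    if ( isset( $_COOKIE[ $cookie ] ) && '0' === $_COOKIE[ $cookie ] ) {
        return;
    }
    $_POST['rememberme'] = 'forever'; // same value the core checkbox submits
}
```

The guard on POST is the important part: without it, a user who deliberately clears the checkbox on a shared computer would still receive the long-lived auth cookie.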
How much Security am I sacrificing by using this plugin?
It was a conscious security decision by WordPress developers to always present the standard WordPress Login form with the Remember Me checkbox empty.
On the other hand, savvy users quickly got into the habit of being sure the Remember Me checkbox was selected every time they logged on.
The security risk is very dependent on how many registered users will log in using a public or other shared computer that does not have an effective mechanism built in for automatically deleting auth cookies when one person finishes and the next begins. There is a similar risk in office environments where a person steps away from their office computer without locking it in the sense of requiring a password be typed to gain access.
Of course, the most important security question to ask is: What level of risk do other people using the same computer as a registered user pose?
Changelog
3.0.2
- Check for attempt to directly access admin.php
3.0.1
- Tested with older versions of WordPress and PHP, and minimum WordPress changed to 6.0 from 6.3
3.0
- Defaults to Recommended Settings
- Major rewrite of Admin page to meet current WordPress standards
2.1.1
2.1
- Correct Login “bizarre behaviour” bug caused by not returning the WP Error object to Filter ‘wp_login_errors’
2.0
- Add Settings to disable the plugin, set the Remember Me default, and remember User’s Remember Me choice
1.0
- Prepare to WordPress Plugin Directory standards.