When a user logs on to a WordPress website, a session is created. The details of the session are stored in the WordPress database, specifically in wp_usermeta table.
If a session is not terminated by the user via a logout, WordPress automatically terminates the session after a certain period of time. However, in some cases WordPress fails to terminate sessions.
This could result in hundreds and thousands of hung sessions on your WordPress. However, there are two ways how you can terminate all the logged in WordPress user sessions on your website, as this post explains.
Terminating all WordPress users sessions with a plugin
The WP Security Audit Log plugin has a WordPress Users Sessions management tool. With it you can:
To terminate all the logged in users’s sessions on your WordPress website navigate to the Logged In Users entry in the plugin menu and click Terminate All Sessions, as highlighted in the below screenshot.
Terminating all WordPress logged in users sessions from the database
There might be edge cases in which the plugin cannot delete all the logged in sessions. For example, if a website has more than 100,000 logged in sessions. In such case most probably the plugin’s process times out.
If as such happens, then we’d recommend you to delete all the logged in sessions on your WordPress directly from the database. You can delete the sessions by running the following SQL query on your WordPress database:
DELETE FROM wp_usermeta WHERE meta_key='session_tokens';
Note that the wp_ table prefix might be different on your database, so update the query accordingly.
IMPORTANT: Advise logged in users about the session termination
When you terminate all the logged in sessions on WordPress you also terminate the sessions of the users that are currently logged in. So it is important to always advise all your users so they can save all their work. Ideally, you should do such maintenance during weekends or times when the site is least busy.