A Quick Look at How the WordPress “Log Out Everywhere” Button Works

Published by John on October 28, 2019 Under Wordpress

I got an email this morning from a client asking about performance issues related to the “Log Out Everywhere” button, which appears when editing a WordPress user under Users in the WP-ADMIN area of the site. For all the WordPress work I have done and still do, including custom plugin development that logs users in and out, I had never really dug into how it actually works under the hood. So, I decided to take a quick look at what this button does and what goes on when you log a user out.

When you click the button, JavaScript in wp-admin/js/user-profile.js sends a WP AJAX request with the destroy-sessions action, which WordPress routes to the wp_ajax_destroy_sessions function.

The wp_ajax_destroy_sessions function is defined in wp-admin/includes/ajax-actions.php:

function wp_ajax_destroy_sessions() {
	$user = get_userdata( (int) $_POST['user_id'] );
	if ( $user ) {
		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
			$user = false;
		} elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
			$user = false;
		}
	}

	if ( ! $user ) {
		wp_send_json_error(
			array(
				'message' => __( 'Could not log out user sessions. Please try again.' ),
			)
		);
	}

	$sessions = WP_Session_Tokens::get_instance( $user->ID );

	if ( $user->ID === get_current_user_id() ) {
		$sessions->destroy_others( wp_get_session_token() );
		$message = __( 'You are now logged out everywhere else.' );
	} else {
		$sessions->destroy_all();
		/* translators: %s: User's display name. */
		$message = sprintf( __( '%s has been logged out.' ), $user->display_name );
	}

	wp_send_json_success( array( 'message' => $message ) );
}

As you can see, the function itself is pretty short. It loads the requested user, checks that the current user has permission to edit that user, and verifies the nonce; if either check fails, wp_send_json_error ends the request, so the rest only runs when both pass. It then calls the static get_instance function of the WP_Session_Tokens class to get the session token manager for that user.

The WP_Session_Tokens class is defined in wp-includes/class-wp-session-tokens.php. By default, get_instance returns an instance of its WP_User_Meta_Session_Tokens subclass, found in wp-includes/class-wp-user-meta-session-tokens.php, which stores sessions in user meta (a plugin can swap in another storage backend through the session_token_manager filter).

Then, depending on whether a user is logging themselves out or an admin is logging out a different user, the destroy_others or destroy_all function is called.

Both of these are similar and clear out the value of session_tokens: destroy_others keeps only the current session and drops the rest, while destroy_all deletes every existing session for that user.

Putting it All Together

So, to summarize:

  • When you log in to WordPress, some session information is stored in the user meta table (wp_usermeta) with a meta_key of session_tokens.
  • As you browse the site, this is checked to ensure your session is still active.
  • When you use the Log Out Everywhere button, WordPress clears this value from the database, so the next time you visit the site you will have to log in again.

If you want to manually log out a user, something like the following will work, replacing {YOUR_USER_ID} with the correct user_id (WordPress keeps a single session_tokens row per user, so the limit 1 is safe):

update wp_usermeta set meta_value = '' where user_id = {YOUR_USER_ID} and meta_key = 'session_tokens' limit 1;
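If you would rather go through the same API the button uses instead of editing the table directly, the following WP-CLI command does it. This is an added example written for this post, not code from WordPress core or the original article; it assumes the file is dropped into wp-content/mu-plugins/ and that WP-CLI is installed, and the command name "session" is my own choice.

```php
<?php
/**
 * Plugin Name: Session Audit (added example, not WordPress core code)
 * Description: Lists and revokes a user's login sessions through WP_Session_Tokens,
 *              the same API the "Log Out Everywhere" button calls.
 */

// Assumption: loaded as an mu-plugin, so it only registers itself under WP-CLI.
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
	return;
}

class Session_Audit_Command {

	/** wp session audit <user_id> : show active sessions (token hashes are never printed). */
	public function audit( $args ) {
		$user = get_userdata( (int) $args[0] );
		if ( ! $user ) {
			WP_CLI::error( 'No such user.' );
		}
		$manager = WP_Session_Tokens::get_instance( $user->ID );
		$rows    = array();
		// get_all() returns only sessions that have not yet expired.
		foreach ( $manager->get_all() as $session ) {
			$rows[] = array(
				'login'      => gmdate( 'c', $session['login'] ),
				'expiration' => gmdate( 'c', $session['expiration'] ),
				'ip'         => isset( $session['ip'] ) ? $session['ip'] : '',
				'ua'         => isset( $session['ua'] ) ? substr( $session['ua'], 0, 40 ) : '',
			);
		}
		WP_CLI\Utils\format_items( 'table', $rows, array( 'login', 'expiration', 'ip', 'ua' ) );
	}

	/** wp session revoke <user_id> : same effect as destroy_all() in wp_ajax_destroy_sessions. */
	public function revoke( $args ) {
		$user = get_userdata( (int) $args[0] );
		if ( ! $user ) {
			WP_CLI::error( 'No such user.' );
		}
		WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
		WP_CLI::success( sprintf( '%s has been logged out of every session.', $user->user_login ) );
	}
}

WP_CLI::add_command( 'session', 'Session_Audit_Command' );
```

Because it goes through the session manager, this also works on sites that replace the user-meta backend via the session_token_manager filter, which the raw SQL above would not.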
