Login Settings Configuration

Version: 1.2.1 (Core & Pro)

Last Updated: November 2025

Difficulty: Intermediate

Time Required: 15 minutes

Overview

Attributes User Access provides extensive settings to control login behavior, session management, and security features. This guide covers all available configuration options.

Accessing Settings

Navigate to Settings:


WordPress Admin → Settings → Attributes User Access

Settings Page Sections:

  • General Settings
  • Login & Redirection
  • Session Management
  • Security Settings (Pro)
  • Email Settings (Pro)

General Settings

Plugin Status

Enable/Disable Plugin:

Toggle: “Enable Attributes User Access”

Default: Enabled

Note: Disabling the plugin restores default WordPress login behavior but keeps your configuration for when you re-enable it.

Default Login Page

Set Primary Login URL:

Field: “Default Login Page”

Example: /login/

Purpose: Main login page for your site

Usage:

  • This becomes your site’s primary login URL
  • Replaces /wp-login.php
  • Use in navigation menus and links

Hide WordPress Login

Option: Disable wp-login.php Access

Checkbox: “Hide WordPress Default Login”

Default: Unchecked

Recommendation: Enable (check the box) for security (Pro feature)

When enabled:

  • /wp-login.php returns a 404 error
  • Forces use of custom login pages
  • Prevents brute force attacks on the default URL

Important: Before enabling this, make sure your custom login page works correctly and that you can access it!
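
One way to run that check before and after ticking “Hide WordPress Default Login”. This is an added example, not code from the plugin. It assumes the custom login page answers an anonymous GET with 200; the host example.test and the names http_status and check_login_urls are placeholders.

```python
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx responses instead of following them


def http_status(url, timeout=10):
    """GET url and return its HTTP status code without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_login_urls(base_url, custom_path="/login/", hidden=True, fetch=http_status):
    """Return a list of problems; an empty list means the URLs behave as expected.

    hidden=False is the pre-flight check to run BEFORE enabling the option;
    hidden=True verifies the result afterwards.
    """
    base = base_url.rstrip("/")
    problems = []
    custom = fetch(base + custom_path)
    if custom != 200:
        problems.append(f"{custom_path} returned {custom}, expected 200")
    if hidden:
        default = fetch(base + "/wp-login.php")
        if default != 404:
            problems.append(f"/wp-login.php returned {default}, expected 404")
    return problems


# Constructed status codes standing in for a real site, so the example
# runs without network access.
WORKING = {"https://example.test/login/": 200,
           "https://example.test/wp-login.php": 404}
LOCKED_OUT = {"https://example.test/login/": 404,
              "https://example.test/wp-login.php": 404}

if __name__ == "__main__":
    print(check_login_urls("https://example.test", fetch=WORKING.get))
    print(check_login_urls("https://example.test", fetch=LOCKED_OUT.get))
```

Against a live site, call check_login_urls with your own base URL and leave fetch at its default. The LOCKED_OUT case is the one the note above warns about: the default URL is hidden while the custom page does not load.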

Login & Redirection Settings

Global Redirect

After Login Redirect:

Field: “Redirect After Login”

Default: WordPress dashboard

Example: /dashboard/

Options:

  • Leave empty: Uses WordPress default
  • Enter URL: All users go to this page
  • Use role-based: Configure per-role (see below)

After Logout Redirect

Where Users Land After Logout:

Field: “Redirect After Logout”

Default: Homepage (/)

Example: /goodbye/

Common options:

  • / (homepage)
  • /login/ (back to login)
  • /thank-you/ (custom goodbye page)

Role-Based Redirects

Configure Per-Role Destinations:

Administrator:

Redirect URL: /wp-admin/

Purpose: WordPress admin dashboard

Editor:

Redirect URL: /wp-admin/edit.php

Purpose: Posts management

Author:

Redirect URL: /my-articles/

Purpose: Their content dashboard

Contributor:

Redirect URL: /pending-submissions/

Purpose: Draft submissions area

Subscriber:

Redirect URL: /member-dashboard/

Purpose: Member content area

Customer:

Redirect URL: /my-account/

Purpose: WooCommerce account

Priority System:

Role-based redirects override the global redirect setting. If no role-specific redirect is set, the system uses the global redirect.

Session Management

Session Timeout (Pro)

Idle Timeout:

Field: “Idle Timeout”

Unit: Minutes

Default: 30 minutes

Range: 5-1440 minutes (1-24 hours)

Purpose: Auto-logout after inactivity

Example Settings:

  • High security sites: 15 minutes
  • Regular sites: 30 minutes
  • Convenience-focused: 60-120 minutes

Maximum Session Duration (Pro)

Total Session Limit:

Field: “Maximum Session Duration”

Unit: Hours

Default: 24 hours

Range: 1-168 hours (1-7 days)

Purpose: Force re-login after this time

Example Settings:

  • Banking/Healthcare: 2-4 hours
  • E-commerce: 24 hours
  • Membership sites: 48-72 hours
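
How the two limits interact, as an added model (not the plugin's code): the idle timeout restarts with each activity, while the maximum duration counts from login and ends even an active session. The function names and the choice to expire exactly at the limit are assumptions.

```python
from datetime import datetime, timedelta

IDLE_RANGE_MIN = (5, 1440)   # "Idle Timeout" range from this guide, in minutes
MAX_RANGE_HOURS = (1, 168)   # "Maximum Session Duration" range, in hours


def session_status(login_at, last_activity, now, idle_minutes=30, max_hours=24):
    """Return 'active', 'idle_timeout' or 'max_duration' for one session."""
    if not IDLE_RANGE_MIN[0] <= idle_minutes <= IDLE_RANGE_MIN[1]:
        raise ValueError("Idle Timeout must be 5-1440 minutes")
    if not MAX_RANGE_HOURS[0] <= max_hours <= MAX_RANGE_HOURS[1]:
        raise ValueError("Maximum Session Duration must be 1-168 hours")
    # The hard cap is checked first: activity never extends it.
    if now - login_at >= timedelta(hours=max_hours):
        return "max_duration"
    if now - last_activity >= timedelta(minutes=idle_minutes):
        return "idle_timeout"
    return "active"


def forced_logout_at(login_at, last_activity, idle_minutes=30, max_hours=24):
    """Earliest moment the session ends if the user does nothing more."""
    return min(last_activity + timedelta(minutes=idle_minutes),
               login_at + timedelta(hours=max_hours))


if __name__ == "__main__":
    # Constructed timeline using a 10-minute idle timeout and a 4-hour cap.
    login = datetime(2025, 11, 3, 9, 0)
    busy = login + timedelta(hours=3, minutes=58)   # user still clicking
    print(session_status(login, busy, login + timedelta(hours=4), 10, 4))
    print(forced_logout_at(login, busy, 10, 4))
```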

Remember Me Settings

“Remember Me” Checkbox:

Option: “Enable Remember Me”

Default: Enabled

Duration: 14 days (WordPress default)

Control Remember Me:

Show checkbox: Yes/No

Default checked: Yes/No

Duration: 1-90 days (Pro)

Best practices:

  • Enable for convenience
  • Disable for high-security sites
  • Use shorter duration for sensitive data

Login Attempt Settings (Pro)

Failed Login Limits

Limit Login Attempts:

Field: “Maximum Failed Attempts”

Default: 5 attempts

Range: 3-10 attempts

Field: “Lockout Duration”

Default: 30 minutes

Range: 5-1440 minutes

How it works:

  • User fails login X times
  • Account locks for Y minutes
  • User can try again after lockout period
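
The three steps above as a small state machine, added here as an illustration and not taken from the plugin. The guide does not say when the failure counter resets or how attempts during a lockout are treated; resetting on success and on lockout expiry, and refusing all attempts while locked, are assumptions of this model.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """Model of "Maximum Failed Attempts" (X) and "Lockout Duration" (Y)."""

    def __init__(self, max_attempts=5, lockout_minutes=30):
        if not 3 <= max_attempts <= 10:
            raise ValueError("Maximum Failed Attempts must be 3-10")
        if not 5 <= lockout_minutes <= 1440:
            raise ValueError("Lockout Duration must be 5-1440 minutes")
        self.max_attempts = max_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self.failures = {}      # username -> consecutive failed logins
        self.locked_until = {}  # username -> time the lockout ends

    def attempt(self, user, password_ok, now):
        """Record one login attempt; return 'ok', 'failed' or 'locked'."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"          # refused even with the right password
            del self.locked_until[user]  # lockout over: start counting afresh
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0      # assumption: success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            return "locked"
        return "failed"


def replay(policy, events):
    """Feed (minute_offset, user, password_ok) tuples through the policy."""
    start = datetime(2025, 11, 3, 9, 0)
    return [policy.attempt(u, ok, start + timedelta(minutes=m)) for m, u, ok in events]


# Constructed attempt log: (minutes since 09:00, username, password correct?)
EVENTS = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
          (10, "alice", True), (33, "alice", True), (34, "bob", False)]

if __name__ == "__main__":
    print(replay(LockoutPolicy(max_attempts=3, lockout_minutes=30), EVENTS))
```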

IP Blocking (Pro)

Block Suspicious IPs:

Option: “Enable IP Blocking”

Default: Disabled

Threshold: Failed attempts from IP

Action: Temporary block or permanent ban

Password Requirements (Pro)

Password Strength

Minimum Requirements:

☐ Minimum length: 8-20 characters

☐ Require uppercase letters

☐ Require lowercase letters

☐ Require numbers

☐ Require special characters

☐ Prevent common passwords

Example Configurations:

Basic Security:

✓ 8 characters minimum

✓ Require numbers

Medium Security:

✓ 10 characters minimum

✓ Require uppercase

✓ Require numbers

✓ Require special characters

High Security:

✓ 12 characters minimum

✓ Require uppercase

✓ Require lowercase

✓ Require numbers

✓ Require special characters

✓ Prevent common passwords

Password Expiration (Pro)

Force Password Changes:

Field: “Password Expiration”

Default: Never

Options: 30, 60, 90, 180 days

Purpose: Regular password rotation

Best for:

  • Corporate environments
  • Healthcare (HIPAA compliance)
  • Financial services
  • Educational institutions

Email Notifications (Pro)

Login Notification Emails

Alert Users of New Logins:

☐ Send email on new device login

☐ Send email on new location login

☐ Send email for all logins

Recipient: User’s email address

Admin Notification

Alert Admins of Issues:

☐ Failed login attempts

☐ Account lockouts

☐ New user registrations

☐ Password changes

Recipient: Admin email

Advanced Settings

Login Form Customization

Form Behavior:

☐ Show/hide “Lost Password” link

☐ Show/hide “Register” link

☐ Enable AJAX login (no page reload)

☐ Remember last username

URL Redirects

Prevent Direct Access:

Option: “Redirect wp-login.php”

Destination: Custom login page

Redirect Logged-in Users:

Option: “Redirect if already logged in”

From: Login page

To: Dashboard or custom page

Configuration Examples

Example 1: Membership Site

Goal: Easy access, long sessions


Settings:
  Global Redirect: /member-dashboard/
  Session Timeout: 60 minutes
  Max Session: 7 days
  Remember Me: Enabled (14 days)
  Failed Attempts: 5
  Password: 8 chars, basic requirements

Example 2: Corporate Intranet

Goal: High security, regular re-auth


Settings:
  Role-based Redirects: By department
  Session Timeout: 15 minutes
  Max Session: 8 hours
  Remember Me: Disabled
  Failed Attempts: 3
  Password: 12 chars, all requirements
  Password Expiration: 90 days
  2FA: Required

Example 3: E-Commerce Store

Goal: Balance security and convenience


Settings:
  Customer Redirect: /my-account/
  Session Timeout: 30 minutes
  Max Session: 24 hours
  Remember Me: Enabled (7 days)
  Failed Attempts: 5
  Password: 10 chars, medium requirements
  Email Alerts: New device logins

Example 4: Healthcare Portal (HIPAA)

Goal: Maximum security and compliance


Settings:
  Role-based Redirects: By role
  Session Timeout: 10 minutes
  Max Session: 4 hours
  Remember Me: Disabled
  Failed Attempts: 3
  Lockout: 60 minutes
  Password: 14 chars, all requirements
  Password Expiration: 60 days
  2FA: Required
  IP Restrictions: Office IPs only
  Audit Logging: All actions

Testing Your Configuration

    • Test login flow: Verify redirects work
    • Test as each role: Check role-specific redirects
    • Test session timeout: Wait and verify auto-logout
    • Test failed attempts: Verify lockout occurs
    • Test logout: Check logout redirect
    • Test remember me: Close browser, return later

Troubleshooting

Settings Not Saving

Solutions:

    • Check file permissions (wp-content should be writable)
    • Disable caching plugins temporarily
    • Clear browser cache
    • Check for JavaScript errors in console

Redirects Not Working

Solutions:

    • Verify destination pages exist
    • Flush permalinks (Settings → Permalinks → Save)
    • Check for conflicting plugins
    • Ensure URLs start with / or http://

Users Logged Out Too Soon

Solutions:

    • Increase session timeout setting
    • Check server session configuration
    • Verify remember me is enabled
    • Check for cookie conflicts