
If you’re a super admin managing a WordPress multisite network with different domain names, you know the frustration: logging in repeatedly as you move between sites. Unlike subdomain-based multisites, separate domains can’t share authentication cookies, forcing you to authenticate each time.
While this is secure by design, it can significantly slow down your workflow. Here’s how to extend your session length intelligently without compromising security.
Understanding WordPress Session Behavior
WordPress uses two types of sessions:
- Regular sessions – Last approximately 2 days
- “Remember Me” sessions – Last 14 days by default
When managing multiple domains in a multisite, each domain maintains its own authentication scope. This is a core WordPress security feature that prevents unauthorized cross-domain access.
The Solution: Extend Session Length with Custom Code
You can customize session duration using the auth_cookie_expiration filter. Add this code to your wp-config.php file, before the /* That's all, stop editing! */ line:
```php
// Extend "Remember Me" session for super admins
add_filter('auth_cookie_expiration', function($expiration, $user_id, $remember) {
    if ($remember) {
        // Extended session for super admins
        if (is_super_admin($user_id)) {
            return 90 * DAY_IN_SECONDS; // 90 days
        }
        // Regular users get 7 days
        return 7 * DAY_IN_SECONDS;
    }
    // Standard session without "Remember Me"
    return 2 * DAY_IN_SECONDS;
}, 10, 3);
```
How It Works
The code checks three conditions:
- Is “Remember Me” checked? – The user must check this box at login
- Is the user a super admin? – Provides extended access only to trusted administrators
- What duration to apply? – Super admins get 90 days, regular users get 7 days
Important Security Considerations
Before implementing extended sessions, understand the risks:
Security Trade-offs
- Session hijacking window – Longer sessions provide more time for attackers to exploit stolen cookies
- Compromised device risk – Anyone accessing your computer gains extended administrative access
- Compliance concerns – PCI DSS and other frameworks often require session timeouts
- 2FA effectiveness – Wordfence two-factor authentication is challenged less frequently with longer sessions
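The longer a cookie lives, the more it matters that you can see and revoke the sessions behind it. The following is an added example, not part of the original post: it lists every active super admin session and logs out accounts holding sessions older than a threshold. The function names and the threshold you pass in are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post). Assumed to run from a
// must-use plugin or via WP-CLI (`wp eval-file`), with WordPress loaded.

/**
 * Return one row per active (unexpired) session held by a super admin.
 */
function example_list_super_admin_sessions() {
    $rows = [];
    foreach (get_super_admins() as $login) {   // array of user logins
        $user = get_user_by('login', $login);
        if (!$user) {
            continue;
        }
        $manager = WP_Session_Tokens::get_instance($user->ID);
        foreach ($manager->get_all() as $session) {
            $rows[] = [
                'user_id'    => $user->ID,
                'login'      => $login,
                'ip'         => $session['ip'] ?? 'unknown',
                'user_agent' => $session['ua'] ?? 'unknown',
                'started'    => (int) ($session['login'] ?? 0),
                'expires'    => (int) $session['expiration'],
            ];
        }
    }
    return $rows;
}

/**
 * Log out any super admin who holds a session older than $max_age seconds.
 * get_all() does not expose individual tokens, so the whole account is
 * logged out rather than a single session. Returns the affected user IDs.
 */
function example_revoke_stale_super_admin_sessions($max_age) {
    $revoked = [];
    foreach (example_list_super_admin_sessions() as $row) {
        $age = time() - $row['started'];
        if ($age > $max_age && !in_array($row['user_id'], $revoked, true)) {
            WP_Session_Tokens::get_instance($row['user_id'])->destroy_all();
            $revoked[] = $row['user_id'];
        }
    }
    return $revoked;
}
```

Session tokens are stored in user meta, which a multisite network shares, so `destroy_all()` ends that user's sessions on every domain at once. Review the `ip` and `user_agent` columns for entries you do not recognise before deciding on a threshold.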
Best Practices
- Use only on secure devices – Never enable extended sessions on shared or public computers
- Keep Wordfence active – Maintain Wordfence security features including 2FA, login security, and malware scanning
- Monitor login activity – Regularly review Wordfence login logs for suspicious activity
- Use strong passwords – Consider a password manager for complex credentials
- Enable IP restrictions – Limit super admin access to known IP addresses when possible
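One way to combine the IP restriction above with the extended session, shown as an added example that is not part of the original post: the 90-day lifetime is granted only when the login arrives from an allowlisted address. `EXAMPLE_TRUSTED_ADMIN_IPS` is a hypothetical constant and its addresses are documentation-range placeholders.

```php
<?php
// Added example (not from the original post). Assumed to live in a
// must-use plugin (wp-content/mu-plugins/), where add_filter() is available.

// Hypothetical allowlist; replace the placeholder addresses with your own.
const EXAMPLE_TRUSTED_ADMIN_IPS = ['192.0.2.10', '198.51.100.25'];

add_filter('auth_cookie_expiration', function ($expiration, $user_id, $remember) {
    if (!$remember) {
        return 2 * DAY_IN_SECONDS;          // standard session
    }
    if (!is_super_admin($user_id)) {
        return 7 * DAY_IN_SECONDS;          // regular users, as in the post
    }

    // REMOTE_ADDR is the connecting peer. Behind a reverse proxy or CDN it
    // is the proxy's address, so the allowlist must account for that.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!in_array($ip, EXAMPLE_TRUSTED_ADMIN_IPS, true)) {
        // Leave a trace for review and fall back to the lifetime
        // WordPress passed in instead of the extended one.
        error_log(sprintf(
            'Extended session not granted: super admin %d logged in from %s',
            $user_id,
            $ip
        ));
        return $expiration;
    }

    return 90 * DAY_IN_SECONDS;             // extended session, trusted IP only
}, 10, 3);
```

The check runs only when the cookie is issued, so a cookie granted at a trusted address remains valid elsewhere until it expires or its session is destroyed.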
Bonus: Display Session Expiration in Admin Bar
Want to know exactly when your session expires? Add this code to your theme’s functions.php file or a custom plugin to display the remaining session time in the WordPress admin bar:
```php
/**
 * Display session expiration time in admin bar
 */
add_action('admin_bar_menu', function($wp_admin_bar) {
    if (!is_user_logged_in()) {
        return;
    }
    // Get current user's session expiration
    $user_id = get_current_user_id();
    $sessions = WP_Session_Tokens::get_instance($user_id);
    $current_token = wp_get_session_token();
    $session_data = $sessions->get($current_token);
    if (!$session_data || !isset($session_data['expiration'])) {
        return;
    }
    $expiration = $session_data['expiration'];
    $time_left = $expiration - time();
    // Format time remaining
    $time_string = format_session_time_remaining($time_left);
    // Add to admin bar
    $wp_admin_bar->add_node([
        'id' => 'session_expiration',
        'title' => '<span class="ab-icon dashicons dashicons-clock"></span> Session: ' . $time_string,
        'href' => false,
        'meta' => [
            'title' => 'Session expires in ' . $time_string,
            'class' => 'session-expiration-indicator'
        ]
    ]);
}, 100);

/**
 * Format remaining time into human-readable string
 */
function format_session_time_remaining($seconds) {
    if ($seconds <= 0) {
        return 'Expired';
    }
    $days = floor($seconds / DAY_IN_SECONDS);
    $hours = floor(($seconds % DAY_IN_SECONDS) / HOUR_IN_SECONDS);
    $minutes = floor(($seconds % HOUR_IN_SECONDS) / MINUTE_IN_SECONDS);
    if ($days > 0) {
        return $days . ' day' . ($days > 1 ? 's' : '') . ' ' . $hours . 'h';
    } elseif ($hours > 0) {
        return $hours . ' hour' . ($hours > 1 ? 's' : '') . ' ' . $minutes . 'm';
    } else {
        return $minutes . ' minute' . ($minutes > 1 ? 's' : '');
    }
}

/**
 * Add custom styles for session indicator
 */
add_action('admin_head', function() {
    ?>
    <style>
        #wp-admin-bar-session_expiration .ab-icon:before {
            content: "\f469";
            top: 2px;
        }
        #wp-admin-bar-session_expiration {
            background: rgba(0, 0, 0, 0.1);
        }
        #wp-admin-bar-session_expiration:hover {
            background: rgba(0, 0, 0, 0.2);
        }
    </style>
    <?php
});
```
What This Code Does
The session expiration indicator:
- Retrieves session data – Accesses the current user’s session token and expiration time
- Calculates time remaining – Computes the difference between expiration and current time
- Formats the display – Shows “X days Xh”, “X hours Xm”, or “X minutes” depending on time left
- Adds to admin bar – Places a clock icon with remaining time in the top admin bar
- Applies styling – Adds visual distinction to make it easily noticeable
Display Examples
The indicator adapts based on time remaining:
- Long sessions: “89 days 23h”
- Medium sessions: “5 hours 32m”
- Short sessions: “45 minutes”
- Expired: “Expired”
This visual reminder helps you:
- Know when to save work before session expires
- Verify extended session settings are working
- Plan administrative tasks around session duration
- Avoid losing unsaved changes due to unexpected logouts
Limitations of This Approach
This solution doesn’t eliminate the need to log in to each domain in your multisite network. Cross-domain authentication requires:
- Sites on subdomains (e.g., site1.example.com, site2.example.com)
- Shared COOKIE_DOMAIN configuration
- Proper SSL certificate setup
For completely separate domains, extended sessions simply reduce how often you need to re-authenticate on each individual site.
Alternative Solutions
If managing multiple logins remains problematic:
- Consolidate to subdomains – Migrate to a subdomain-based multisite for shared authentication
- Use a password manager – Tools like LastPass or 1Password auto-fill credentials instantly
- Implement SSO – Consider enterprise SSO solutions for larger networks
Implementation Checklist
- [ ] Backup your wp-config.php file
- [ ] Add the session extension code before the “stop editing” comment
- [ ] Add the admin bar indicator to your theme’s functions.php
- [ ] Test login with “Remember Me” checked
- [ ] Verify extended session duration in admin bar
- [ ] Check that the countdown updates correctly
- [ ] Document the change in your security policy
- [ ] Brief team members about checking “Remember Me.”
- [ ] Monitor Wordfence logs for unusual activity
Final Thoughts
Extending WordPress session length for multisite super admins balances convenience with security. By targeting extended sessions specifically to super admin accounts and requiring the “Remember Me” checkbox, you maintain reasonable security controls while reducing authentication friction.
Always weigh the productivity gains against your specific security requirements. For high-security environments, the default WordPress behavior—though inconvenient—provides the strongest protection.

