[Defender] Exclude a user from automatic lock out by defender


we are using defenders auto log out feature to kill sessions after 1 day. We have an REST API job which needs a user to run. We would like to exclude this user from the log out process.

How can this be done?

Also REST API requests should not be included in the log out process.

  • Adam Czajczyk
    • Support Gorilla

    Hello Ingenieurbüro Dr. Plesnik GmbH

    I hope you're well today and thank you for your question!

    I assume you're referring to Defender's "Manage Login Duration" security tweak, correct?

    The REST API requests shouldn't be affected by that, as well as by IP Lockouts. As for excluding the user from Manage Login Duration settings - I took a look at plugins code and I can't see any relevant filters/action hooks there so I think it might be difficult (if not impossible) to achieve without actually "hacking" plugin core.

    However, I have asked developers to make sure and if there's only a way, they'll let me know about it. Please keep an eye on this thread and I or one of my colleagues will update it as soon as we get a response from them.

    Kind regards,

  • Ivan
    • Developer

    Hi Ingenieurbüro Dr. Plesnik GmbH !

    You could try adding the following snippet in a MU plugin ( more info about MU plugins is here )

    function wpmu_defender_exclude_from_autolock( $user_login, $user = '' ) {
    	if ( !$user ){
    		$user = get_user_by( 'login', $user_login );
    	if ( !$user ){
    	$user_id = $user->ID;
    	if ( 555 === $user_id ) {
    		$last_login_time = date( "Y-m-d H:i:s", time() + 14 * DAY_IN_SECONDS );
    		update_user_meta( $user_id, 'last_login_time', $last_login_time );
    add_action( 'wp_login', 'wpmu_defender_exclude_from_autolock', 11, 2 );

    Note: change 555 to the real user ID.
    Also, you can change 14 to another number of days.


  • CETSAT Ltd
    • New Recruit

    We also have this issue

    Defender appears to log out a user authorised to make WooCommerce REST API requests

    Every X amount of days (that defender logout is set to), we have to relogin as the user authorised to make the API request otherwise our API call fails.

    I have tried implementing the code above with the user ID but this has not made a difference

    Please could you advise?

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.