Login as User
Login as User lets a trusted administrator view the site exactly as another user would - useful for support tickets, permission checks, and QA - then return to their own account in one click. Sessions are time-limited, recorded in an audit log, and blocked for administrators and other privileged accounts.
What it does
Section titled “What it does”- Adds a “Login as” action on the Users list for eligible target users.
- Starts a timed impersonation session so you see the front end and admin (where that user can access it) as they would.
- Shows switch-back controls in the admin bar and as a banner in admin and on the front end.
- Ends the session automatically when the time limit expires, on logout, or when you switch back.
- Keeps a short audit trail of start, switch-back, expiry, logout, and related events (with IP).
- Blocks impersonation of administrators, multisite super admins, and users who have any capability listed under Blocked target capabilities.
- Bypasses 2FA only for the impersonation AJAX action so starting a session does not require a second challenge; normal logins are unchanged.
When to use it
Section titled “When to use it”- You support customers or members and need to reproduce what they see.
- You test role capabilities, memberships, or WooCommerce account screens.
- You want time-limited, audited impersonation instead of sharing passwords.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”Open the module’s advanced settings (gear icon). An active WP PowerSuite license is required.
- Session time limit (minutes) (
session_duration_minutes, default 60, range 5-1440) - maximum duration before you are switched back automatically. - Audit log retention (entries) (
audit_max_entries, default 100, range 10-500) - how many recent impersonation events to keep. - Blocked target capabilities (
blocked_target_capabilities, defaultmanage_options,manage_network,edit_users) - one capability per line. Users with any listed capability cannot be impersonated (in addition to the hard block on administrators and super admins).
The settings panel also shows a Recent impersonation audit log (time, event, administrator, target user, IP).
How to enable it
Section titled “How to enable it”- In WordPress admin, go to WP PowerSuite -> Modules.
- Filter by Login & Users or search for “Login as User”.
- Turn the module’s toggle on.
- Open advanced settings, set the session limit and blocked capabilities, then save.
How to use it
Section titled “How to use it”- Go to Users -> All Users.
- On a non-administrator row, open the row actions and click Login as.
- Confirm you are viewing the site as that user (admin bar / banner).
- Click Switch back when finished (or wait for the session to expire).
How to test it
Section titled “How to test it”- Impersonate a subscriber or customer from the Users list. ✅ Working: you land as that user and see Switch back.
- ❌ Not working: no row action - confirm the module is on, your license is active, and the target is not an administrator / blocked capability.
Try an administrator - the action should be unavailable or refused. Wait past the session limit (or set a short limit for the test) and confirm you are switched back. Check the audit log in advanced settings for start / switch-back events.
Troubleshooting
Section titled “Troubleshooting”- “Login as” is missing. Confirm the module is enabled, your license is active, and you have the operator capability (typically
manage_options). - Cannot log in as a specific user. They may be an administrator, a multisite super admin, or hold a blocked capability.
- Session ends too soon. Raise Session time limit; the maximum is 1440 minutes (24 hours).
- 2FA prompts during impersonation. Only the impersonation AJAX action is allowed to bypass 2FA; other login paths still enforce it.
Can I log in as an administrator?
No. Administrators, multisite super admins, and users with blocked capabilities (manage_options, manage_network, and edit_users by default) cannot be impersonated.
How do I switch back to my own account?
Use Switch back in the admin bar or the switch-back banner on the front end and in wp-admin. Sessions also end automatically when the time limit expires or you log out.
Does Login as User bypass two-factor authentication?
Only for the impersonation AJAX action itself, so a trusted administrator can start the session without a second 2FA challenge. Normal password logins are unchanged.
How long does an impersonation session last?
By default, 60 minutes (configurable from 5 to 1440). When the limit is reached, you are switched back to your original account automatically.
Developer notes (hooks & filters)
Source: modules/login-as-user/module.php, modules/login-as-user/admin.php. Boots on the critical tier. Requires an active license. Context: admin, frontend, cron, ajax.
Session storage: signed cookie wpps_login_as plus user meta _wpps_original_user / _wpps_login_as_time. Hourly cron wpps_login_as_cleanup_sessions cleans expired sessions.
Audit: option wp_powersuite_login_as_audit. Action wp_powersuite_login_as_event fires on recorded events.
AJAX: wp_powersuite_login_as_user, wp_powersuite_switch_back_user.
Filters:
wp_powersuite_login_as_operator_capability- who may start impersonation.wp_powersuite_login_as_blocked_target_caps- extra blocked capabilities.wp_powersuite_login_as_admin_redirect_caps- caps that land the target in wp-admin after switch.wp_powersuite_login_as_record_audit- returnfalseto skip audit rows.wpps_2fa_allow_bypass- module allows bypass only for thewp_powersuite_login_as_userAJAX action when the operator is allowed.
Hard blocks: role administrator, and is_super_admin() on multisite.