Skip to content

Login as User

Login as User lets a trusted administrator view the site exactly as another user would - useful for support tickets, permission checks, and QA - then return to their own account in one click. Sessions are time-limited, recorded in an audit log, and blocked for administrators and other privileged accounts.

  • Adds a “Login as” action on the Users list for eligible target users.
  • Starts a timed impersonation session so you see the front end and admin (where that user can access it) as they would.
  • Shows switch-back controls in the admin bar and as a banner in admin and on the front end.
  • Ends the session automatically when the time limit expires, on logout, or when you switch back.
  • Keeps a short audit trail of start, switch-back, expiry, logout, and related events (with IP).
  • Blocks impersonation of administrators, multisite super admins, and users who have any capability listed under Blocked target capabilities.
  • Bypasses 2FA only for the impersonation AJAX action so starting a session does not require a second challenge; normal logins are unchanged.
  • You support customers or members and need to reproduce what they see.
  • You test role capabilities, memberships, or WooCommerce account screens.
  • You want time-limited, audited impersonation instead of sharing passwords.

Open the module’s advanced settings (gear icon). An active WP PowerSuite license is required.

  • Session time limit (minutes) (session_duration_minutes, default 60, range 5-1440) - maximum duration before you are switched back automatically.
  • Audit log retention (entries) (audit_max_entries, default 100, range 10-500) - how many recent impersonation events to keep.
  • Blocked target capabilities (blocked_target_capabilities, default manage_options, manage_network, edit_users) - one capability per line. Users with any listed capability cannot be impersonated (in addition to the hard block on administrators and super admins).

The settings panel also shows a Recent impersonation audit log (time, event, administrator, target user, IP).

  1. In WordPress admin, go to WP PowerSuite -> Modules.
  2. Filter by Login & Users or search for “Login as User”.
  3. Turn the module’s toggle on.
  4. Open advanced settings, set the session limit and blocked capabilities, then save.
  1. Go to Users -> All Users.
  2. On a non-administrator row, open the row actions and click Login as.
  3. Confirm you are viewing the site as that user (admin bar / banner).
  4. Click Switch back when finished (or wait for the session to expire).
  • Impersonate a subscriber or customer from the Users list. ✅ Working: you land as that user and see Switch back.
  • ❌ Not working: no row action - confirm the module is on, your license is active, and the target is not an administrator / blocked capability.

Try an administrator - the action should be unavailable or refused. Wait past the session limit (or set a short limit for the test) and confirm you are switched back. Check the audit log in advanced settings for start / switch-back events.

  • “Login as” is missing. Confirm the module is enabled, your license is active, and you have the operator capability (typically manage_options).
  • Cannot log in as a specific user. They may be an administrator, a multisite super admin, or hold a blocked capability.
  • Session ends too soon. Raise Session time limit; the maximum is 1440 minutes (24 hours).
  • 2FA prompts during impersonation. Only the impersonation AJAX action is allowed to bypass 2FA; other login paths still enforce it.
Can I log in as an administrator?

No. Administrators, multisite super admins, and users with blocked capabilities (manage_options, manage_network, and edit_users by default) cannot be impersonated.

How do I switch back to my own account?

Use Switch back in the admin bar or the switch-back banner on the front end and in wp-admin. Sessions also end automatically when the time limit expires or you log out.

Does Login as User bypass two-factor authentication?

Only for the impersonation AJAX action itself, so a trusted administrator can start the session without a second 2FA challenge. Normal password logins are unchanged.

How long does an impersonation session last?

By default, 60 minutes (configurable from 5 to 1440). When the limit is reached, you are switched back to your original account automatically.

Developer notes (hooks & filters)

Source: modules/login-as-user/module.php, modules/login-as-user/admin.php. Boots on the critical tier. Requires an active license. Context: admin, frontend, cron, ajax.

Session storage: signed cookie wpps_login_as plus user meta _wpps_original_user / _wpps_login_as_time. Hourly cron wpps_login_as_cleanup_sessions cleans expired sessions.

Audit: option wp_powersuite_login_as_audit. Action wp_powersuite_login_as_event fires on recorded events.

AJAX: wp_powersuite_login_as_user, wp_powersuite_switch_back_user.

Filters:

  • wp_powersuite_login_as_operator_capability - who may start impersonation.
  • wp_powersuite_login_as_blocked_target_caps - extra blocked capabilities.
  • wp_powersuite_login_as_admin_redirect_caps - caps that land the target in wp-admin after switch.
  • wp_powersuite_login_as_record_audit - return false to skip audit rows.
  • wpps_2fa_allow_bypass - module allows bypass only for the wp_powersuite_login_as_user AJAX action when the operator is allowed.

Hard blocks: role administrator, and is_super_admin() on multisite.