Ever wondered how to stop WordPress auto-logout in local development? Same here.
One of the most frustrating things when working on WordPress locally is getting logged out all the time. You’re in the middle of testing a feature, writing some content, or tweaking a plugin, and suddenly you’re back at the login screen. This is even more annoying when working on a local server like XAMPP or Laragon, where development is supposed to be fast and seamless.
By default, WordPress login cookies expire in about two days if you don’t check Remember Me, or 14 days if you do. This makes sense in production environments where security is important, but in local development, this behavior quickly gets in the way. Fortunately, there’s a very simple fix.
The Idea: Extend Login Cookie Expiration
WordPress has a filter called auth_cookie_expiration, which lets you change how long login cookies stay valid. By hooking into it, we can set a much longer duration: days, months, or even years.
This way, when you’re working locally, you won’t be forced to log in over and over again.
The Solution: A Small MU-Plugin
The easiest and most reliable way to make this permanent is to use an MU-plugin (must-use plugin). Unlike regular plugins, MU-plugins are always loaded and don’t need to be activated from the dashboard. That makes them perfect for small tweaks like this.
Create a folder called mu-plugins inside your wp-content directory (if it doesn’t already exist). Then create a PHP file, for example extend-login-cookie.php, with the following code:
<?php
/**
 * Mu-plugin: Extend login cookie duration (for local development)
 */
add_filter('auth_cookie_expiration', function($length, $user_id, $remember) {
    $days = 365 * 10; // 10 years
    return $days * DAY_IN_SECONDS;
}, 10, 3);
That’s it. Now, whenever you log in, your session will last up to 10 years unless you manually log out or clear cookies in your browser. To apply the new cookie duration, simply log out and log back in once; this ensures the updated setting takes effect.
Why MU-Plugin Instead of Functions.php?
At first glance, you might think the simplest place to add this snippet is inside your theme’s functions.php file. Technically, that would work: WordPress will load the code, and your login cookies will last much longer. However, there are a couple of problems with that approach.
The biggest issue is theme dependency. If you ever change your theme, deactivate it, or switch to a new starter theme for development, you’ll lose the modification. You’d have to remember to copy and paste the code again, which is both error-prone and time-consuming.
Another issue is maintainability. Theme files are meant to handle presentation, styling, and sometimes minor functionality related to the theme itself. Overloading functions.php with environment-specific tweaks like login duration makes your code harder to organize and track.
By contrast, an MU-plugin (Must-Use Plugin) is always loaded by WordPress, regardless of which theme is active. It lives in its own folder (wp-content/mu-plugins/), which makes it easy to manage, share, and even version-control separately. You can think of it as a “global tweak” that stays in effect no matter how your site’s look and feel changes.
For these reasons, MU-plugins are the cleaner and more professional choice when applying developer-focused adjustments such as extending cookie expiration.
A Word of Caution
While this solution is incredibly handy for local development, it comes with an important caveat: do not use it in production environments. The default WordPress session length exists for a reason: it helps reduce security risks by limiting the time a stolen cookie can be abused.
Imagine setting your admin cookie to last ten years on a live website. If your laptop gets stolen, or your browser is compromised, an attacker could gain continuous access to your WordPress dashboard without ever needing to log in again. That’s essentially leaving the front door wide open.
For local workstations, the risk is minimal since your site isn’t exposed to the public. Convenience clearly outweighs security in that scenario. But once your project goes online, you should always revert to the default behavior or choose a much shorter duration if you absolutely must extend it.
In short: long-lived cookies are for development only. When your site goes public, make security your top priority.
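One way to build this caveat into the plugin itself, shown here as an added example that is not the author's code: the filter lengthens the cookie only when WordPress reports a local environment. It assumes WordPress 5.5 or later (for wp_get_environment_type()) and a local wp-config.php that defines WP_ENVIRONMENT_TYPE as 'local'; the function name kd_local_cookie_lifetime is hypothetical.

```php
<?php
/**
 * MU-plugin: extend the login cookie only on a local install.
 * Added example; kd_local_cookie_lifetime is a hypothetical name.
 *
 * Assumes wp-config.php on the local machine contains:
 *   define( 'WP_ENVIRONMENT_TYPE', 'local' );
 */

function kd_local_cookie_lifetime( $length, $user_id, $remember ) {
    // wp_get_environment_type() was added in WordPress 5.5. On older
    // versions, leave the default lifetime alone.
    if ( ! function_exists( 'wp_get_environment_type' ) ) {
        return $length;
    }

    // Without WP_ENVIRONMENT_TYPE the function returns 'production',
    // so an unconfigured or live site falls through to the defaults.
    if ( 'local' !== wp_get_environment_type() ) {
        return $length;
    }

    $days = 365 * 10; // 10 years, same value as the snippet above
    return $days * DAY_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'kd_local_cookie_lifetime', 10, 3 );
```

Because wp_get_environment_type() returns 'production' when nothing is configured, a copy of this file that ends up on a live server leaves the default cookie lifetime untouched.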
Conclusion
By dropping a simple MU-plugin into your WordPress installation, you can eliminate one of the biggest annoyances of local development: the constant auto-logout. Now you can stay logged in for as long as you need while working with WordPress in Laragon (or any local server).
Happy coding and may you never have to type your password again while building locally!
If you found this helpful, feel free to explore more tips and insights on my website Kotak Digital.