I've heard that right now WP cookie harvesting and reselling on the Dark web is exploding (up to 18% of WP attacks that reach experts).
You can buy a WordPress cookie session or session token (valid for 2 weeks) and log into the WP Admin.
This hack can only happen when clients forget to click Logout on WordPress and just close the tab. If they are properly logged out, the cookie data expires and they remove the data from the database too.
Is there a way to invalidate the WP token after 5 min and reissue a new token? Or have the ability in Enhance to automatically change the WP salts every month?
How about Enhance CP panel itself? How long are session tokens valid for?
PS: resetting the salts seems to be the answer:
"Change your salts on a regular basis. What’s a regular basis?
At least once a month. For some, who are really concerned about security, once a week.
What happens when you change the salts? It immediately logs out everyone, even before the cookies are expired. You see, normal cookies in WordPress expire in 48 hours. That’s why you can go to wp-admin and not have to log in again. It’s because the authentication cookies are still active (not expired). Guess what, hackers can use these authentication cookies to log in to your WP dashboard without a password!
That’s why they’re sold on black markets like Mr. Krebs describes in his article. Because they have value."
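To make the three mechanisms discussed above concrete (cookie expiry, salt rotation, and session destruction on logout), here is an added Python model of how a WordPress auth cookie is built and validated: `login|expiration|session token|HMAC`, keyed through the auth salt the way `wp_hash()`/`wp_generate_auth_cookie()` do it. It is not code from this forum, from Enhance, or from WordPress itself; the salt value, password hash and session store are constructed stand-ins, and the 5-minute lifetime is the one the question asks about.

```python
import hashlib, hmac, os, time

# Constructed stand-in for AUTH_KEY . AUTH_SALT from wp-config.php.
SALTS = {"auth": "constructed-auth-key" + "constructed-auth-salt"}
# Constructed stand-in for the per-user 'session_tokens' usermeta:
# sha256(token) -> expiry. Logging out removes entries from here.
SESSIONS = {}

def wp_hash(data, scheme="auth"):
    # wp_hash(): HMAC-MD5 of the data, keyed with the scheme's salt.
    return hmac.new(SALTS[scheme].encode(), data.encode(), "md5").hexdigest()

def generate_auth_cookie(login, user_pass_hash, expiration, token):
    # Key is derived from login, 4 chars of the stored password hash,
    # expiry and session token; the cookie carries an HMAC-SHA256 over
    # login|expiration|token. Without the salt, the key cannot be rebuilt.
    pass_frag = user_pass_hash[8:12]
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}")
    msg = f"{login}|{expiration}|{token}".encode()
    sig = hmac.new(key.encode(), msg, "sha256").hexdigest()
    return f"{login}|{expiration}|{token}|{sig}"

def validate_auth_cookie(cookie, user_pass_hash, now=None):
    # Reject if expired, if the signature does not match (tampered or
    # salts rotated), or if the session token was destroyed (logout).
    now = time.time() if now is None else now
    try:
        login, expiration, token, _sig = cookie.split("|")
    except ValueError:
        return False
    if int(expiration) < now:
        return False
    expected = generate_auth_cookie(login, user_pass_hash, expiration, token)
    if not hmac.compare_digest(expected, cookie):
        return False
    tok_hash = hashlib.sha256(token.encode()).hexdigest()
    return SESSIONS.get(tok_hash, 0) > now

def login(login_name, user_pass_hash, lifetime, now):
    # lifetime is what the 'auth_cookie_expiration' filter controls.
    token = os.urandom(21).hex()
    expiration = int(now + lifetime)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = expiration
    return generate_auth_cookie(login_name, user_pass_hash, expiration, token)

def logout_all():
    SESSIONS.clear()  # effect of destroying every user's session tokens

def rotate_salts():
    SALTS["auth"] = os.urandom(32).hex()  # new salts in wp-config.php
```

Each of the three defences makes a previously stolen cookie fail validation: a short lifetime bounds how long it is useful, rotating the salts breaks every outstanding signature at once, and clearing the session store is what a real Logout does for that user.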