MAJOR Update, May 11, 2010:

I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.

I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future wordpress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes it’s security of all other things WP. I just don’t want to do that to you.

Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it: http://www.javascriptkit.com/howto/htaccess3.shtml

If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.


NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.


The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!



It took me a couple days to perfect, but here’s my second WordPress plugin.


Download the WordPress Password plugin (version 0.4.7): 9kb


When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.


More about how it works:

  • When the plugin is inactive, or active but a password has not been set, no password is required.
  • The password gets reset automatically when the plugin is activated.
  • Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
  • When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass
  • If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
  • If you close your browser and come back, you have to re-login


Forgot Your Password?

  1. FTP into your plugins/wp-password folder
  2. Delete wp-password.php
  3. Log in to your wp admin, view the plugins page
    (notice WordPress Password is missing now)
  4. Re-upload wp-password.php
  5. Re-activate the WordPress Password plugin.
    Activating it resets the password.
  6. Visit Options|Wordpress Password and set a new password.



Version History

  • 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
    • Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
    • Fixed the case where the site was on “/” and previous versions would strip”/” from the url to check and break (that was a rather stupid bug, no?)
  • 0.4 2008-01-09 – Fixed use for sites not on port 80
    • Changed redirection code from header to javascript
    • Fixed use for sites aliasing the blog directory
  • 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
    • Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
      e.g. http://mysite.com/myWPpage/?wp-password-logout=true
      The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can created as: <a href=”?wp-password-logout=true”>>Log out</a>
    • Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
  • 0.2 2007-02-02 – Bug Fixes.
    • Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
    • Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
    • Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
    • Added checking for the ‘www.’ or ” prefix before a domain name (i.e. http://www.broome.us vs http://broome.us).
  • 0.1 2007-01-31 – Initial (public) release.


If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below :)