Web, Programming, Usability, etc.
The WordPress Password Plugin
MAJOR Update, May 11, 2010:
I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.
I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future wordpress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes it’s security of all other things WP. I just don’t want to do that to you.
Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it: http://www.javascriptkit.com/howto/htaccess3.shtml
If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.
NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.
The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!
It took me a couple days to perfect, but here’s my second WordPress plugin.
Download the WordPress Password plugin (version 0.4.7): 9kb
When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.
More about how it works:
- When the plugin is inactive, or active but a password has not been set, no password is required.
- The password gets reset automatically when the plugin is activated.
- Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
- When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass
- If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
- If you close your browser and come back, you have to re-login
Forgot Your Password?
- FTP into your plugins/wp-password folder
- Delete wp-password.php
- Log in to your wp admin, view the plugins page
(notice WordPress Password is missing now) - Re-upload wp-password.php
- Re-activate the WordPress Password plugin.
Activating it resets the password. - Visit Options|Wordpress Password and set a new password.
Version History
- 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
- Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
- Fixed the case where the site was on “/” and previous versions would strip”/” from the url to check and break (that was a rather stupid bug, no?)
- 0.4 2008-01-09 – Fixed use for sites not on port 80
- Changed redirection code from header to javascript
- Fixed use for sites aliasing the blog directory
- 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
- Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
e.g. http://mysite.com/myWPpage/?wp-password-logout=true
The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can created as: <a href=”?wp-password-logout=true”>>Log out</a> - Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
- Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
- 0.2 2007-02-02 – Bug Fixes.
- Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
- Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
- Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
- Added checking for the ‘www.’ or ” prefix before a domain name (i.e. http://www.broome.us vs http://broome.us).
- 0.1 2007-01-31 – Initial (public) release.
If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below 
| Print article | This entry was posted by JB on 1/31/2007 at 6:42 pm, and is filed under Code, web. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site. |
- Weblog Tools Collection » Blog Archive » WordPress Theme Releases for 2/01
- Weblog Tools Collection » Blog Archive » WordPress Plugin Releases for 2/01
- Plugin: Add Password Security Easily | Wordpress Tutorials And Blogging Tips
- Skylog » Blog Archive » links for 2007-02-02
- WordPress Plugin Releases for 2/01
- Hacks, Information, and More » WordPress Plugin Releases for 2/01
- links for 2007-02-02 en newdisco
- Wordpress Plugins Themes Download » Blog Archive » The Wordpress Password Plugin
- WordPess Plugins for March 25, 2007 « designcreatology
- WP Plugins March 25, 2007 « Blogtology
- queen-of-kaos.com » Wordpress tools and resource sites
- Undr! » Blog Archive » Kom nu, første gang er gratis…
- Brainspill » Planning v0.5 of the Wordpress Password Plugin
- Cregy Web Development » CRM
- Going somewhere? | Lilalillulu.com
- Adam Crowe – links for 2007-09-22
- Cregy Net » Blog Archive » CRM – Stage One – An Introduction
- ä¸ºä½ çš„WordPresså¢žåŠ è®¿é—®å¯†ç | Smartr.cn
- » Enlaces en Diigo 04/21/2008 | DigiZen: Un blogfesor aprendiendo
- Cregy Web Development » CRM – Stage One – An Introduction
- Using WordPress to Make a Secure Twitter for Business – Adam McFarland
- CRM – Stage One – An Introduction
- WP e-Commerceã¨å…±å˜ã•ã›ãŸã„プラグイン — GOGOショプ
- Take your Wordpress blog offline with this Maintenance Page Plug-in – Adwords articles
- WP e-Commerceã¨å…±å˜ã•ã›ãŸã„プラグイン : GOGOショップ
- Password Protecting Wordpress Subdirectories using .htaccess | ghosttree
- Using WordPress to share videos privately « Sarah Tebo, web designer
about 1 year ago
work very well. but can i set different password for every member?
about 1 year ago
your password protection plugin is pretty cool …it works. Amazing that one would think that something like this would be easy and available freely … but its next to impossibe to find something like that.
one suggestion: It would be cool if i could send a link to someone I wanted to come and see my blog with the password embedded in the link…
about 1 year ago
Do you have a version or plan on making a version that works with WP 2.7.1
about 1 year ago
Thanks so much for the plugin. It’s exactly what I needed for a client project, and I didn’t want to have to mess with htaccess.
about 1 year ago
Great plugin. Would be better with a little CSS that users can edit to match the blogs’ main colors…
about 1 year ago
Thank you very much!! This plugin is just what I have been looking all over the internet for and it works perfectly, even with the newest version of wordpress (2.7.1.).
about 1 year ago
Hi
I’m running a test blog using WP 2.7.1.
WP Password version 0.4.7 loaded successfully.
I’ve set the password and excluded the relevent urls.
When I log out and try to access the site nothing happens.
I can access all the urls that I’ve password protected with WP Password version 0.4.7.
I want to prevent people accessing a particular category and several sub-categories on my site.
Can anyone help me get this plugin to work?
Many thanks in antcipation of your help.
Kind Regards
PatD
about 1 year ago
Hi PatD. The plugin creates a session cookie in your browser that may still be hanging around. Try closing all instances of your browser then re-opening one to see if it’s really working.
about 1 year ago
thank you for such an awesome plugin…
but, when we select an included page from the menu, the password screen arrives, then redirects us back to the index page. But now the session variable is set and the user is allowed into the “included” content area. any help would be greatly appreciated.
about 1 year ago
Thank you SO MUCH !
I’ve been looking for something like this for ages, I had so much trouble understanding htaccess (never managed to make it work).
Good job !
about 1 year ago
Antony — thanks for that quick and dirty fix! Totally worked. (Using wp 2.7.1 with the (awesome) atahualpa theme.)
about 1 year ago
When I use the plugin, I want visitors to land on a certain page on my site, but it just goes to domain.com/login.php
How can I change that so it goes to a content page and not the error page that says, “Sorry, no posts matched your criteria,” ?
about 1 year ago
Plugin works great for posts, but i seem to be having some problems
using WP 2.7.1′s function for media. It crunches the image in question
and then it wants a password again. I enter password and i get “are you sure you want to do this” and a “please try again” if pressing that, it loops.
what am I missing?
about 1 year ago
I’m hoping your plugin will work for what I need. I want to protect the downloaded files on the site. I loaded your plugin and chose include for the list mode and then just put /wp-content/uploads* for the URL matching hoping this would require the password to access any of the pdfs we have on the site. No such luck – everything opens without a password. Any suggestions? Thanks!
about 1 year ago
Sorry Beth, that’s not going to be something this plugin can do… This plugin only affects WordPress pages. A PDF (or .doc, or .gif, etc) in a WordPress directory will be unaffected.
I think what you’re looking for is .htaccess You can get similar functionality as far as protection goes, and it can affect all files. The tradeoff is that it’s a bit harder to manage. Check out this site for more information: http://www.widexl.com/tutorials/htaccess.html
about 1 year ago
So I’ve installed this plugin. The idea is brilliant… however I’m having trouble with it redirecting to the root from where the original blog is installed.
I don’t have an alias redirect going on, so I’m wondering if it’s the plugin that’s redirecting or if it’s the way that Network Solutions is handling the redirects. VERY curious if anyone else (including the author) has encountered this issue.
about 1 year ago
Hi Collin,
You can use the debug parameter (documented somewhere in this thread, or the readme…) to watch what happens and see if it’s the plugin forcing the redirect. Instead of actually redirecting, it’ll just tell you that it intends to. That might help track down the source of the problem.
about 1 year ago
For some reason, my login page lost its styles. It is referencing the most recent version of wp-admin.css in the wp-admin folder, however only parts of the page are getting the styles. Was there something with the upgrade to WP 2.8 and the plugin that would cause this to happen? Any advice would be appreciated.
about 1 year ago
PROBLEM ABOVE SOLVED
The blog was upgraded to 2.8 from a very old version of WP, so styles/images were no longer existing. I grabed the css and images from an old version of WP and just referenced them in the plugin files. All is working fine now.
about 1 year ago
I first tried the 0.4 release on the WP plugins page. I use WP 2.8.1. But it didn’t work.
Then I went to this plugin homepage and used the latest version 0.4.7 and now it works.
2 suggestions:
-please update the WP plugin page with this new version
-the login page is not in the same “style” as WP2.8 I think it has to do with the fact you copied and modified the original wp-login.php of an old WP version. This way of working is not very future proof. You should try to keep your modifications seperate from the original file.
Just my 2 cents
about 1 year ago
I modified your plugin so password will be checked case-insensitive. Maybe you could add it and add an extra option if you want this or not.
Can someone confirm that WP password plugin works including the original look and feel of the login page with WP 2.8.1
I uploaded the login page shown when using WP password plugin and when deactivited (standard/original login):
http://i29.tinypic.com/2z4ycky.png
http://i29.tinypic.com/261l1xk.png
It’s possible to use this plugin with “BM custom login” so I can change the logo etc…
about 1 year ago
Jan, how did you make it case-insensitive?
I too would love to see more option in a control panel kinda way about changing the look and feel of the password prompt.
about 1 year ago
I am getting the following when I go to a page that meets the password protection string:
The server encountered an unexpected condition which prevented it from fulfilling the request.
The script had an error or it did not produce any output. If there was an error, you should be able to see it in the error log.
about 12 months ago
I am getting this error, running the latest version of WordPress. I would really love to use your plugin, it’s exactly what I need. Any suggestions on how to fix this?
Fatal error: Call to undefined function load_plugin_textdomain() in /home/content/82/4746082/html/wp-content/plugins/wp-password/wp-password.php on line 28
about 12 months ago
The same error occurs on 0.6 of this plugin.
about 12 months ago
fixed that. now my problem is that it doesn’t redirect to the page requested after login
about 11 months ago
Hi,
I am about to set up a blog (using WordPress hopefully) and would like to give different users (clients of mine) access to different areas of the blog. I would like to give each client a username & password to enable this to happen. Is this possible and, if so, is there an idiot’s guide to getting this set up?
I have a hosted domain name and presume I’d have to go with the premium version of WordPress. Am I correct?
Thanks,
Graham
about 11 months ago
Does anyone know how to alter this code so that I can input multiple passwords that would work? That way I can ask a few questions, allow for misspellings, not worry about case-sensitivity, etc?)
Thank you!
about 11 months ago
I have been looking for this, thanks for share.
It’s working on me
about 11 months ago
Using WP 2.8.4 and having the same issue where it won’t redirect after login. Is there a fix??
about 11 months ago
@jana – just today I put out version 0.6.1 (it got a shiny new post and everything) to fix that problem.
about 11 months ago
Hi JB,
By the looks of it your plug in is just what I need. I don’t want to mess with users, just need one password to protect some pages for my members’ area.
I have downloaded and activated the plugin, I tried a basic password, and “includes” as I have only a few pages to include at this stage.
I included the file /member_area.php and then saved password options, and noting seems to be happening at all.
I don’t think I’ve missed anything, can you shed any light?
Much appreciated.
about 11 months ago
@Belinda,
The WP Password plugin only works on pages powered by WP. If member_area.php isn’t using the WP function the_content() to display the page, this plugin won’t help at all. Hope that clears up why it’s not doing anything.
about 10 months ago
Thanks, this works a treat and is something I’ve been looking around for for ages.
about 10 months ago
Thank you for the great program!
For some reason after I installed the plug-in, I cannot access my site or my wordpress admin login. I get this message:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, support@supportwebsite.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Any help would be appreciated!
about 10 months ago
@Jason: If you installed this and then started getting errors…er, that’s not a great program.
What version of WordPress are you running?
about 9 months ago
Any chance the plug-in can be upgraded to the most current version of WP?
about 8 months ago
this plug-in is awesome,
however…
I am constructing a site for a group that needs to be able to “log-out” once finished with the blog as majority of the editing will be done on public computers at a university. I want to prevent someone else going onto a computer in which the site was previously logged into and thus being able to access it without having to know the password. Any ideas for a “log-out” link to place in the blog??
about 8 months ago
Wanting to not allow access to (pages/posts) regardless of how someone arrives, directly or via RSS. I seem to be able to bypass the password screen via an RSS feed. Also there was a rule by default that was there when installed. It was accidentally changed and I can’t get it back, even by de-installing/re-installing it remembers the new modification. Please advise.
about 8 months ago
@Andy, not aware of any problems with this and the current version of WP. Got something particular in mind?
about 8 months ago
@Josh, There are instructions in here somewhere for creating a log-out link. I know I left them in one of these posts.
about 8 months ago
@Jeff: RSS is definitely a problem. Someday when I’m so independently wealthy I don’t have to work for a living, I’m going to rewrite this plugin to take better advantage of WP’s existing code that comes close to the ability to do this… but doesn’t go all the way (for security reasons, I’m sure).
The default rule should’ve been to exclude wp-admin in urls, so your access to the admin pages of WP isn’t hampered.
about 8 months ago
Where can I download the newest version with css fixes? Thanks for sharing this plug in with us.
about 6 months ago
Dude I’m freaking out here… used your plugin and now I can’t access my page… it doesn’t ask me for the password I gave it, my website won’t load at all and neither will my admin login page. Please contact me ASAP. Thank you!!!!!!!!!!
FYI… when I visit anything i get this URL and then nothing loads!??! http://runcosweeklymusic.com/wp-content/plugins/wp-password/login.php?err=&destination=/wp-login.php
about 5 months ago
Hello,
I installed the plugin, activated it, and went to the configuration page where I entered a password. I tried to open my website, and it stalls. The status bar reads “connecting” and “waiting” back and forth continuously, and it never reaches any page or displays any error. I can’t access my dashboard or the FTP folders at this point either. Any suggestions?
Thank you,
Lisa
about 5 months ago
I installed the plugin. now a big disaster. I cannot log into my blog at all. i cannot deinstall the plugin. everytime it loads the page http://orgud.com/wp-content/plugins/wp-password/login.php?err=&destination=/wp-login.php
At the end a 500 error occurs. please, please help me to be able to log into my blog.
thanks unnikuttan
about 5 months ago
Hi. I have to report a problem: as soon as I activate the “WordPress Password” plugin, my flash-image upload stops working. My wp version is 2.9.2. Do you have a hint for me, so that I can make it work?
Thanks, alex
about 5 months ago
HELP ME
I just locked out the blog.
I was setting up the plug in , then made changes to it,
after I read your page here,
so I wouldn’t exclude the wp-admin pages.
it saved the changes.
now even though I have changed the plug in, the site can’t be reached. I can’t get any page, other than the ones I was at before I messed w/ this plug in.
All attempts to do anything at all,send the browser into a seek mode, never finding the extremely long URLS the plug in has made.
In essence I have blocked my Client’s blog!
please send help ASAP,
thanks K
about 3 months ago
Had the same probs as some of the above – total lock out. Not even sure how to begin to fix this. This plugin should be made unavailable if support has ended and it’s not compatible with latest WP versions!
about 3 months ago
I entirely agree. But I could find NO info from wordpress.org about how to do that. Frustrated.