Web, Programming, Usability, etc.
The WordPress Password Plugin
MAJOR Update, May 11, 2010:
I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.
I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future WordPress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes the security of all other things WP. I just don’t want to do that to you.
Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it: http://www.javascriptkit.com/howto/htaccess3.shtml
If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.
NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.
The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!
It took me a couple days to perfect, but here’s my second WordPress plugin.
Download the WordPress Password plugin (version 0.4.7): 9kb
When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.
More about how it works:
- When the plugin is inactive, or active but a password has not been set, no password is required.
- The password gets reset automatically when the plugin is activated.
- Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
- When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass.
- If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
- If you close your browser and come back, you have to re-login
Forgot Your Password?
- FTP into your plugins/wp-password folder
- Delete wp-password.php
- Log in to your wp admin, view the plugins page (notice WordPress Password is missing now)
- Re-upload wp-password.php
- Re-activate the WordPress Password plugin. Activating it resets the password.
- Visit Options|WordPress Password and set a new password.
Version History
- 0.4.7 2008-01-25
  - Fixed a bug introduced in 0.4
  - Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
  - Fixed the case where the site was on “/” and previous versions would strip “/” from the url to check and break (that was a rather stupid bug, no?)
- 0.4 2008-01-09
  - Fixed use for sites not on port 80
  - Changed redirection code from header to javascript
  - Fixed use for sites aliasing the blog directory
- 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
  - Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true, e.g. http://mysite.com/myWPpage/?wp-password-logout=true. The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can be created as: <a href="?wp-password-logout=true">Log out</a>
  - Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
- 0.2 2007-02-02 – Bug Fixes.
  - Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
  - Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
  - Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
  - Added checking for the ‘www.’ or ‘’ prefix before a domain name (i.e. http://www.broome.us vs http://broome.us).
- 0.1 2007-01-31 – Initial (public) release.
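The two 0.2 fixes in the history above (anchoring patterns to the beginning of the URL and escaping regex characters), together with the 0.3 Exclude/Include modes, shown as an added example. This is not the plugin's own code: the function names, the translation of `*` into a wildcard, and the sample patterns and request URLs are assumptions constructed for illustration.

```php
<?php
// Added illustration: function names, patterns and request URLs are
// constructed here and are not taken from the plugin's source.

// Matching as the 0.2 changelog describes the earlier behaviour: "*" becomes
// ".*", nothing else is escaped, and the pattern may match anywhere in the URL.
function wpp_match_loose(string $pattern, string $uri): bool
{
    $regex = '#' . str_replace('*', '.*', $pattern) . '#i';
    return preg_match($regex, $uri) === 1;
}

// Matching after the two fixes: every regex metacharacter is escaped, only
// the escaped "*" is turned back into a wildcard, and "^" pins the pattern
// to the beginning of the request URL.
function wpp_match_anchored(string $pattern, string $uri): bool
{
    $quoted = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $quoted . '#i', $uri) === 1;
}

// Exclude mode: a matching URL is public. Include mode: only a matching URL
// is protected.
function wpp_requires_password(string $uri, array $patterns, string $mode, callable $match): bool
{
    $hit = false;
    foreach ($patterns as $pattern) {
        if ($match($pattern, $uri)) {
            $hit = true;
            break;
        }
    }
    return $mode === 'include' ? $hit : !$hit;
}

// Constructed exclusion list and request URLs.
$exclusions = ['/wp-login.php', '/?feed*'];
$requests = [
    '/?feed=rss2',                               // excluded feed URL
    '/2007/02/family-photos/',                   // protected post
    '/2007/02/family-photos/?ref=/wp-login.php', // excluded URL inside the query string
    '/wp-loginXphp',                             // differs from the exclusion where "." is
];

printf("%-45s %-8s %s\n", 'request (exclude mode)', 'loose', 'anchored');
foreach ($requests as $uri) {
    $loose = wpp_requires_password($uri, $exclusions, 'exclude', 'wpp_match_loose');
    $fixed = wpp_requires_password($uri, $exclusions, 'exclude', 'wpp_match_anchored');
    printf("%-45s %-8s %s\n", $uri, $loose ? 'login' : 'open', $fixed ? 'login' : 'open');
}

// Include mode with a single protected page: the "?" in the pattern has to be
// matched literally for the page to be recognised.
$protected = wpp_requires_password('/?page_id=57', ['/?page_id=57'], 'include', 'wpp_match_anchored');
printf("%-45s %s\n", '/?page_id=57 (include mode, anchored)', $protected ? 'login' : 'open');
```

A pattern that begins with `*` (such as `*/feed/*`) can still match anywhere in the URL even when anchored, so exclusions are tightest when written from the leading `/`.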
If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below
This entry was posted by JB on 1/31/2007 at 6:42 pm, and is filed under Code, web.
about 5 years ago
Very nice! I was trying to set up a private blog for some co-workers on our IIS server and neither http basic authentication nor the “registered only” plugin were working out too well, but this plugin looks like it’ll meet our needs nicely.
On line 169, I did have to add “php” after the question mark before the echo statement, but otherwise it seems to be working pretty well.
Do you know which urls should be added to the exempt list so that aggregators can get at the feeds?
about 5 years ago
Thanks for the feedback. I’ve fixed the .zip to contain the fix for my missing “php” (whoops).
Guessing without testing — I’ll create a demo blog later today so I can verify this — I’d add */feed/* to the exclusion list to allow feeds. (Seems contrary to the idea of password protecting your blog’s content though, to allow the feeds to read it.)
Let me know if that works, or wait till I get a break from work to create a demo blog for testing that feed exclusion – I’ll update later with confirmation or correction.
about 5 years ago
JB-
Thanks for writing such a useful and helpful plugin! I have downloaded and just tested it. Looks great, however, I have run into a problem. After I log in using the correct password it redirects me to a blank page with this in the address bar “http://mydomainnamehere.net/blog/wp-content/plugins/wp-password/login.php”
If I type in my domain name again it lets me in. I use Cutline theme with WordPress 2.1. Any ideas?
Thanks!
By the way this is just the plugin I have been looking for! I am willing to tweak things to get it to work.
about 5 years ago
JB -
Adding */feed/* to the exclusion list took care of my feed problem. I also added the following –
/wp-atom.php
/wp-commentsrss2.php
/wp-rdf.php
/wp-rss2.php
/wp-rss.php
/?feed=rss
/?feed=rss2
/?feed=atom
/?feed=rdf
– though that might have been overkill. Thanks again for the great plugin!
(I agree, BTW, that password-protecting the content but not the feed seems contrary, but my co-workers really like their feed aggregators, so I compromised and hacked the feed files — wp-rss2.php, etc. — so that they generate just the blog title and never the article content. My co-workers still have to follow the link to read the article, but at least they’re notified when something new’s been posted.)
about 5 years ago
@Mark –
I think I fixed the problem with the bad redirect. Also fixed a few other issues… Check the version history above.
@Dean –
To exclude feeds, you can add /?feed* as an exclusion. I included that example in the new version’s Options page.
By way of those fixes, I’m releasing version 0.2
The Quality Assurance Department that approved version 0.1 has been sacked. Brainspill LLC regrets any inconvenience their shoddy work may have caused, and remind you we are held indemnable by the terms of use for our products.
Please continue to post comments and complaints, and our Customer Service Department will respond as quickly as a fix or pathetic excuse is devised by our Legal Department.
about 5 years ago
JB-
What you did fixed my issue. Thanks so much! This plugin is great. Much appreciated.
- Mark
about 5 years ago
downloaded the plugin from this page about 4 hours ago… just installed it… set a password (so far so good)… got this:
Fatal error: Call to undefined function: language_attributes() in /home/content/s/m/a/smackcell/html/wordpress/wp-content/plugins/wp-password/login.php on line 30
(both Safari and Firefox, using a Mac Sys 10 and Fetch to FTP... site is hosted at Godaddy)
about 5 years ago
(see post 12) …so I trashed the folder that I had FTP’d to the plugin directory, and downloaded version 0.2. Then I FTPd the directory, etc
this time I got the same Fatal Error as soon as I went to my blog URL… did not even activate the plug-in or choose a password…
???
about 5 years ago
Steve, what version of WP are you running?
The code your site is complaining about was copied directly from WP 2.1’s wp-login.php page (I was too lazy to write my own login.php page, so I copied & changed WP’s).
That is to say, that function call isn’t original to my code… but if you’re running a version of WP earlier than WP 2.1 (or 2.0?) the function might not be available for you. I did not test this plugin with a version of WP earlier than 2.1
about 5 years ago
aha
this is what i got from godaddy a few months ago… (i asked them to install it via Metropolis, I think)… not sure how to go about reinstalling it… or upgrading… but need this feature
about 5 years ago
oops there was a meta tag that got lost…
meta name="generator" content="WordPress 2.0.4"
about 5 years ago
Steve-
Head on over to http://wordpress.org/download/ and download your copy of WordPress. They have helpful detailed instructions on the site as well. That’s how I did it, very helpful.
Regards,
Mark
about 5 years ago
Well OK… not sure I have the courage to do this, mainly because of the database stuff. I’m gonna assume that, since I have an older version of WordPress running at Godaddy right now, I must already have a working database. Can I just skip over the database stuff in the install instructions? I’d like to keep the posts and files that I have already uploaded, but this is not absolutely necessary. I guess I should “empty out” the old database (and or back it up) before installing the new version. Does that sound right?
If it’s best, I’m willing to do a clean install, and start from scratch. Any advice would be appreciated. I know you’re not in the software support business, but I am not confident that I can get anyone at Godaddy to help me.
about 5 years ago
Steve, you need to check out the WordPress upgrade instructions – NOT the installation instructions. See this link: http://codex.wordpress.org/Upgrading_WordPress
Your database should and will remain unaffected by an upgrade – just make sure you follow the steps above (especially the one about backing up your database to be safe, and deactivating all your plugins prior to the upgrade).
Since you won’t need to overwrite your wp-config.php file and the wp-content-folder, your themes and plugins will still be there.
about 4 years ago
So this Plugin will not work on WP 2.0?
about 4 years ago
I didn’t knowingly use any feature exclusive to 2.1. That said, I also didn’t test on 2.0, so it might… might not.
about 4 years ago
I upgraded to 2.1 as you guys advised. It was not very difficult. The plug-in works fine! Thanks.
about 4 years ago
Super plug-in, just missing one thing and that is a log-out. Something I can put in the sidebar to click on.
Just a line of code would be fine, that destroys the session or cookie. Can’t program that well yet.
about 4 years ago
Good idea – I’ll add that.
As a bypass until then, you can try this (untested) — use a form with a hidden field named “wordpress_password” and a value of “”. Create a submit button in the form and give it the value “Logout”. Whenever anyone clicks the button it’ll activate the password handling code, and set their cookie password to “” — essentially logging them out.
When I add this feature I’ll improve it so that it’ll work via link instead of form, so you don’t have to add a form for logging out – just a link.
about 4 years ago
Hi, your plugin looks good, many thanks for the excellent work.
However I’ve got a problem or question. I’d like to protect only a few sites/pages, to define all the excluded pages therefore would be rather difficult. Is it possible to add the option to restrict pass protection only to a few specified pages (per ID)?
Thanks, marc
about 4 years ago
Have you considered using the “password protection” field already available in WP for this? Seems to be exactly what you want, but already part of WP.
Edit: oops, it’s called “Post Password” on the Write/Edit page of each post.
about 4 years ago
Yes, I tried hard to make the wp-option you mentioned work. But after input of the password the site still refreshes. First of all I thought it could be a cookie-based problem, but it isn’t. Therefore I’m trying to bypass the wordpress-build-in-pass-protection…
about 4 years ago
Ok, you sold me on the idea.
It’s not difficult to add to the plugin, but I’m tied up with work. I’ll take a swing at it this coming weekend and update afterward.
about 4 years ago
Great! Just what I was looking for. I wanted to create a blog for my colleagues and I to work together on, discussing elements of our new project. We are not all located at the one site so the web is the perfect tool for overcoming this however there didn’t seem to be an easy way to keep the blog private. htaccess was one way but your solution is much easier to manage and implement and there’s no need to manage users. Fantastic work!
about 4 years ago
Aww, thanks.
You guys are so sweet. So even though I’m battling a head cold, I’ll get to work on that “only-on-selected-pages” mode I mentioned above.
about 4 years ago
Version 0.3 is released. Adds the “Logout” link option requested by dfr0st above — no more having to use a form to work around the lack of this option.
Also adds Include/Exclude functionality (Exclude is still the default) requested by Marc. Here’s how it works:
By default, the plugin requires a password for all WP powered pages of your site. You can specify patterns to attempt matching.
- In “Exclude” mode, any URL that matches one of your patterns does not require the password to view the page.
- In “Include” mode, it works exactly the opposite: No pages on your site require a password — except those that match one of the patterns you specify.
Please report any bugs/requests/etc. I’m a wee bit medicated at the moment to battle a head cold… Possible I screwed something up.
about 4 years ago
Still been using this plugin with no problems! Thanks, it’s great
about 4 years ago
Hi JB…I haven’t installed this plugin yet, but it sure sounds like it will meet my need. I was wondering if it blocks spiders or bots or other index engines?
Thanks!
Steve
about 4 years ago
Hi Steve,
It’ll block everything. When the need to enter a password is detected, the script issues a browser redirect and then stops page output.
about 4 years ago
thank you so much for this plug-in. It is so easy and works wonderfully!
about 4 years ago
hi JB. i have been searching for almost a year for a plugin to do this very thing! i am very excited and anxious to use your plugin! however, i have run into a problem. i installed and activated with no problem. i entered my selected pw and then for some (stupid?) reason, i typed in /wp-login.php in the exclusions and pressed save. i admit i don’t know why i did it, but i guess my thinking was i had wanted to create a login-page with an explanation to visitors that the site now req’d a pw… anyway, i get this error:
http://www.mydomainname.com/wp-content/plugins/wp-password/login.php?err=&destination=/
i had to delete the entire folder (not just wp-password.php). and when i tried to reload it thru FTP, i cannot get to my login; i just get a blank screen. i screwed something up, i’m sure. please help??
about 4 years ago
Howdy Pink,
The login page that gets used by the plugin is automatically (behind the scenes) excluded from the password requirement… so you won’t ever need to explicitly exclude it.
The url you posted doesn’t actually describe an error I can troubleshoot. All it instructs your site to do is show the plugin’s login.php page, no error message, and when the login is successful, redirect to the root of your site.
Can you give me a url to look at, or more information to go on? You can email it if you don’t want the info to be public. jonathan [at this domain]
about 4 years ago
JB-
You should consider hosting this plugin at WordPress.org as well. Their new Plugin page is great.
http://wordpress.org/extend/plugins/
about 4 years ago
fantastic! just what i needed and it worked straight out of the box.
one feature suggestion: any chance of a tag being available that i could drop into my theme to display a Logout link if it detects that the current user is logged in?
about 4 years ago
I really like this idea. I want to have a blog that is restricted to certain people but where I do not have to create accounts or IDs for each person. Basically I want existing members to be able to make the blog available to others (social networking) directly by giving them the password without me having to do all the overhead in setting up accounts.
This plugin looks perfect.. except I use Lyceum to allow me many WordPress blogs with one database. Is there any chance you can make the plugin work with WordPress Lyceum? Right now it definitely does not.
about 4 years ago
@pmk: You can add a logout link – see the docs… I’ll consider adding a function that’ll draw the Login/Logout (you supply the wording) depending on the current user’s status, in the future.
@Kal: Never tried Lyceum… I’ll look into it, and see if there’s a way to change the plugin to work with it.
about 4 years ago
Steve’s error, “Fatal error: Call to undefined function: language_attributes() ” does appear to be a 2.0 vs. 2.1 problem –
I installed the plugin on a 2.0.4 installation and got the same error. A quick upgrade to 2.1.3 and everything works as advertised.
I’d update the requirements to say 2.1 instead of 2.0!
about 4 years ago
Great plugin mate!
1 question though – is it possible to protect only certain parts of the *admin panel* with this plugin?
i am working on a shared blog with some mates, and want to limit non-admins to some parts of the panel…
Is it possible with this plugin or another that is similar?
about 4 years ago
Dave Janes: WBB use Role Manager and it works really well:
http://www.im-web-gefunden.de/wordpress-plugins/role-manager/
I am looking for a plugin that will allow me password protect a specific file. I can password protect a page or post, but if someone knows the exact URL to the audio, video or image, then they can still access it.
Is there a way to password protect wordpress files?
about 4 years ago
I think compa’s approach is better suited than using WP-Passwords to protect certain admin pages. Mostly because you’d also have to protect the plugins and wp-password file itself in the admin to prevent people from un-protecting other pages they can’t reach… and I’m not sure password-protecting the password-protector would allow it to work.
Entirely untested… not at all what I had in mind for the plugin’s use.
about 4 years ago
hello. I like your plugin. I would have loved it, but darn, there’s a problem, i keep getting messages like this “too many redirects are going on.” Just after I do those steps, my WP stops working–just goes to say that message above: 1) install the plugin, 2) activate, 3) add a password, 4) update options, and boom, i get the page. Any reason why this happens?
about 4 years ago
A page you’re protecting is the destination of the redirect, so the plugin sees that the user has reached a page it should protect, redirects… ad infinitum (& nauseum).
Make sure the plugin settings exclude the login page. It usually does this by default, but you might have a setup that defies its guesses.
about 4 years ago
Does this version 0.3 of wordpress plugin definitely not work with version 2.0.4 of wordpress?
about 4 years ago
@John, it would appear so… Comment #47 above was pretty clear on that. I haven’t tested it personally, but I trust the users’ experience with it.
Why would you not want to upgrade? (I’ve no room to talk – I’m not on the very latest version yet either)
about 4 years ago
Hi JB,
thanks for this great plugin. I just wanted to implement it into a site I am hosting. On this site, one single page (‘http://lntc.mur.at/?page_id=57’) should be password-protected. I have defined a site password, selected ‘include’ in the list mode and put ‘/?page_id=57’ into the URL matching box. It seems that I have mixed things up. Password protection is not working, I can still access the page. What have I overlooked?
THX
Chris
about 4 years ago
excuse my ignorance but can i use this plugin for my wordpress.com blog so that i can give my friends and family a password rather than making them register?
thanks
Mick
about 4 years ago
@JB-
Your plugin is exactly what I was looking for and I installed it on my site this morning. However, I accidentally noticed a slight bug/flaw that I wanted to inform you about.
If you type an address to a page that doesn’t exist on my wordpress site, wordpress will produce a 404 error page using my template. All my links and sidebar info is shown, pretty much my whole site minus the content. This 404 page isn’t protected by your site password.
I don’t mind, cause I’m not looking for vault-type protection, just something to keep casual browsers away from our family site. But I thought you might want to know about this in order to add code that can offer others a little bit better protection if possible.
Also- you may want to delete this post so others don’t use this knowledge to their advantage. I didn’t know how else to reach you.
my settings:
wordpress 2.2 ( i haven’t checked 2.1)
exclude mode:
/wp-admin*
/wp-login.php
/feed
If you need to, contact me at my email.
Thanks again for this great plugin!
about 4 years ago
the plugin doesn’t work for me in IE 6 and IE 7, after entering the password and clicking on enter it deletes the password with no msg, in opera and firefox it works fine. can you please help?
thanks
about 4 years ago
^^ just figured out why is happening, when i mask the URL of my blog in my domain service, in IE after entering the password it doesn’t redirect the user to the blog. when masking is off every thing works fine.
any way to solve this while masking is ON ?
about 4 years ago
@criscom:
Sorry! I haven’t really been ignoring this, despite appearances. I’ve been trying to duplicate what you’ve seen and am short on time to re-configure my test site to really try it.
My first guess: The ? in your url is interfering with the regular expression search the plugin performs on urls to see if it should be matching. Try just “page_id=57” (no quotes)
That doesn’t seem intuitive to me… I know I tested the /?feed format and it worked fine… let me know what you get.
@Mick:
Yep, that’s what it’s for — but it’s one password for everybody, not one each. If you want one each, WP has that built in, and/or there are other plugins for that job.
@Bryan:
I wasn’t able to duplicate this. I have a test site with my plugin settings set just like yours. There’s a url there: http://www.broome.us/sandbox/2007/02/20/blockquotes-galore/
It’s password protected.
If I mangle the url into a 404-earning version:
http://www.broome.us/sandbox/xxxxxxxx
It’s still password protected. Could it be something specific to your site? javascript used to draw the sidebar links or something?
@Shasoosh:
I need more info to understand the request better. I’ve never used “masking” for a url via a domain service… An example site to look at or description of how it works might be useful.