Web, Programming, Usability, etc.
The WordPress Password Plugin
MAJOR Update, May 11, 2010:
I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.
I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future wordpress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes it’s security of all other things WP. I just don’t want to do that to you.
Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it: http://www.javascriptkit.com/howto/htaccess3.shtml
If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.
NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.
The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!
It took me a couple days to perfect, but here’s my second WordPress plugin.
Download the WordPress Password plugin (version 0.4.7): 9kb
When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.
More about how it works:
- When the plugin is inactive, or active but a password has not been set, no password is required.
- The password gets reset automatically when the plugin is activated.
- Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
- When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass
- If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
- If you close your browser and come back, you have to re-login
Forgot Your Password?
- FTP into your plugins/wp-password folder
- Delete wp-password.php
- Log in to your wp admin, view the plugins page
(notice WordPress Password is missing now) - Re-upload wp-password.php
- Re-activate the WordPress Password plugin.
Activating it resets the password. - Visit Options|Wordpress Password and set a new password.
Version History
- 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
- Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
- Fixed the case where the site was on “/” and previous versions would strip”/” from the url to check and break (that was a rather stupid bug, no?)
- 0.4 2008-01-09 – Fixed use for sites not on port 80
- Changed redirection code from header to javascript
- Fixed use for sites aliasing the blog directory
- 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
- Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
e.g. http://mysite.com/myWPpage/?wp-password-logout=true
The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can created as: <a href=”?wp-password-logout=true”>>Log out</a> - Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
- Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
- 0.2 2007-02-02 – Bug Fixes.
- Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
- Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
- Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
- Added checking for the ‘www.’ or ” prefix before a domain name (i.e. http://www.broome.us vs http://broome.us).
- 0.1 2007-01-31 – Initial (public) release.
If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below 
| Print article | This entry was posted by JB on 1/31/2007 at 6:42 pm, and is filed under Code, web. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site. |
about 3 years ago
I just have a couple of pages that I want to use this plug-in for. What’s a matching URL? It doesn’t seem to be working on my 2.3 WP?
about 3 years ago
I tired out the plugin on a local WP 2.6 install and it worked a charm.
Unfortunately when I upload it to the miserable IIS server that I have to work with, it goes into an infinite redirect loop. The resulting url looks like:
[wp-base-dir]/wp-content/plugins/wp-password/login.php?err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination= … etc.
I believe that someone who shouldn’t be let near a keyboard set up multiple domain aliases for the site, which i guess is part of the problem…Could you explain how to use the debug querystring you mention so I can work out whats going on.
Thanks for your time, and a simple & useful plugin nonetheless.
about 3 years ago
I’m having that same infinite loop problem with my 2.6 install! but mine doesn’t tack on the destination every time, it just constantly stays at:
…/wp-content/plugins/wp-password/login.php?err=&destination=/
Weird. Can someone help with this?
about 3 years ago
That was exactly what I was looking for!!
Thank you so much. I’ve activated it and it works perfectly!!
about 3 years ago
I have installed this today, but on login it asks for a name? and the password I used does not work?
Thx for any help
about 3 years ago
Need help with your password plugin. I am using it on a website to protect a “Members only” section. How do I modify the code so that it goes directly the protected page, instead of the website home page? People are getting confused and thinking it is not taking their password. Thanks.
about 3 years ago
Thanks for the great plugin. I have my wordpress installation in http://www.domain.com/wordpress, but my alias is setup so that my blog runs from http://www.domain.com. Do you know what I should set my alias as?
Thanks,
MT
about 3 years ago
Do you have plans to make this compatible with wordpress 2.6?
It seems it no longer works properly. 0.4.7 keeps asking for the password whenever I want to upload files (like pictures) and keeps asking so can’t upload pictures. Tried 0.3 on wordpress 2.6, and it works but doesn’t seem to use the new wp-admin CSS so looks very ugly.
I really love this plugin, and been using it for a long time on wordpress 2.2. Makes me want to go back to 2.2 just to use the plugin. I really hope you get a chance to update it. I’ve thought about using user authentication, but I’ve got family that are too computer illiterate that a “password only” method is so much better.
about 3 years ago
At post 222, Ollie sez: I tired out the plugin on a local WP 2.6 install and it worked a charm.
Then at post 229, iggy states: Do you have plans to make this compatible with wordpress 2.6?
I’m attempting to show a Parent Page in the sidebar, but password protect the child pages beneath it for a Member’s Only application. I have to work with my hoster and need to give him everything rather than upload and control it myself. Before I go give this to him and blow the whole thing up, I would like to know if vers 0.4.7 is or is not compatible with WP 2.6.2, please?
about 3 years ago
I’m having a hard time figuring out how it doesn’t work in 2.6.2. It works for me. I just upgraded an old WP 2.5 install to 2.6.2 to test it.
Downloaded the WP-password.zip file, unzipped & uploaded to my plugins directory.
Activated the plugin, set a password, set the “include” option, added a url to my list and then tested.
Except for a case of “fugly”, it worked.
So I would say it’s not *quite* 2.6.2 compatible, but only because it’s ugly. Functionally, it appears to be 2.6.2 compatible.
As to the looping redirects: I’m not sure what’s going on there. Haven’t encountered it myself, but that may be a lot to do with masking blog names via .htaccess redirects/rewriting, etc. Could also be caused by overlapping rules, maybe… haven’t sunk much thought into it. I don’t have an example to test with to figure it out, and that makes it harder.
I’ll look into it a little. More info is welcome.
about 3 years ago
Anybody feeling brave?
I just searched my hard drive for an old version to see where I’d left last development at,and found v0.5 nearly ready for release.
So I’ve updated the login page, zipped it up and left it here for the adventurous. It didn’t destroy my install… but I’d install it on a test setup first, if I were you. if you like it and it seems to be okay… backup and try it on a real blog instance and tell me it’s successes and failures.
It does NOT protect against showing a protected blog’s content on the homepage of your site, as WP allows you to do. I think that’s why I never released it before… open to ideas on that one.
v0.5 BETA! http://www.broome.us/wp-password/wp-password_0_5.zip
No warranty of fitness for purpose is expressed or implied. If your webserver implodes, I never heard of you
about 3 years ago
JB –
Oh, how I wish I had a test system! I’d certainly give this a whirl. My hoster would probably not appreciate it if I hosed the install. You don’t know how loooong I’ve been looking for a plugin like what I think this is. I really really really need something to password the members only material. We don’t want our “stuff” out there for all eyes, just our eyes. Flexi-Pages almost gives us what we need – almost… Flexi-Page hides the child(ren) successfully but as soon as you click the parent, Flexi-Page kicks in with a password prompt -but- the child immediately shows up in the sidebar and it’s clickable. And that’s a problem. I would love to try this but I believe I should ask our hoster first. I will try to let you know ASAP.
Thanks for taking the time. And, I hope this works out.
about 3 years ago
JB -
Thanks for the update! And thanks for your time and effort.
I just tested v0.5 beta on WordPress 2.6.2 w/ the Japanese language files.
The quick results were this>
Warning: strpos() [function.strpos]: Empty delimiter in /folder/wp-content/plugins/wp-password/wp-password.php on line 649
Warning: Cannot modify header information – headers already sent by (output started at /folder/wp-content/plugins/wp-password/wp-password.php:649) in /folder/wp-includes/pluggable.php on line 770
Header already sent errors often happen when there’s an file encoding problem on unicode pages. So it might be because I’m using the Japanese language files. I tried the login.php from 0.5 with the wp-password.php from 0.3, and this combination seems to work great. Just doesn’t have the new features from 0.5…
about 3 years ago
iggy, I got the same error on 2.6.1 using the default English language.
about 3 years ago
I guess at this point, I’ll stop trying to use it until we hear more from JB about a fix…
about 3 years ago
by the way, login.php from 0.5 beta works great.
about 3 years ago
@iggy – this is confusing, at 234 you seem to say 0.5 isn’t working (Japanese language pak) and at 235 Dan H seems to agree it isn’t. Then today 0.5 beta works great. So, I’m confused – is 0.5 beta password plugin working or is there somehow a typo in one of your posts perhaps???
Thanks.
about 3 years ago
Ok, 0.5.1 is here with an attempted fix for the problem on line 649.
http://www.broome.us/wp-password/wp-password_0_5_1.zip
about 3 years ago
Hoib -
Sorry for the confusion.
There are two files in wp-password.
The login.php from 0.5 beta works great, and wp-password.php was giving me errors. So I was using the 0.5 login.php with an older wp-password.php.
JB -
Thanks for the quick update!!!
I’ll give it a try and let you know if I experience any problems.
about 3 years ago
OK iggy – I appreciate your reply. I’ve given our webhoster the files and now must await his upload/setup. I do not have that level of access to his server (and I probably don’t want it either!!!!) And again to JB, if this works like I think/hope it does — GOLDEN!!!
about 3 years ago
getting wp_user error, call to undefined function. I also cannot get into the site after entering the password. I am using 2.6
about 3 years ago
Rob, you did not mention what version of the plugin you’re using. That would be helfpul, as there’ve been some updates here (they’re not on the WP plugins site yet).
I did see/remove some wp_error calls in the login.php script with my latest versions because they weren’t playing well with the plugin in version 2.6.2. Could be similar to what you’re seeing, and a good cause to try the latest version released in these comments.
about 3 years ago
i’ve been using your plugin for a while now and it’s been working great. can i request a feature? (unless it’s already there and i don’t know about it). is there a way to add text to the login page. for example:
“You have arrived at the Smith Family Blog. If you would like access to our blog, please send an email to xxxxxx@xxx for the password.”
well, the words aren’t important, just looking for a way to provide people who arrive at my site via blog hopping to have a way to access it.
about 3 years ago
@Ikaika: Requests are always welcome.
The login prompt is a simpler (read: I deleted a lot) version of the wp-login.php page for the current 2.6.2 version. You can edit it however you want to, until I get around to making it somehow read a field or display your own html… but even if I did that, you’d still have more flexibility editing the file yourself.
about 3 years ago
thanks. i guess i was just being lazy. problem solved!
about 3 years ago
Is there a way to set the plugin to take the visitor to the password protected page after they enter the password-instead of the homepage?
plus I am also having issues after I enter the password it takes it then I have to navigate back to that page and it asks me to enter it again?
about 3 years ago
@Mike: Redirecting to the protected page is what it’s supposed to do. You can verify this – check the url when you get directed to the login page – it should contain something like dest=(original url).
Your second issue sounds like you might not have cookies active in your browser. Maybe?
about 3 years ago
thx for the reply JB,
Well, on my main computer I cant even get it to log out-whether I use the logout code in the URL or wipe cookies and close the browser. So I was using a different computer and that’s where the strange re-direct behavior and cookies issues were coming from. I just checked the cookies on the other machine and that was the problem-but it is still re-directing to the home page and not attempting to go to the password protected page?
any ideas?
about 3 years ago
Yea, it appears to be working as intended on several computers I have tried EXCEPT for re-directing to the home page…
…this plug-in is PERFECT for what I need it to do-if anyone has any ideas for a solution I would be grateful!
about 3 years ago
Bummer! I went into the Admin tonight to see if the plugin got installed and what I found was WP V 2.5! How’d it get downdated? Who knows. Until we get that back to V2.6.2 I guess I’m out of luck.
For some reason, the authors have conveniently taken off Manage > Downloads from V2.6.2. Nowhere to manage your downloaded materials in the new version so I can guess that may be why our Chief Admin took it off. And also no help on the forums for this…
I’m going to have to wait now until we get the newer version back on so I can then press on to find a password solution for our Member’s Only Area.
Drat!
about 3 years ago
Version 0.6 is released… http://broome.us/archives/2008/10/11/wordpress-password-06/ or http://broome.us/wp-password/wp-password_0_6.zip
about 3 years ago
Unfortunately,
It still re-directs me to the homepage
about 3 years ago
Not sure why, but after installing 0.6, after login I get redirected to the login.php, and it goes into a loop. I should be redirected to my index.php or /
about 3 years ago
i’m having the same problem as folks above – after inputting the password it redirects me to the home page instead of the password protected page.
has anyone figured this out yet?
about 3 years ago
Well, we’ve got it back to v 2.6.3 now so I’ve had a chance to drop in here. Looks like there’s still a problem with getting sent to the incorrect page. FWIW, we now have Manage > Downloads back. Why it disappeared is a mystery but that one’s settled. Now if only I could password protect the member’s area we could really get rolling! Since I don’t have a clue as to how to code anything, I’ll just have to be content to be patient and wait for some help from outside. Anyway, I’m much appreciative of all the work being done to help us novices…
about 3 years ago
Thank you very much for this plugin.
about 3 years ago
I am using wordpress 2.6.3 and your latest plugin .06, when I install the plugin and activiate it it automatically brings me to a password protected page, I cannot enter anything because i don’t know the password.
about 3 years ago
Olá,
I’m using this wp-password plug in but, when i’m writing a post and try to upload an image, it say it can’t create the upload folder. if I creat the upload folder by myself, when I try again to upload an image, it say isn’t possible to upload.
I alread set the plugin to not ask for the password for /wp-adm*.
when I set the plugin inative, the problem stops but,is there any other solution for this problem?
about 3 years ago
any word on this? Check a few posts above
about 3 years ago
When I’m in the admin, writing a post and wanting to upload an image that is on my computer, the plugin takes place in the lightbox window and if I’m giving the password the message come “do you realy want to do this”… In that way I can’t upload any media, except if I disacteved the plugin… I can of course to so for myself but we are more than 10 people writing on this blog with different permissions…
Is there any solution to that problem ?
about 3 years ago
Unbelievable no response on this plugin, why make one if your not around to provide support.
[Edited 11/30/08 by admin. Watch yer potty mouth]
about 3 years ago
@rob: Sorry you’re unhappy with unfinished software, given without warranty or promise of support, that I tinker with in my spare time, when I’m not working a full time job, a separate part time job, on vacation, spending time with my wife & kids; or for that matter doing ANYTHING else I decide is more important than figuring out how to deal with a problem I don’t personally have.
If I address any issues that have been reported with this plugin, it’ll be when I have time, and I’ll update this site. Don’t like that policy? Build your own plugin. I’ll happily refer people to it if/when it solves problems better than mine does.
For everyone else, thanks for your patience. I admit this has been on a far back burner. I can’t promise an update schedule, this is an extremely busy time of year for me.
about 3 years ago
JB, I guess your not in a customer service field gauging from your extremely rude response. “Don’t like it? Build your own…”
Come on man, how about…Can’t support it? Don’t build it…
about 3 years ago
@rob:
Use the plug-in or don’t. I’ve never called it “1.0″, “finished” or “bug-free”.
I’ve never charged anyone a dime for it, and never will. I’m also under no obligation to ever release another version, though I’d like to, when/if I get time to work on it.
Improve it to solve your request yourself if you like. It’s only PHP – a free programming language with free help online. Any text editor will modify it.
Just remember that after you change it, and offer your improvements to other people who might appreciate them, you also owe them friendly, timely support and new versions — especially if they gripe about something you didn’t do yet, or do the same way they would, and don’t want to bother fixing themselves.
Or, on the other hand, if you can’t support it… don’t build it.
about 3 years ago
Wow. R[... redacted ...]t.
[Edited 12/8/2008 by admin: Just as I don't want people using vulgar language on my site, I also don't want flame bait. Thanks for the support, anyway
]
about 3 years ago
I’m looking for a tool like this for my wife and unfortunately all the solutions, including this one, have serious limits. I think she will be best going with the wordpress solution which is cumbersome but supported at least.
My take on the support issue is that this is like borrowing someone’s lawnmower and then complaining that the blades are dull and it’s too narrow for their big lawn. Hello? This is a free thing offered to try and help others who might be able to use it.
For those not familiar with open source it is pretty complicated and often requires that you be able to modify code and either support it yourself or see that there is a large enough community where others will generally fix known problems fairly quickly.
Of course it is nice to stay responsive and friendly even if you don’t have time to support something that is put out there. Something like “I see that there is a problem some of you are having but I don’t know an quick fix and won’t be able to look into it for some time, if ever do to my work/home schedule. If anyone can find solutions or help please post them here and they will help for now and could be implemented an a future version of the plug-in someday.”
At a minimum the comments have helped to understand that this may not be a good solution for our application right now.
about 3 years ago
Hi
Just a quick note to those having problems with infinite redirect loops with recent wordpress versions.
I use v2.7 and I managed to get this plugin working (ie. no infinite redirect loops) by changing the settings as follows:
1. Switching to “include mode”
2. Adding the following pattern to list matching: /*
i.e. rather than use the default mode of excluding everything, I made it so that the plugin explicitly includes everything and then excludes all pages by using the /* pattern.
Hope this helps people & hope this helps JB with providing a better fix.
Anthony
about 3 years ago
The tip above (using include mode and “/*”) worked for me *EXCEPT* that I can no longer post via xmlprc.
about 3 years ago
I’m using v2.7 and want to have the user enter the password everytime the try to access the site. seems to be storing the password in the cache/cookie and does not prompt for password.
any ideas??
thanks!
joel
about 2 years ago
I stumbled on this plugin and found it works very well. I had hoped to find helpful comments here about customizing, and I’m stunned to read all of the bitching. JB, thanks for posting your work for others to use. So here’s my question: I use Textmate to post via the xmlrpc file. It returns an error as it gets redirected. Was hoping someone has solved this issue. Thanks for suggestions.