The WordPress Password Plugin

MAJOR Update, May 11, 2010:

I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.

I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future wordpress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes it’s security of all other things WP. I just don’t want to do that to you.

Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it: http://www.javascriptkit.com/howto/htaccess3.shtml

If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.


NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.


The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!



It took me a couple days to perfect, but here’s my second WordPress plugin.


Download the WordPress Password plugin (version 0.4.7): 9kb


When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.


More about how it works:

  • When the plugin is inactive, or active but a password has not been set, no password is required.
  • The password gets reset automatically when the plugin is activated.
  • Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
  • When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass
  • If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
  • If you close your browser and come back, you have to re-login


Forgot Your Password?

  1. FTP into your plugins/wp-password folder
  2. Delete wp-password.php
  3. Log in to your wp admin, view the plugins page
    (notice WordPress Password is missing now)
  4. Re-upload wp-password.php
  5. Re-activate the WordPress Password plugin.
    Activating it resets the password.
  6. Visit Options|Wordpress Password and set a new password.



Version History

  • 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
    • Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
    • Fixed the case where the site was on “/” and previous versions would strip”/” from the url to check and break (that was a rather stupid bug, no?)
  • 0.4 2008-01-09 – Fixed use for sites not on port 80
    • Changed redirection code from header to javascript
    • Fixed use for sites aliasing the blog directory
  • 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
    • Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
      e.g. http://mysite.com/myWPpage/?wp-password-logout=true
      The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can created as: <a href=”?wp-password-logout=true”>>Log out</a>
    • Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
  • 0.2 2007-02-02 – Bug Fixes.
    • Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
    • Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
    • Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
    • Added checking for the ‘www.’ or ” prefix before a domain name (i.e. http://www.broome.us vs http://broome.us).
  • 0.1 2007-01-31 – Initial (public) release.


If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below 🙂

332 thoughts on “The WordPress Password Plugin

  1. Bummer! I went into the Admin tonight to see if the plugin got installed and what I found was WP V 2.5! How’d it get downdated? Who knows. Until we get that back to V2.6.2 I guess I’m out of luck.

    For some reason, the authors have conveniently taken off Manage > Downloads from V2.6.2. Nowhere to manage your downloaded materials in the new version so I can guess that may be why our Chief Admin took it off. And also no help on the forums for this…

    I’m going to have to wait now until we get the newer version back on so I can then press on to find a password solution for our Member’s Only Area.

    Drat!

  2. Not sure why, but after installing 0.6, after login I get redirected to the login.php, and it goes into a loop. I should be redirected to my index.php or /

  3. i’m having the same problem as folks above – after inputting the password it redirects me to the home page instead of the password protected page.

    has anyone figured this out yet?

  4. Well, we’ve got it back to v 2.6.3 now so I’ve had a chance to drop in here. Looks like there’s still a problem with getting sent to the incorrect page. FWIW, we now have Manage > Downloads back. Why it disappeared is a mystery but that one’s settled. Now if only I could password protect the member’s area we could really get rolling! Since I don’t have a clue as to how to code anything, I’ll just have to be content to be patient and wait for some help from outside. Anyway, I’m much appreciative of all the work being done to help us novices…

  5. I am using wordpress 2.6.3 and your latest plugin .06, when I install the plugin and activiate it it automatically brings me to a password protected page, I cannot enter anything because i don’t know the password.

  6. Olá,
    I’m using this wp-password plug in but, when i’m writing a post and try to upload an image, it say it can’t create the upload folder. if I creat the upload folder by myself, when I try again to upload an image, it say isn’t possible to upload.
    I alread set the plugin to not ask for the password for /wp-adm*.

    when I set the plugin inative, the problem stops but,is there any other solution for this problem?

  7. When I’m in the admin, writing a post and wanting to upload an image that is on my computer, the plugin takes place in the lightbox window and if I’m giving the password the message come “do you realy want to do this”… In that way I can’t upload any media, except if I disacteved the plugin… I can of course to so for myself but we are more than 10 people writing on this blog with different permissions…
    Is there any solution to that problem ?

  8. Unbelievable no response on this plugin, why make one if your not around to provide support.

    [Edited 11/30/08 by admin. Watch yer potty mouth]

  9. @rob: Sorry you’re unhappy with unfinished software, given without warranty or promise of support, that I tinker with in my spare time, when I’m not working a full time job, a separate part time job, on vacation, spending time with my wife & kids; or for that matter doing ANYTHING else I decide is more important than figuring out how to deal with a problem I don’t personally have.

    If I address any issues that have been reported with this plugin, it’ll be when I have time, and I’ll update this site. Don’t like that policy? Build your own plugin. I’ll happily refer people to it if/when it solves problems better than mine does.

    For everyone else, thanks for your patience. I admit this has been on a far back burner. I can’t promise an update schedule, this is an extremely busy time of year for me.

  10. JB, I guess your not in a customer service field gauging from your extremely rude response. “Don’t like it? Build your own…”

    Come on man, how about…Can’t support it? Don’t build it…

  11. @rob:
    Use the plug-in or don’t. I’ve never called it “1.0”, “finished” or “bug-free”.

    I’ve never charged anyone a dime for it, and never will. I’m also under no obligation to ever release another version, though I’d like to, when/if I get time to work on it.

    Improve it to solve your request yourself if you like. It’s only PHP – a free programming language with free help online. Any text editor will modify it.

    Just remember that after you change it, and offer your improvements to other people who might appreciate them, you also owe them friendly, timely support and new versions — especially if they gripe about something you didn’t do yet, or do the same way they would, and don’t want to bother fixing themselves.

    Or, on the other hand, if you can’t support it… don’t build it.

  12. Wow. R[… redacted …]t.

    [Edited 12/8/2008 by admin: Just as I don’t want people using vulgar language on my site, I also don’t want flame bait. Thanks for the support, anyway 🙂 ]

  13. I’m looking for a tool like this for my wife and unfortunately all the solutions, including this one, have serious limits. I think she will be best going with the wordpress solution which is cumbersome but supported at least.

    My take on the support issue is that this is like borrowing someone’s lawnmower and then complaining that the blades are dull and it’s too narrow for their big lawn. Hello? This is a free thing offered to try and help others who might be able to use it.

    For those not familiar with open source it is pretty complicated and often requires that you be able to modify code and either support it yourself or see that there is a large enough community where others will generally fix known problems fairly quickly.

    Of course it is nice to stay responsive and friendly even if you don’t have time to support something that is put out there. Something like “I see that there is a problem some of you are having but I don’t know an quick fix and won’t be able to look into it for some time, if ever do to my work/home schedule. If anyone can find solutions or help please post them here and they will help for now and could be implemented an a future version of the plug-in someday.”

    At a minimum the comments have helped to understand that this may not be a good solution for our application right now.

  14. Hi

    Just a quick note to those having problems with infinite redirect loops with recent wordpress versions.

    I use v2.7 and I managed to get this plugin working (ie. no infinite redirect loops) by changing the settings as follows:

    1. Switching to “include mode”
    2. Adding the following pattern to list matching: /*

    i.e. rather than use the default mode of excluding everything, I made it so that the plugin explicitly includes everything and then excludes all pages by using the /* pattern.

    Hope this helps people & hope this helps JB with providing a better fix.

    Anthony

  15. I’m using v2.7 and want to have the user enter the password everytime the try to access the site. seems to be storing the password in the cache/cookie and does not prompt for password.

    any ideas??

    thanks!
    joel

  16. I stumbled on this plugin and found it works very well. I had hoped to find helpful comments here about customizing, and I’m stunned to read all of the bitching. JB, thanks for posting your work for others to use. So here’s my question: I use Textmate to post via the xmlrpc file. It returns an error as it gets redirected. Was hoping someone has solved this issue. Thanks for suggestions.

  17. your password protection plugin is pretty cool …it works. Amazing that one would think that something like this would be easy and available freely … but its next to impossibe to find something like that.

    one suggestion: It would be cool if i could send a link to someone I wanted to come and see my blog with the password embedded in the link…

  18. Do you have a version or plan on making a version that works with WP 2.7.1

  19. Thanks so much for the plugin. It’s exactly what I needed for a client project, and I didn’t want to have to mess with htaccess.

  20. Great plugin. Would be better with a little CSS that users can edit to match the blogs’ main colors…

  21. Thank you very much!! This plugin is just what I have been looking all over the internet for and it works perfectly, even with the newest version of wordpress (2.7.1.).

  22. Hi
    I’m running a test blog using WP 2.7.1.

    WP Password version 0.4.7 loaded successfully.

    I’ve set the password and excluded the relevent urls.

    When I log out and try to access the site nothing happens.

    I can access all the urls that I’ve password protected with WP Password version 0.4.7.

    I want to prevent people accessing a particular category and several sub-categories on my site.

    Can anyone help me get this plugin to work?

    Many thanks in antcipation of your help.

    Kind Regards

    PatD

  23. Hi PatD. The plugin creates a session cookie in your browser that may still be hanging around. Try closing all instances of your browser then re-opening one to see if it’s really working.

  24. thank you for such an awesome plugin…
    but, when we select an included page from the menu, the password screen arrives, then redirects us back to the index page. But now the session variable is set and the user is allowed into the “included” content area. any help would be greatly appreciated.

  25. Thank you SO MUCH !

    I’ve been looking for something like this for ages, I had so much trouble understanding htaccess (never managed to make it work).

    Good job !

  26. Antony — thanks for that quick and dirty fix! Totally worked. (Using wp 2.7.1 with the (awesome) atahualpa theme.)

  27. When I use the plugin, I want visitors to land on a certain page on my site, but it just goes to domain.com/login.php

    How can I change that so it goes to a content page and not the error page that says, “Sorry, no posts matched your criteria,” ?

  28. Plugin works great for posts, but i seem to be having some problems
    using WP 2.7.1’s function for media. It crunches the image in question
    and then it wants a password again. I enter password and i get “are you sure you want to do this” and a “please try again” if pressing that, it loops.

    what am I missing?

  29. I’m hoping your plugin will work for what I need. I want to protect the downloaded files on the site. I loaded your plugin and chose include for the list mode and then just put /wp-content/uploads* for the URL matching hoping this would require the password to access any of the pdfs we have on the site. No such luck – everything opens without a password. Any suggestions? Thanks!

  30. Sorry Beth, that’s not going to be something this plugin can do… This plugin only affects WordPress pages. A PDF (or .doc, or .gif, etc) in a WordPress directory will be unaffected.

    I think what you’re looking for is .htaccess You can get similar functionality as far as protection goes, and it can affect all files. The tradeoff is that it’s a bit harder to manage. Check out this site for more information: http://www.widexl.com/tutorials/htaccess.html

  31. So I’ve installed this plugin. The idea is brilliant… however I’m having trouble with it redirecting to the root from where the original blog is installed.

    I don’t have an alias redirect going on, so I’m wondering if it’s the plugin that’s redirecting or if it’s the way that Network Solutions is handling the redirects. VERY curious if anyone else (including the author) has encountered this issue.

  32. Hi Collin,

    You can use the debug parameter (documented somewhere in this thread, or the readme…) to watch what happens and see if it’s the plugin forcing the redirect. Instead of actually redirecting, it’ll just tell you that it intends to. That might help track down the source of the problem.

  33. For some reason, my login page lost its styles. It is referencing the most recent version of wp-admin.css in the wp-admin folder, however only parts of the page are getting the styles. Was there something with the upgrade to WP 2.8 and the plugin that would cause this to happen? Any advice would be appreciated.

  34. PROBLEM ABOVE SOLVED
    The blog was upgraded to 2.8 from a very old version of WP, so styles/images were no longer existing. I grabed the css and images from an old version of WP and just referenced them in the plugin files. All is working fine now.

  35. I first tried the 0.4 release on the WP plugins page. I use WP 2.8.1. But it didn’t work.
    Then I went to this plugin homepage and used the latest version 0.4.7 and now it works.

    2 suggestions:
    -please update the WP plugin page with this new version
    -the login page is not in the same “style” as WP2.8 I think it has to do with the fact you copied and modified the original wp-login.php of an old WP version. This way of working is not very future proof. You should try to keep your modifications seperate from the original file.

    Just my 2 cents

  36. I modified your plugin so password will be checked case-insensitive. Maybe you could add it and add an extra option if you want this or not.

    Can someone confirm that WP password plugin works including the original look and feel of the login page with WP 2.8.1

    I uploaded the login page shown when using WP password plugin and when deactivited (standard/original login):
    http://i29.tinypic.com/2z4ycky.png
    http://i29.tinypic.com/261l1xk.png

    It’s possible to use this plugin with “BM custom login” so I can change the logo etc…

  37. Jan, how did you make it case-insensitive?

    I too would love to see more option in a control panel kinda way about changing the look and feel of the password prompt.

  38. I am getting the following when I go to a page that meets the password protection string:

    The server encountered an unexpected condition which prevented it from fulfilling the request.
    The script had an error or it did not produce any output. If there was an error, you should be able to see it in the error log.

  39. I am getting this error, running the latest version of WordPress. I would really love to use your plugin, it’s exactly what I need. Any suggestions on how to fix this?

    Fatal error: Call to undefined function load_plugin_textdomain() in /home/content/82/4746082/html/wp-content/plugins/wp-password/wp-password.php on line 28

Leave a Reply

Your email address will not be published. Required fields are marked *