The WordPress Password Plugin

MAJOR Update, May 11, 2010:

I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.

I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: It doesn’t protect items in feeds, it can be broken by future wordpress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes it’s security of all other things WP. I just don’t want to do that to you.

Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it:

If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.

NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.

The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!

It took me a couple days to perfect, but here’s my second WordPress plugin.

Download the WordPress Password plugin (version 0.4.7): 9kb

When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.

More about how it works:

  • When the plugin is inactive, or active but a password has not been set, no password is required.
  • The password gets reset automatically when the plugin is activated.
  • Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
  • When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass
  • If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form
  • If you close your browser and come back, you have to re-login

Forgot Your Password?

  1. FTP into your plugins/wp-password folder
  2. Delete wp-password.php
  3. Log in to your wp admin, view the plugins page
    (notice WordPress Password is missing now)
  4. Re-upload wp-password.php
  5. Re-activate the WordPress Password plugin.
    Activating it resets the password.
  6. Visit Options|Wordpress Password and set a new password.

Version History

  • 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
    • Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
    • Fixed the case where the site was on “/” and previous versions would strip”/” from the url to check and break (that was a rather stupid bug, no?)
  • 0.4 2008-01-09 – Fixed use for sites not on port 80
    • Changed redirection code from header to javascript
    • Fixed use for sites aliasing the blog directory
  • 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
    • Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
      The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can created as: <a href=”?wp-password-logout=true”>>Log out</a>
    • Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
  • 0.2 2007-02-02 – Bug Fixes.
    • Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
    • Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
    • Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
    • Added checking for the ‘www.’ or ” prefix before a domain name (i.e. vs
  • 0.1 2007-01-31 – Initial (public) release.

If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below πŸ™‚

Join the Conversation


  1. Version 0.4.7 is not working with WordPress 2.5 very well.
    When I try to type the password and press enter I cannot log in.
    It throws me back to start again.

  2. It works with my 2.5 install, just not a nice as it did before. The password lets you in, but the login page is really bad looking.

  3. Joe: in my case changing the login.php file from the wp-password plug did the trick.

    <link rel=”stylesheet” href=”/wp-admin/wp-admin.css?version=” type=”text/css” />
    text_direction) ) : ?>
    <link rel=”stylesheet” href=”/wp-admin/rtl.css?version=” type=”text/css” />


  4. Hmm, it seems my comment got cut off

    if you would like to receive the corrected login.php you can contact me at gro (at) rossen (dot) be

    The changes are quite trivial: just compare the default wp-login.php with login.php from wp-password: line 34-38 from login.php should be replaced by lines 16-19 (wp_admin_css(..) section) you find in wp-login.php.

  5. Gino-
    Thanks a heap for coming up with those changes. I’m sorry I haven’t been responding here lately – it’s spring break week here and my kids are off school, my day job is in deliver-it-yesterday mode and I’m swamped. I did the 2.5 upgrade on my site just to see if it would break… when I didn’t see any plugins or the site break, I figured all was well and got too busy again to respond with a fix. Apologies. I’m not dead. Yet. I’ll issue an update with Gino’s update this weekend.

  6. also, instead of:

  7. I’m having a problem with the plugin and TinyMCE. When I activate the plugin, and enter a password in the Options page, TinyMCE disappears from the authoring interface. But if I disable the plugin, or before I put in a new password, it’s fine.

    This seems to be an occasional problem, which can be cured by removing blank lines from the plugin file… although I’ve tried that, and it didn’t work.

    This is on WP 2.3.3. Haven’t tried upgrading to v2.5 yet.

  8. Hello,

    First of all, great plugin! I have been looking for something like this for a while. After I updated to WP 2.5.x, the Flash media insert buttons give me the error I typed in below. I added spaces in a few places b/c I wasn’t sure if this supports code…

    File is empty. Please upload something more substantial. This error could also be caused by uploads being disabled in your php.ini.

    Any ideas on what files/folders to exclude to get uploads to work or do you have any other suggestions? Any help would be greatly appreciated!


  9. hello, I love the plugin! I just have a quick question. There seems to be some sort of gray HR line between the password block & the login button. How can I remove that? I couldn’t find an HR declaration, so I am not sure how/where it is generated.

    I am trying to beautify the login page (centering it on page, on top of a rounded corner box image). The HR needs to go if this is to look right.

    Thx in advance =)

  10. ok, I fixed the gray line issue… it was some sort of border fixed it via css… I have a really nice looking login page. But sometimes it seems when I enter the correct password it pops me back to the password block. I enter it a second time and it then lets me in. Any ideas?

  11. Since 2.5 the upload feature didn’t work anymore (Safari on Mac), there was the message that sam reported before: “File is empty. Please upload something more substantial. This error could also be caused by uploads being disabled in your php.ini.”

    I found out, that the upload flash code uses a URL with the port explicitly specified as :80, which doesn’t work with this plugin. I believe the constuction of the $domainurl and $siteRoot variables is buggy (BTW, JB: the HOST header INCLUDES the port already). I wrote a patch an now it works fine. Download it here:


  12. Very nice plugin! I just have a question…
    I did not understand where I have to put this patch for make this plugin working well on version 2.5
    Thanks 4 help!

  13. Hi..
    nice plugin!! very nice!
    somebody can teach me how to install this plugin in wordpress version 2.5.1??

  14. I just have a couple of pages that I want to use this plug-in for. What’s a matching URL? It doesn’t seem to be working on my 2.3 WP?

  15. I tired out the plugin on a local WP 2.6 install and it worked a charm.

    Unfortunately when I upload it to the miserable IIS server that I have to work with, it goes into an infinite redirect loop. The resulting url looks like:
    [wp-base-dir]/wp-content/plugins/wp-password/login.php?err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination=&err=&destination= … etc.

    I believe that someone who shouldn’t be let near a keyboard set up multiple domain aliases for the site, which i guess is part of the problem…Could you explain how to use the debug querystring you mention so I can work out whats going on.

    Thanks for your time, and a simple & useful plugin nonetheless.

  16. I’m having that same infinite loop problem with my 2.6 install! but mine doesn’t tack on the destination every time, it just constantly stays at:

    Weird. Can someone help with this?

  17. That was exactly what I was looking for!!

    Thank you so much. I’ve activated it and it works perfectly!!

  18. I have installed this today, but on login it asks for a name? and the password I used does not work?

    Thx for any help

  19. Need help with your password plugin. I am using it on a website to protect a “Members only” section. How do I modify the code so that it goes directly the protected page, instead of the website home page? People are getting confused and thinking it is not taking their password. Thanks.

  20. Do you have plans to make this compatible with wordpress 2.6?
    It seems it no longer works properly. 0.4.7 keeps asking for the password whenever I want to upload files (like pictures) and keeps asking so can’t upload pictures. Tried 0.3 on wordpress 2.6, and it works but doesn’t seem to use the new wp-admin CSS so looks very ugly.

    I really love this plugin, and been using it for a long time on wordpress 2.2. Makes me want to go back to 2.2 just to use the plugin. I really hope you get a chance to update it. I’ve thought about using user authentication, but I’ve got family that are too computer illiterate that a “password only” method is so much better.

  21. At post 222, Ollie sez: I tired out the plugin on a local WP 2.6 install and it worked a charm.

    Then at post 229, iggy states: Do you have plans to make this compatible with wordpress 2.6?

    I’m attempting to show a Parent Page in the sidebar, but password protect the child pages beneath it for a Member’s Only application. I have to work with my hoster and need to give him everything rather than upload and control it myself. Before I go give this to him and blow the whole thing up, I would like to know if vers 0.4.7 is or is not compatible with WP 2.6.2, please?

  22. I’m having a hard time figuring out how it doesn’t work in 2.6.2. It works for me. I just upgraded an old WP 2.5 install to 2.6.2 to test it.

    Downloaded the file, unzipped & uploaded to my plugins directory.

    Activated the plugin, set a password, set the “include” option, added a url to my list and then tested.

    Except for a case of “fugly”, it worked.

    So I would say it’s not *quite* 2.6.2 compatible, but only because it’s ugly. Functionally, it appears to be 2.6.2 compatible.

    As to the looping redirects: I’m not sure what’s going on there. Haven’t encountered it myself, but that may be a lot to do with masking blog names via .htaccess redirects/rewriting, etc. Could also be caused by overlapping rules, maybe… haven’t sunk much thought into it. I don’t have an example to test with to figure it out, and that makes it harder.

    I’ll look into it a little. More info is welcome.

  23. Anybody feeling brave?

    I just searched my hard drive for an old version to see where I’d left last development at,and found v0.5 nearly ready for release.

    So I’ve updated the login page, zipped it up and left it here for the adventurous. It didn’t destroy my install… but I’d install it on a test setup first, if I were you. if you like it and it seems to be okay… backup and try it on a real blog instance and tell me it’s successes and failures.

    It does NOT protect against showing a protected blog’s content on the homepage of your site, as WP allows you to do. I think that’s why I never released it before… open to ideas on that one.

    v0.5 BETA!

    No warranty of fitness for purpose is expressed or implied. If your webserver implodes, I never heard of you πŸ™‚

  24. JB –

    Oh, how I wish I had a test system! I’d certainly give this a whirl. My hoster would probably not appreciate it if I hosed the install. You don’t know how loooong I’ve been looking for a plugin like what I think this is. I really really really need something to password the members only material. We don’t want our “stuff” out there for all eyes, just our eyes. Flexi-Pages almost gives us what we need – almost… Flexi-Page hides the child(ren) successfully but as soon as you click the parent, Flexi-Page kicks in with a password prompt -but- the child immediately shows up in the sidebar and it’s clickable. And that’s a problem. I would love to try this but I believe I should ask our hoster first. I will try to let you know ASAP.

    Thanks for taking the time. And, I hope this works out.

  25. JB –

    Thanks for the update! And thanks for your time and effort.
    I just tested v0.5 beta on WordPress 2.6.2 w/ the Japanese language files.
    The quick results were this>

    Warning: strpos() [function.strpos]: Empty delimiter in /folder/wp-content/plugins/wp-password/wp-password.php on line 649

    Warning: Cannot modify header information – headers already sent by (output started at /folder/wp-content/plugins/wp-password/wp-password.php:649) in /folder/wp-includes/pluggable.php on line 770

    Header already sent errors often happen when there’s an file encoding problem on unicode pages. So it might be because I’m using the Japanese language files. I tried the login.php from 0.5 with the wp-password.php from 0.3, and this combination seems to work great. Just doesn’t have the new features from 0.5…

  26. I guess at this point, I’ll stop trying to use it until we hear more from JB about a fix…

  27. @iggy – this is confusing, at 234 you seem to say 0.5 isn’t working (Japanese language pak) and at 235 Dan H seems to agree it isn’t. Then today 0.5 beta works great. So, I’m confused – is 0.5 beta password plugin working or is there somehow a typo in one of your posts perhaps???


  28. Hoib –

    Sorry for the confusion.
    There are two files in wp-password.
    The login.php from 0.5 beta works great, and wp-password.php was giving me errors. So I was using the 0.5 login.php with an older wp-password.php.

    JB –

    Thanks for the quick update!!!
    I’ll give it a try and let you know if I experience any problems.

  29. OK iggy – I appreciate your reply. I’ve given our webhoster the files and now must await his upload/setup. I do not have that level of access to his server (and I probably don’t want it either!!!!) And again to JB, if this works like I think/hope it does — GOLDEN!!!

  30. getting wp_user error, call to undefined function. I also cannot get into the site after entering the password. I am using 2.6

  31. Rob, you did not mention what version of the plugin you’re using. That would be helfpul, as there’ve been some updates here (they’re not on the WP plugins site yet).

    I did see/remove some wp_error calls in the login.php script with my latest versions because they weren’t playing well with the plugin in version 2.6.2. Could be similar to what you’re seeing, and a good cause to try the latest version released in these comments.

  32. i’ve been using your plugin for a while now and it’s been working great. can i request a feature? (unless it’s already there and i don’t know about it). is there a way to add text to the login page. for example:
    “You have arrived at the Smith Family Blog. If you would like access to our blog, please send an email to xxxxxx@xxx for the password.”

    well, the words aren’t important, just looking for a way to provide people who arrive at my site via blog hopping to have a way to access it.

  33. @Ikaika: Requests are always welcome.

    The login prompt is a simpler (read: I deleted a lot) version of the wp-login.php page for the current 2.6.2 version. You can edit it however you want to, until I get around to making it somehow read a field or display your own html… but even if I did that, you’d still have more flexibility editing the file yourself. πŸ™‚

  34. Is there a way to set the plugin to take the visitor to the password protected page after they enter the password-instead of the homepage?

    plus I am also having issues after I enter the password it takes it then I have to navigate back to that page and it asks me to enter it again?

  35. @Mike: Redirecting to the protected page is what it’s supposed to do. You can verify this – check the url when you get directed to the login page – it should contain something like dest=(original url).

    Your second issue sounds like you might not have cookies active in your browser. Maybe?

  36. thx for the reply JB,

    Well, on my main computer I cant even get it to log out-whether I use the logout code in the URL or wipe cookies and close the browser. So I was using a different computer and that’s where the strange re-direct behavior and cookies issues were coming from. I just checked the cookies on the other machine and that was the problem-but it is still re-directing to the home page and not attempting to go to the password protected page?

    any ideas?

  37. Yea, it appears to be working as intended on several computers I have tried EXCEPT for re-directing to the home page…

    …this plug-in is PERFECT for what I need it to do-if anyone has any ideas for a solution I would be grateful!

Leave a comment

Your email address will not be published. Required fields are marked *