The WordPress Password Plugin

MAJOR Update, May 11, 2010:

I’ve pretty well ended support of this. I’m not intentionally avoiding emails or comments, I’m just out of time and need to make you aware there’s a better way.

I’d like to encourage you *not* to use the WP-Password Plugin. Here’s why: it doesn’t protect items in feeds, it can be broken by future WordPress versions, it doesn’t protect media/videos/images in your feeds (only pages powered by WP), and at last check, changing WP to do what I want the plugin to do really jeopardizes the security of all other things WP. I just don’t want to do that to you.

Instead, I recommend using .htaccess to protect the directories you want people to see. Here’s a good tutorial on it:

If I am going to do anything else with the plugin, it will be a re-write to help people create their own .htaccess rules.

NOTE: There’s a newer version of this plugin than this page contains. See WordPress Password 0.6.1.

The other day I got asked if there was a way to password protect a WP blog where the author didn’t have access to .htaccess, didn’t want to create users, send/remind them of their passwords, or manage post security levels. “I just wanna password protect the damn thing. Is that so hard?” Well, at the time, yes. It was. But not anymore!

It took me a couple days to perfect, but here’s my second WordPress plugin.

Download the WordPress Password plugin (version 0.4.7): 9kb

When you add the plugin to WordPress 2.0 or later, it’ll create a new Options sub-menu called WordPress Password where you can assign a site-wide password to all your WordPress generated posts and pages, and exclude certain pages from that requirement as well.

More about how it works:

  • When the plugin is inactive, or active but a password has not been set, no password is required.
  • The password gets reset automatically when the plugin is activated.
  • Your WP-Admin Administrator password is still required to reach your WP Admin. This WP-Password plugin just adds an extra layer of password requirement before you can reach WP-admin (remember, it affects ALL WP powered pages).
  • When you log in, a session-length cookie is set in your browser that signals the plugin to let you pass.
  • If you don’t already have the cookie and aren’t on a page Excluded from the password, you’re shown a login form.
  • If you close your browser and come back, you have to re-login.

Forgot Your Password?

  1. FTP into your plugins/wp-password folder
  2. Delete wp-password.php
  3. Log in to your wp admin, view the plugins page
    (notice WordPress Password is missing now)
  4. Re-upload wp-password.php
  5. Re-activate the WordPress Password plugin.
    Activating it resets the password.
  6. Visit Options | WordPress Password and set a new password.

Version History

  • 0.4.7 2008-01-25 – Fixed a bug introduced in 0.4
    • Added “alias” method of working on blogs where the url isn’t the same as the WP url (.htaccess hacks, etc)
    • Fixed the case where the site was on “/” and previous versions would strip “/” from the url to check and break (that was a rather stupid bug, no?)
  • 0.4 2008-01-09 – Fixed use for sites not on port 80
    • Changed redirection code from header to javascript
    • Fixed use for sites aliasing the blog directory
  • 0.3 2007-02-24 – Added Logout and Include/Exclude features per request.
    • Logout option: visit any WP powered url of your site with this value pair in the querystring: wp-password-logout=true
      The logout function clears any cookie password value saved and then refreshes the browser. Links to log out can be created as: <a href="?wp-password-logout=true">Log out</a>
    • Include/Exclude feature: Added the choice to either Exclude certain urls from password protection (past and default mode) or Include certain urls (excluding all others). This is controlled by the Exclude/Include radiobutton in the admin page.
  • 0.2 2007-02-02 – Bug Fixes.
    • Excluded items weren’t forced to match beginning of urls, so it was possible to see protected urls by adding a querystring that included an excluded url. Bad.
    • Some special regex characters weren’t properly escaped when evaluating exclusions ( . ? etc)
    • Added wp-password-debug=1 querystring option for troubleshooting what’s happening on a page. Ruins redirects, but useful.
    • Added checking for the ‘www.’ or ” prefix before a domain name (i.e. vs
  • 0.1 2007-01-31 – Initial (public) release.
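
The two 0.2 fixes above (exclusions forced to match the beginning of the URL, regex characters escaped), sketched as an added example. This is not the plugin's own code; the function names, exclusion rules and request URIs are constructed for illustration.

```php
<?php
// Added illustration, not code from wp-password.php. Function names, rules
// and request URIs are constructed for this example.

// Pre-0.2 behaviour as the changelog describes it: each exclusion is used as
// an unescaped, unanchored pattern against the whole request URI.
function is_excluded_loose(string $requestUri, array $rules): bool
{
    foreach ($rules as $rule) {
        if (preg_match('#' . $rule . '#', $requestUri) === 1) {
            return true;
        }
    }
    return false;
}

// Hardened form: look at the path only, escape regex metacharacters, anchor
// at the start, and require a path-segment boundary after the rule.
function is_excluded_strict(string $requestUri, array $rules): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false; // unparseable URI: fail closed, keep it protected
    }
    foreach ($rules as $rule) {
        $rule = rtrim($rule, '/');
        if ($rule === '') {
            continue; // a bare "/" rule must not exclude the whole site
        }
        if (preg_match('#^' . preg_quote($rule, '#') . '(?:/|\z)#', $path) === 1) {
            return true;
        }
    }
    return false;
}

$rules = ['/wp-admin', '/faq.html'];   // constructed exclusion list
$requests = [                          // constructed request URIs
    '/wp-admin/index.php',             // legitimately excluded
    '/members/?from=/wp-admin',        // excluded URL appears only in the query string
    '/faqXhtml',                       // loose match only because "." is unescaped
];
foreach ($requests as $uri) {
    printf("%-26s loose=%-5s strict=%s\n", $uri,
        var_export(is_excluded_loose($uri, $rules), true),
        var_export(is_excluded_strict($uri, $rules), true));
}
```

Even with strict matching, the check only covers pages rendered through WordPress; feeds and directly served media stay outside it, as the update at the top of this page notes.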

If you have any questions, ideas, comments, suggestions, praise or rants about the stupidity of passwords on blogs… comment below 🙂

Join the Conversation


  1. fixed that. now my problem is that it doesn’t redirect to the page requested after login

  2. Hi,

    I am about to set up a blog (using WordPress hopefully) and would like to give different users (clients of mine) access to different areas of the blog. I would like to give each client a username & password to enable this to happen. Is this possible and, if so, is there an idiot’s guide to getting this set up?

    I have a hosted domain name and presume I’d have to go with the premium version of WordPress. Am I correct?



  3. Does anyone know how to alter this code so that I can input multiple passwords that would work? That way I can ask a few questions, allow for misspellings, not worry about case-sensitivity, etc?)

    Thank you!

  4. Using WP 2.8.4 and having the same issue where it won’t redirect after login. Is there a fix??

  5. @jana – just today I put out version 0.6.1 (it got a shiny new post and everything) to fix that problem.

  6. Hi JB,

    By the looks of it your plug in is just what I need. I don’t want to mess with users, just need one password to protect some pages for my members’ area.

    I have downloaded and activated the plugin, I tried a basic password, and “includes” as I have only a few pages to include at this stage.
    I included the file /member_area.php and then saved password options, and nothing seems to be happening at all.

    I don’t think I’ve missed anything, can you shed any light?

    Much appreciated.

  7. @Belinda,

    The WP Password plugin only works on pages powered by WP. If member_area.php isn’t using the WP function the_content() to display the page, this plugin won’t help at all. Hope that clears up why it’s not doing anything.

  8. Thank you for the great program!

    For some reason after I installed the plug-in, I cannot access my site or my wordpress admin login. I get this message:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Any help would be appreciated!

  9. @Jason: If you installed this and then started getting errors…er, that’s not a great program. 🙁

    What version of WordPress are you running?

  10. this plug-in is awesome,

    I am constructing a site for a group that needs to be able to “log-out” once finished with the blog as majority of the editing will be done on public computers at a university. I want to prevent someone else going onto a computer in which the site was previously logged into and thus being able to access it without having to know the password. Any ideas for a “log-out” link to place in the blog??

  11. Wanting to not allow access to (pages/posts) regardless of how someone arrives, directly or via RSS. I seem to be able to bypass the password screen via an RSS feed. Also there was a rule by default that was there when installed. It was accidentally changed and I can’t get it back, even by de-installing/re-installing it remembers the new modification. Please advise.

  12. @Andy, not aware of any problems with this and the current version of WP. Got something particular in mind?

  13. @Josh, There are instructions in here somewhere for creating a log-out link. I know I left them in one of these posts.

  14. @Jeff: RSS is definitely a problem. Someday when I’m so independently wealthy I don’t have to work for a living, I’m going to rewrite this plugin to take better advantage of WP’s existing code that comes close to the ability to do this… but doesn’t go all the way (for security reasons, I’m sure).

    The default rule should’ve been to exclude wp-admin in urls, so your access to the admin pages of WP isn’t hampered.

  15. Where can I download the newest version with css fixes? Thanks for sharing this plug in with us.


    @jana – just today I put out version 0.6.1 (it got a shiny new post and everything) to fix that problem.

  16. Hello,
    I installed the plugin, activated it, and went to the configuration page where I entered a password. I tried to open my website, and it stalls. The status bar reads “connecting” and “waiting” back and forth continuously, and it never reaches any page or displays any error. I can’t access my dashboard or the FTP folders at this point either. Any suggestions?
    Thank you,

  17. Hi. I have to report a problem: as soon as I activate the “WordPress Password” plugin, my flash-image upload stops working. My wp version is 2.9.2. Do you have a hint for me, so that I can make it work?

    Thanks, alex

  18. HELP ME
    I just locked out the blog.
    I was setting up the plug in, then made changes to it,
    after I read your page here,
    so I wouldn’t exclude the wp-admin pages.
    it saved the changes.
    now even though I have changed the plug in, the site can’t be reached. I can’t get any page, other than the ones I was at before I messed w/ this plug in.
    All attempts to do anything at all, send the browser into a seek mode, never finding the extremely long URLs the plug in has made.
    In essence I have blocked my Client’s blog!
    please send help ASAP,
    thanks K

  19. Had the same probs as some of the above – total lock out. Not even sure how to begin to fix this. This plugin should be made unavailable if support has ended and it’s not compatible with latest WP versions!

  20. bob:

    Had the same probs as some of the above – total lock out. Not even sure how to begin to fix this. This plugin should be made unavailable if support has ended and it’s not compatible with latest WP versions!

    I entirely agree. But I could find NO info from about how to do that. Frustrated.

  21. On a new/fresh install of WP, it works for us but on a copy of live board that has been upgraded over the years, it locks. Hmm. Maybe some importing is in order but that what might happen on an upgrade?

    We’ll tinker around with it and see if it will behave. Thanks.

  22. Your Password Plugin fills an important Niche.
    I need your plugin even if it isn’t perfectly secure.
    I don’t want to deal with the Htaccess files.
    Your plugin gives a quick solution for many people – that need a quick password protection, and don’t need Fort Knox security.

    Please reconsider keeping your development going.

    Thanks for your excellent work on your product!
