WordPress Password-Protected Posts

Following are a few quick tips for working with the built-in functionality to password-protect pages and posts in WordPress. WordPress allows you to add a password to any post or page, and hides the content of that entry until the visitor enters the appropriate password. Each password-protected page has its own unique password, and only one single password is used for that page (as opposed to “Private” pages, which require a user to be logged in with their own username and password for the site).

Providing the Password

When you first create the post, and modify the “Visibility” to make the post password-protected, you need to enter the desired password. However, I’ve noticed that the password is not automatically escaped quite the way you would probably expect (this may be a bug or it might simply be a limitation of the functionality, I’m not sure). Therefore, if the password you provide includes an apostrophe, you will need to escape that apostrophe with a back-slash when setting it for the post.

If you do not escape the apostrophe, WordPress will save the password without generating any visible errors. However, when visitors try to enter that password to view the post, they will get an error message indicating that the password was entered incorrectly.

As an example, if you want to use the password “jqu5'ay83” on a post, you will need to enter it as “jqu5\'ay83” in the post editing screen in order for it to work properly when the visitor enters it.

Verifying the Password Has Been Entered

Sometimes, you may have additional functions and features built into your theme that display extra content. For instance, in one of my themes, I have a function set up to display the list of attachments at the bottom of the page. Unfortunately, however, if the page is password-protected, that content will still display on the page by default, even if the password has not yet been entered.

To avoid this, you can use the built-in WordPress function “post_password_required().” The post_password_required() function was introduced with WordPress 2.7 and checks to see if a password has been set for the page. If no password has been set, it returns boolean false. If a password has been set, the function then checks to see if the appropriate cookie has been set, indicating that the correct password has already been entered and the post content should be shown. If the cookie is set, the function returns boolean false. If the cookie is not set, the function returns boolean true, indicating that the password still needs to be provided.

Therefore, you might use something like the following in your theme file.

if(!post_password_required($post->ID)) {
    // Do stuff that should only happen if the post is unprotected

Change the Default “Password-Protected” Warning Text

The default text that WordPress displays on a password-protected page is not extremely well-written. Therefore, a lot of people may choose to alter and customize that text. To do so, you simply need to add a new filter to your theme’s functions.php file.

The code you need to add is explained in a blog post by Peter Steinberger.

Removing the Duplicate Password-Protected Default Text

Another minor annoyance is the fact that, within the default WordPress theme (at least, the default WPMU theme; I believe it’s also in the default WordPress theme), the password-protection warning is basically duplicated. Above the password input box, you will see the WordPress-generated warning indicating that the post is password-protected, and asking you to enter the password before you can view the post. Then, under the password input box, you will see a second, very similar warning, explaining that you can’t view the post’s comments until you enter the password.

To remove this text, simply modify the Comments template (comments.php) and remove the following (this code block may differ based on the template you’re using).

	if ( post_password_required() ) { ?>
		<p class="nocomments">This post is password protected. Enter the password to view comments.</p>

2 Responses

  • George

    Ha – I spent the whole of yesterday afternoon working out this very solution. Wish I had seen you excellent article. Perfect – thank you very much!

  • The password protection for posts is a very useful feature, but certainly needs customisation. I can’t seem to find any documentation as to how to identify a post is password protected. There must be an attribute flag set somewhere, but I can’t find it!