I recently used the built-in WordPress "password protected" visibility status in a project where information security was very important. This handy and little-used feature does a good job of locking down content and gating access at a basic level, but it has some serious gaps if you hope to use it for anything more advanced. These include:
- The identification cookie is stored in the user's browser insecurely
- The identification cookie is kept for 10 days without requiring the user to re-enter the password
- Only the post content is protected; any additional meta on the page (custom fields, thumbnails, related items, and so on) is visible to unauthenticated users
I am only going to cover the last of these issues today. If you are interested in hearing how I solved the other issues, let me know and I can do a follow-up.
The Template Solution
The solution that I landed on to protect ALL post content is to run a check on template_redirect. If the current post is password protected and the visitor has not yet supplied the correct password (that is, post_password_required() returns true; it validates the wp-postpass_ cookie against the post's password, so the mere presence of a cookie is not enough), then load a different template (which we will create) that outputs nothing from the post except the_content(). While the post is locked, the_content() renders only the WordPress password form, so the page shows the login form and none of our custom meta. Your function should look something like this:
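As an added example (this is not the snippet from the original post), here is the hook as it would sit in a theme's functions.php. The template file name single-protected.php, the my_theme_ function prefix, and the meta key names are assumptions for illustration; the WordPress functions it calls are real. The last helper is the per-post check you would call from an archive or home loop instead of echoing meta directly.

```php
<?php
/**
 * Added example, not the original post's code.
 * Sends single views of a locked post to a bare template that prints only
 * the_content() (and therefore only the password form) until the password
 * has been entered.
 */

/**
 * True when the visitor still has to enter the password for $post.
 * post_password_required() does the real work: it reads the wp-postpass_
 * cookie and checks its hash against the post's password, so a forged or
 * stale cookie does not count as authenticated.
 */
function my_theme_post_is_locked( $post = null ) {
    $post = get_post( $post );
    return $post && '' !== $post->post_password && post_password_required( $post );
}

/**
 * On a single view of a locked post, load single-protected.php (assumed
 * file name) and stop before the normal template, and the meta it prints,
 * is ever reached.
 */
function my_theme_protect_single_template() {
    if ( ! is_singular() || ! my_theme_post_is_locked() ) {
        return;
    }

    $template = locate_template( 'single-protected.php' );
    if ( '' === $template ) {
        // Template missing: fall through to the normal one instead of a blank page.
        return;
    }

    load_template( $template );
    exit;
}
add_action( 'template_redirect', 'my_theme_protect_single_template' );

/**
 * For home and archive loops: print a custom field only when the post is
 * unlocked. Call this inside the loop in place of echoing get_post_meta()
 * directly; $key is whatever meta key your theme uses.
 */
function my_theme_the_meta_if_unlocked( $key ) {
    if ( my_theme_post_is_locked() ) {
        return;
    }
    echo esc_html( get_post_meta( get_the_ID(), $key, true ) );
}
```

The same check can instead be done by filtering template_include and returning the alternate path, which avoids the explicit exit; the template_redirect version above matches the approach described in this post. Either way, the decision is made from post_password_required(), never from the raw cookie.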
It is important to note that this solution is intended for single post pages. If you have custom meta that shows on the home or archive page, take the same concept, but instead of using the template_redirect hook, run the post_password_required() check inside your archive loop and skip (or swap the template part for) the meta accordingly. The same applies anywhere else the meta is output, such as feeds or search results: a template swap only covers the single view.
Our Custom Protected Template
Now let's create the template that the protected page will use. I have a pretty bare sample below. I would recommend duplicating the template you are using for single content and removing all the custom fields, leaving only the_content(), since that is what WordPress uses to display the login form.
Here is my example:
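As an added example (not the template from the original post), here is a minimal single-protected.php of the kind described above. It assumes the theme's usual header.php and footer.php; the file name and the markup classes are illustrative.

```php
<?php
/**
 * Added example, not the original post's file.
 * Bare template for a locked post: title, the_content() and nothing else.
 * Save as single-protected.php in the theme (assumed name, matching the
 * template_redirect hook that loads it).
 */
get_header();
?>

<main id="primary" class="site-main">
<?php
while ( have_posts() ) :
    the_post();
    ?>
    <article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
        <h1 class="entry-title"><?php the_title(); ?></h1>
        <?php
        // No custom fields, thumbnail, author box or related posts here.
        // While the post is locked, the_content() prints only the WordPress
        // password form (get_the_password_form()), so this is the whole page.
        the_content();
        ?>
    </article>
    <?php
endwhile;
?>
</main>

<?php
get_footer();
```

One check before calling it done: load a locked post and view the page source. Anything hooked to wp_head or wp_footer (SEO and social-sharing plugins in particular) can still print post data into the head or sidebar, and that output does not go through this template. If you find post meta there, gate those hooks with the same post_password_required() check.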
That's all. Your custom meta on the single view is now hidden until the password has been entered, along with the post content WordPress already protects. As always, please leave any comments or questions below.