Password Protect All Post Content

I recently used the built-in WordPress protected visibility status in a project where information security was very important. This handy and little-used feature does a great job securing content and providing user access on a basic level but has some pretty serious security holes if you hope to use it for anything more advanced. These include:

  • The identification cookie is stored in the user's browser insecurely
  • The identification cookie is stored for 10 days without requiring the user to re-enter the password
  • Only the post content is protected; any additional meta on the page will be visible to unauthenticated users

I am only going to be covering the last of these issues today. If you are interested in hearing how I solved the other issues, let me know and I can do a follow-up.

The Template Solution

The solution that I landed on to protect ALL post content is to run a check on template_redirect. If the current post is password protected and the user does not have an authentication cookie, then use a different template (which we will create) that only returns the_content(). This way, WordPress will only show the login form and not any of our custom meta. Your function should look something like this:

It is important to note that this solution is intended for single post pages. If you have custom meta that shows on the home or archive page, you will want to take this concept, but instead of using the template_redirect hook, run a check in your archive loop and use a different template accordingly.
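One way to write the template_redirect check described above. This is an added example, not the author's original function: the function name example_protect_all_post_content is hypothetical, and protected.php in the theme (or child theme) root is assumed as the template name, following the comments below.

```php
<?php
// Added example (not the post author's code). Goes in the theme's functions.php.
// Assumption: the stripped-down template is saved as protected.php in the
// theme or child-theme root.
add_action( 'template_redirect', 'example_protect_all_post_content' );

function example_protect_all_post_content() {
    // Only single post/page views are handled here; archive and home
    // loops need their own check, as noted above.
    if ( ! is_singular() ) {
        return;
    }

    // post_password_required() returns true when the post has a password
    // and the visitor's post-password cookie is missing or does not match.
    if ( ! post_password_required( get_queried_object_id() ) ) {
        return;
    }

    // Ask browsers and proxies not to cache the password form response.
    nocache_headers();

    // locate_template() checks the child theme first, then the parent
    // theme, and returns an empty string when the file is not found.
    $template = locate_template( 'protected.php' );

    if ( '' === $template ) {
        // Fail closed: without the protected template, the normal single
        // template would render the custom meta to an unauthenticated visitor.
        wp_die(
            esc_html__( 'This content is password protected.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Render only the protected template, then stop so WordPress does not
    // go on to load the regular single template.
    include $template;
    exit;
}
```

For the password form to appear, protected.php still has to call the_content() inside the loop.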

Our Custom Protected Template

Now let’s create the template that the protected page will use. I have a pretty bare sample below. I would recommend duplicating the template you are using for single content and removing all the custom fields, leaving only the_content(), which is what WordPress uses to display the login form.

Here is my example:

That’s all; now your entire post content is safe. As always, please leave any comments or questions below.

2 comments

  1. Mike M. says:

    This seems to be exactly what I need for my situation. I have a heavily customized template that I am using for many pages for different teachers to log into. It is password protected, but the caveat is that I have no the_content() at all in the page. The only thing that exists in WP Admin is a page with no content listed. Therefore, I need another way to block the content until a password is present. I created a template page called protected.php and placed it in my child theme top level. I then placed the function in my functions.php (again, using a child theme functions.php), but I still get no change. What am I missing here? Thanks.

    Mike

    • Tanner says:

      Hey Mike! I just updated the files here as I realized some of the info had disappeared. The important piece that was gone is that the protected.php template needs to have the_content() in it. This is what WordPress uses to show the password form. Let me know if this works.
