Members Only is a WordPress plugin that allows you to make your blog only viewable to visitors that are logged in. If a visitor is not logged in, they will be redirected either to the WordPress login page or a page of your choice. Once logged in they can be redirected back to the page that they originally requested. You can also protect your feeds whilst allowing registered user access to them by using Feed Keys.
- Fixed a problem when there is no Feed Key with a call to an undefined function
add_usermeta. Changed it to the correct
- New Feature: Added redirection option for users who login directly to
wp-login.php. You can now choose to redirect them to the Front Page or to the Dashboard as normal.
- New Feature: Added the ability to grant a one-time view to your blog from an Administrator’s IP address allowing XML RPC applications, such as WordPress for iPhone to be able to login.
- New Feature: Added the ability for Administrators to remove a User’s Feed Key as well as reset it.
- Fixed a problem with Feed Keys not working in all situations due to a typo.
- New Feature: Added the option of requiring Feed Keys even if the user is logged in.
- Changed the way Feed Key errors are display to the user. They no longer are displayed as a WordPress Error, Members Only now creates an RSS feed with the error in it.
- Fixed a bug where redirection to
wp-login.phpcaused a redirect loop when WordPress was installed in different folder to the site URL.
- Fixed some admin page style issues with versions previous to 2.5
- New Feature: Added Feed Keys to give users unique URLs for your blog’s feed.
- Added the display of a user’s Feed Key in their profile, and you can choose whether they can reset it or not.
- Rewritten how feeds are protected by Members Only in order to use Feed Keys.
- Improved setup function for future development and features.
- Improved where how function behaves when Members Only is turned off rather than the plugin is deactivated.
- Fixed a bug where redirecting to a specific page was causing an endless redirection loop.
- Simplified redirection logic and made it simpler. Using
template_redirectno longer requires the plugin to exclude
xmlrpc.phpor anywhere in
wp-adminfrom being inaccessible, or to check if page is a 404.
wp-feed.phpto the list of files in the function that restricts access to feeds.
sprintffrom the variable that gets the current URL.
- Added functionality making RSS feeds inaccessible. Calling the plugin at
wp_headin previous versions made the feeds accessible without being logged in.
- Added the ability to toggle whether RSS feeds are accessible to the settings page.
- Changed where the plugin is call from
template_redirectwhich fixes an error where in some situations WordPress would give an error saying
Warning: Cannot modify header information - headers already sent...
- Rewrote some functions in the plugin to make them tidier.
- Improved security on checking URLs. Replace all
preg_matchand replaced with
strposexcept checking for wp-admin URLs.
- Added checking for 404 pages. They now redirect to the login page too.
- Change where the plugin is called from
wp_headotherwise 404 pages can’t be redirected. If this causes problems, like the ‘Cannot modify header information’ error you can change this back to
initbut a 404 page will be able to be seen as normal.
- Actually fixed the critical flaw in the
preg_matchused to check the url highlighted by mrgreen. The fix in 0.4 didn’t work full as you could still add the full url of wp-login.php as a variable and bypass the check. The
parse_urlto only check only the path of the url and nothing else. All users using Members Only should upgrade to version 0.4.1 as soon as possible to avoid this flaw being taken advantage of.
- Fixed a critical flaw in the
preg_matchused to check the url highlighted by mrgreen. All users using Members Only should upgrade to version 0.4 as soon as possible to avoid this simple flaw being taken advantage of.
xmlrpc.phpfrom being protected by Members Only.
- Tweaked Settings Page to suit WordPress 2.5
- Fixed an error where in some situations WordPress would give an error saying
Warning: Cannot modify header information - headers already sent...
wp-admin/*from being protected by Members Only.
- Exposed the page the visitor original requested so it can be used as a global variable (
- Added the ability to specify the page to redirect to, and the ability to turn off the redirection to the requested page.
- Initial release.
The settings for Members Only are extremely simple. You have a check box that will toggle whether your blog can be access by visitors with or without logging in. The default setting allows visitors to visit your blog as normal.
If you choose to make your blog only accessible to visitors that are logged in, a visitor that isn’t logged in will be redirected to either the WordPress login page or a specific page of you choice. This choice can be selected via a drop down menu. You can enter the specific page to redirect to at the bottom of the options page, but if this field is left blank, visitors will be redirected to the login page instead
If you chose to redirect to the WordPress login page, you can also decide whether once the visitor has logged if they will be redirected back to the page that they originally requested. This can be toggled with a check box.
You can also choose how you protect your feeds on you blog. You can choose either requiring Feed Keys, require users to be logged in or have your feeds open to all. Feed Keys allow your users to access your feeds using feed readers or other things that don’t login to WordPress.
Members Only can also protect you feeds in two ways. You can either require user’s to be logged in to the site to be able to access your feeds, require users to use Feed Keys to be able to access your feeds or have no protect on your feeds allowing anyone to access your feeds.
What are Feed Keys?
Feed Keys, are unique 32bit keys that are added to your blog’s URL in order to give every registered user a custom feed URL.
A Feed Key looks something like this:
This is then appended to the feed url for your user in their User Profile, like the examples below, either without permalinks…
…or with permalinks
When a user visits a feed on your site, Members Only checks to see if there is a Feed Key in the query section of the feed URL and checks whether it is stored in the @wp_usermeta@ table of your WordPress database. If it finds the Feed Key in the database it allows access to the feed, otherwise it presents the user and error. An error will also be give if no Feed Key is found in the feed URL.
How and When are Feed Keys Generated?
A Feed Key is generated by creating a 32bit random alpha-numeric-case-insensitive string that is then hashed against the user’s username, insuring that no two users can ever have the same.
Feed Keys are generated when the user logs in to your blog. If they don’t have a Feed Key, one generated for them and stored in the
wp_usermeta table in your database, otherwise they will use the one that is already stored in the database. An admin can also manually generate a Feed Key for a user by visiting there user profile and choosing the option.
If you allow it, users can also reset their Feed Keys from their user profiles or you can leave this to Admins.
Members Only now allows an Administrator to grant a one-time view from there own IP address. The IP is hashed with md5 and stored in the Members Only settings. Once the next visit from that IP address is recorded, the IP address is removed from the settings and your WordPress blog is protected as before.
XML RPC applications, such as WordPress for iPhone and other third-party blog editors to login to the site for the first time. Subsequent visit from these editors don’t require this visit as they know where the
xmlrpc.php file is, and this isn’t restricted by Members Only.
No known issues at this time.
If you find any bugs or want to request some additional features for future releases, please log them the projects tracker page
This section describes how to install the plugin and get it working.
- Download the archive and expand it.
- Upload the members-only folder into your wp-content/plugins/ directory
- In your WordPress Administration Area, go to the Plugins page and click Activate for Members Only
Once you have Members Only installed and activated you can change it’s settings in Settings > Members Only.