Prevent careless visitors by locking your site down with a PIN
If you log into WordPress, you don't need a PIN.
No, search engines won't index the site while it's locked with a PIN.
No, it can be any number of digits. In fact it can use numbers, letters and punctuation like any password, but people are in the habit of thinking of a PIN as a few digits.
Immediately change the PIN, and disable that person's user if they have one. And be more careful in the future!
Note that even the lowest level of user (typically Subscriber) still has access to the site, so you have to disable somebody's account entirely to stop them logging in.
Yes, you can set a custom message to display on the PIN entry screen. But giving a hint can be dangerous because an attacker may be able to work it out. An example of a bad PIN would be something like "our address" or "the year the company was started" since that's information anybody could find out. A better hint might be "the same as the PIN on the warehouse door" because only employees should know that.
Only administrators can change the PIN. Any contributor can see the PIN.
If you want to adjust WordPress' permissions with code of your own, the ability to edit the PIN uses the
permission while the ability to read the PIN uses the