Support » Plugins » Alternative to password-protection for light security?

  • I am setting up a wedding website using WordPress which the clients have requested to be semi-private. In other words, they don’t want just anyone to be able to see the site, but they don’t want guests to have to remember a password to see it either.

    The simple solution is to have first-time visitors (no cookie set yet) to be sent to a page that asks them to choose the name of the bride and the groom, say, from two drop-down lists. This is all the security required — doing so would set a cookie, so that future visits would not require such a “log in.” At the same time, the site would provide reasonable privacy from googlers etc. — though not extremely persistent people. But that’s enough privacy for them.

    Are there any WordPress plugins or installations that provide this kind of “challenge-response” security already? I imagine I could try to do something like this in PHP, but I’m not really a PHP programmer. Is there a framework similar to this setup somewhere I could alter?

    Any help would be appreciated!

Viewing 15 replies - 1 through 15 (of 17 total)
  • I recommend you set up a simple .htaccess password system. Just put a message that says to use bride for username and groom for password or something like that. You won’t need to touch the wordpress files that way

    So, keep your wordpress in it’s own directory, it will make this sooo much easier.

    For the main page on your site, put a link to visit the wordpress blog, and a message that they will need to use the first names of the bride for user and groom for password.

    now put a file (or add to the one that’s there) called .htaccess and put this in it.

    AuthUserFile .htpasswd
    AuthGroupFile /dev/null
    AuthName FRIENDS
    AuthType Basic

    <Limit GET POST>
    require valid-user

    then create a file called .htpasswd in the wordpress dir and put this in it:


    Substitute bride for the actual brides name, keep the colon, and substitute 342jkhl34kjh for the groom’s name converted to md5. You can use to enter the groom’s name and get the proper encrypted version.

    If the above has been done correctly, when they go to visit the site, a box will open up for their user and password. Their own browser settings will determine if the user/pass is remembered when they come back next time.

    You could simply password-protect the whole blog and allow only the guests to view the content. This can be achieved by locking the content and creating registered blog user(s) (no new news here).

    Hence you could just create one default guest blog user account with the password (or login) being the bride’s or groom’s name. Or you can let the guests registered themselves on the blog and set a default password to the one suggested above, if you want them to leave individual comments on the blog.

    There is a plugin called Angsuman’s Authenticated WordPress plugin which serves content to registered users only.

    Those are both great suggestions. Unfortunately, the clients would prefer a solution that doesn’t *look like* a password — also I think they’re afraid requiring one might scare off some of the less-sophisticated guests, since password popups still ask for “Username” and “password,” not “bride” and “groom.” They thought a simple mock-wedding invitation where you chose the name of the bride and groom from a popup menu wouldn’t make them look needlessly fussy (most wedding sites are public, after all). And silly me, I thought it wouldn’t be too difficult . . .

    I’ll take a look at the Angsuman’s Authenticated plugin. Maybe it could be altered to have the authentication served up by a PHP page? Or is there a simpler way?

    So how long is this site going to be up? In order to keep the public away, all you really need to do is make sure that no posts etc. are pinging services, and default the whole install to “don’t ping”.

    There’s really not much way for the general public to find a fairly private site. And with that in mind, might I suggest you wander on over to, and check out a hosted blog there where you can select as you acquire one that it should be “mostly” private….

    [Edit: entering one caveat…. most people these days understand the need for username and password to access quasi-private sites. I’m not sure of course of the general user-level (as to computer/internet acuity, I mean) of the bride’s and groom’s contacts, but unless these people are a: EXTREMELY public people (ala Tom Cruise and whatsherface and the kid); b: EXTREMELY wealthy (Warren Buffet?); c: much older, and with little ‘net experience (and their friends and family are ditto) – I just can’t see how entering the bride’s name or groom’s name for the password etc. can be a huge problem. Maybe you need to revisit the whole scenario with them?]

    Adding to vkaryl’s first suggestion (no pinging), you should also put a Robot.txt file which tells Google and other search engines to ignore your page / folder / URL. Look up how to make Robot.txt on google, it’s easy. Without this, Google might index your site even if you don’t ping; for example, google finds the URL if one of the wedding guests links it on another site or posts it on a forum.

    More generally… I think it’s funny how we, on the forum, sometimes tell the person they shouldn’t do what they want, instead of trying to help accomplish what they want; probably more because our knowledge doesn’t satisfy the question, not that the question was necessarily hard in the first place. Dougo, personally I can see many reasons why you might want to do what you asked for, and I think you should pursue it as do-able (simple, probably — if you think about Online Quizes where, if you give the Right answer you go to the next question > if you give the Wrong answer you get sent to a You Lose page).

    ? I wasn’t telling the OP he shouldn’t do what he wants – just pointing out that for a site which might be up only 2 or 3 months, there’s absolutely no need to jump through flaming hoops…. unless the client is someone like Warren Buffet or Harrison Ford (in which case, lucky web designer – or not…. money doesn’t actually make up for everything….)

    In a couple of months, very little is going to land in the SEs that will damage anything. Just ask anyone who’s TRYING to get a decent listing on the SEs in a couple of months.

    ok, here’s a dumb suggestion. put up a page of links. sally & bob, jane & joe, grizelda and gilgamesh, etc. click the wrong link, you go to or sesamestreet or whatever. click the right one (the couple’s names), you go to the blog. combine that with a robot.txt file to stop the indexing, and you’ve it sort of hidden from casual surfers. you could also make that popup lists if you prefer.

    there is a conflict between wanting some privacy, but not authenticating viewers. I think doing something unusual for this will actually be more difficult for the novice users that you’re concerned about. because it’s so common to have to enter a user/pass on the net, i really believe this will be better understood than an unconventional method. I design websites for a living (I bet a few of us can be confused of that!), and based on my experience with many computer phobic folks (many of my customers), a standard password system is easily understood by all of them. I’m just offering that as food for thought. I’m suggesting that your efforts to make it easier may have the opposite effect if you’re not careful.

    Everyone: Thank you for the suggestions and interesting discussion. I think the robot.txt and no-pinging suggestions especially are very good and I will certainly implement them, though I don’t think that they’ll solve the entire problem by themselves. The clients said they wanted the site to be up for a year or so (for photos and thank-yous after the fact), certainly long enough to gain some links and as a result, indexing from search engines, which is what they said they didn’t want. They aren’t celebrities or super-rich people by any means — mostly I think they just want their site to be visible to its intended audience only. Having two popups listing maybe 15 names each means maybe just a mild deterrent to people who really want to get by the curtain (15×15=225 possible combinations), but mostly it should keep out search engines even after somebody links.

    I’m going to work a little and outline the logic behind the code I’m envisioning so it’ll become more clear, and maybe someone who knows PHP better than I do (that’s most people here, I presume) can help me figure out how to code it, or figure out what template to attach it to, since it sounds like there isn’t a ready-made solution for this “mild security” situation.

    Okay, here’s a rough outline of the PHP programming I think would be necessary to accomplish what these people want. I apologize in advance for the pidgin flowchart language. As I look at it, the problem seems pretty trivial. So I’d appreciate some help: would this work? Any logic or coding help would be appreciated.

    In Header of every page (WordPress header file for template):
    PHP code that asks:
    Is “knowscouple” cookie set?
    If no, redirect to Invitation page.
    If yes, proceed with serving this page.

    Invitation page:
    This page is a form, which sends results to a page called ProcessInvitation.
    Form looks like a wedding invitation, but in place of bride & groom’s names are two popup menus.

    ProcessInvitation page
    PHP code that asks:
    Do the values for bride and groom match the actual names of bride and groom?
    If no, redirect to some other page (maybe a search-engine page with “wedding” and chosen names as arguments).
    If yes, set the “knowscouple” cookie, and redirect to home page.

    I think that’s it. Am I missing anything?

    that looks like it would function.

    that should also block the google’s of the net from indexing the site actually

    So I’ve been studying my PHP books and I think I can code all of this . . . except one small part still confuses me. How do I do the “redirect”? Both the one in the header of every page and the ones in the ProcessInvitation page (as outlined above)?

    From what I’ve read online, there’s a javascript method for redirects, but I’d rather not rely on that. Maybe it’s not an actual “redirect” I’m after. It’s more of a “stop processing this PHP script immediately and go to this one instead.” Any hints on how to do that?

    Hmm. Would that be the “exit;” function? Not sure, I think I need to go back to php school….

    all you need do is put a php if in your theme’s index.php.

    you’re testing for the cookie. if you got it, return the everything already in the index.php

    if no cookie, return the invitation page.

    no redirects needed.

    um, it occurs to me you are thinking in terms of separate pages. although it may have different content, it’s probably easiest to generate each different page of content from the same place, your index.php in your theme. this will be upgrade proof should you update wordpress at any point.

    Thanks! That would mean index.php would become a giant if-else statement, with most of the page stuck after the else, right?

    That solves only half the problem, though. How do I deal with the redirects required by the ProcessInvitation page? One goes back to the index.php page; the other sends users elsewhere.

    Okay, here’s an attempt to place all the logic in one file, the header.php file. There are still a couple of logic structures I’m having trouble with, plus (alas) one redirect I dunno how to do. I’ve marked them in my pseudo-code. Here goes:

    If “knowscouple” cookie has not been set
    {If form has been submitted,
    {If the values for bride and groom do not match the actual names of bride and groom
    {Set “knowscouple” cookie to null and redirect to some other website (maybe a search-engine page with “wedding” and chosen names as arguments). HOW???}
    Else (values do match)
    {set the “knowscouple” cookie, and continue processing header or go back to start of file. HOW???}}
    Else (form has not been submitted)
    {display the form, which looks like a wedding invitation, with two popup menus in place of the bride & groom’s names. Stop all further processing of index.php. HOW???}}
    Else (“knowscouple” cookie has been set)
    {continue with rest of header}

    I’d appreciate any help with the three marked problems!

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Alternative to password-protection for light security?’ is closed to new replies.