Password protected pages and logged in user

  • Hello,

    I am building a website for a customer who wishes to protect the content for specified users. The problem is, it is not possible to create users for all those who visit the website, though it is possible to share with them a password. I thought of simply protecting the pages with one or more passwords. However, the client fears that some users of the website could share the password of those protected pages with unwanted users. They know specifically which users would want to share said password.

    Based on this, I would like to be able to create a few users (with login and password) who would not be required to enter the password on password protected pages, while keeping the password protected pages for the other users of the website (who would not have a login). Is it possible to not ask for the password on password protected pages for logged in users? That way it would be possible to keep an eye on the connections from the not-so-trustworthy users (as they will be logged in).

    Alternatively, I thought of using different passwords for a single page (thanks to a plugin), and sharing specific passwords to specific users to be able to revoke access if needed. However, I don’t seem to find a way to know which password is used to see a page, and therefore I don’t think I can actually know if a password is shared or not.

    To sum up, I would like to either:

    • Open access to password protected pages to logged in users
    • Or keep track of password used to see password protected pages

    I am of course open to suggestions if I am missing some functionality that could help me reach my goal. I would rather not have to install many plugins, but if you know of some that could help me, let me know.

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    The post password functionality is built into the function get_the_content(). To alter its behavior, you’d need to get and output post content through other means. The possibility of improper sharing of the password is a legitimate concern. TBH, password protection like this is a poor security solution, only appropriate where content security isn’t really very important. And if it’s not really that important, why protect it at all? 🙂

    If you’re going to mess with different passwords for different users, you may as well have users log in and let them manage their passwords themselves through the normal processes. Then you can manage who can or cannot see certain content by user roles and capabilities. This makes for superior security. There are plugins that help you manage custom roles and capabilities. You’d still need to add custom code to check for a certain role or capability to manage output. If you only need to manage post content itself, you can use “the_content” filter. If visibility of other elements on the page needs to also be managed, you probably need custom code right on the template itself.
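    A role-and-capability check of the kind described in this reply, combined with the per-account visibility the question asks for, written as an added example that is not part of the original posts. It uses WordPress core's `post_password_required` filter (available since 4.7.0); the capability name `read_protected_training`, the role `training_member` and the log line format are assumptions made up for this sketch.

```php
<?php
/**
 * Plugin Name: Protected Page Bypass (illustrative example, not from the thread)
 */

// Hypothetical capability name chosen for this example.
const TRAINING_CAP = 'read_protected_training';

// Create a dedicated role once, when the plugin is activated.
register_activation_hook( __FILE__, function () {
    add_role( 'training_member', 'Training Member', array(
        'read'       => true,
        TRAINING_CAP => true,
    ) );
} );

// Skip the password form only for logged-in accounts holding the capability.
// Anonymous visitors still get the normal shared-password prompt.
add_filter( 'post_password_required', function ( $required, $post ) {
    if ( ! $required || ! is_user_logged_in() ) {
        return $required;
    }
    return current_user_can( TRAINING_CAP ) ? false : $required;
}, 10, 2 );

// Record which account opened which password-protected page.
add_action( 'template_redirect', function () {
    if ( ! is_singular() || ! is_user_logged_in() ) {
        return;
    }
    $post = get_queried_object();
    if ( ! ( $post instanceof WP_Post ) || '' === $post->post_password ) {
        return; // Not a password-protected post.
    }
    if ( ! current_user_can( TRAINING_CAP ) ) {
        return; // This account still has to use the shared password.
    }
    // REMOTE_ADDR is the proxy's address when the site sits behind one.
    error_log( sprintf(
        'protected-view user=%d post=%d ip=%s',
        get_current_user_id(),
        $post->ID,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
} );
```

    Access for one account is revoked by removing the role or capability from that user, with no change to the shared page password. Views by visitors who typed the shared password are not attributed to anyone by this code.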

    Thank you very much for your answer!

    I completely agree about the security of password protected content. Unfortunately the customer cannot send personalized mail with unique logins for each and every one of their customers, and is persuaded that asking them to create an account themselves is too much work and they won’t bother using the site (which is a training website BTW). They still don’t want the content to be public, so the password protected pages seemed like the best solution, even if we cannot make sure the passwords won’t be shared. And then came the problem of these 2 specific customers they are convinced will share the password…

    In any case, thanks for your answer! I will see if I can play with get_the_content() and custom roles to open access. If not, I guess they should decide what “risk” they are willing to take!

    Moderator bcworkz

    (@bcworkz)

    The added problem of a page password getting inappropriately distributed is that they must then change the password and notify all legitimate users of the new password. Shared passwords are problematic any way you look at it. I sympathize with the concern of the registration process being a barrier to attracting new clients. I often abandon registrations myself if the site is collecting PII and the desired information isn’t that important to me.

    The security of the WP registration could be weakened by removing the email verification requirement. Users would only need a username and self-supplied password to register. They can remain anonymous, no PII. The coding needed to do so gets a bit involved, but it’s doable. Still a barrier, but pretty minimal.

    Another possibility would be to take measures to help ensure the content doesn’t get picked up by search engines, but leave the pages fully open to all. The pages could be an isolated section of the site with no inbound links. End users would need to know the actual URL to one of the pages in order to see content. Browsing or searching the main site wouldn’t get them there. In a sense, the URL becomes the shared password.
