It is most likely to do with their aggressive caching.
I current don;t know of a way to resolve this, but it might be worth contacting WPEngine support to see if there is a way to disable their page caching in certain scenarios.
I have been in contact with WP Engine and due to the way their hosting caches pages it is not possibly to implement password protection robustly.
They have suggested that I could implement a JavaScript layer to do redirect non logged in users away from a protected page but a user could obviously get round this by disabling JavaScript in their browser.
They have shown me how I can detect wether a site is hosted with WP Engine, so what I will do is implement this JavaScript detection but also show a message to WP Engine users in the admin to make them aware that due to their hosting the plugin will not robustly protect their site. I’ll also flag this up in the read me.
Kind regards
Ben
Thread Starter
mmatty
(@mmatty)
That sounds great. We don’t need a robust, military-grade protection. Just a little hurdle..
Do you have any idea when you’ll be able to implement it? Anything I can do to help out?
I might have chance this weekend?
I will post updates here:
https://github.com/benhuson/password-protected/issues/19
Thread Starter
mmatty
(@mmatty)
is it possible to commission you to do it super-fast?
[btw, I couldn’t test it, but we’re going to use it with woocommerce, and I’m assuming it will not conflict with the cart and with people registering-when-checking-out. Do you see any problem with working with them together?]
It shouldn’t conflict.
It would just be a bit of Javascript on each page that checks if a cookie has been set by the login.
I’d emphasise again that this is only a very superficial fix. If a user disables javascript they’ll be able to see pages, won’t be asked to login. And the JavaScript will only check that the cookie has been set (ie logged in) – it won’t do any comprehensive tests to check the cookie was set by the current password (ie if you change the password in the admin current users won;t be logged out until the cookie expires).
I don’t have any time available until the weekend but email me if you’d like me to look at it then.
