Password Protect your Entire WordPress Site

You can block access to your entire site

I’m currently working with a client whom I’m creating an intranet site for. The site needs to be completely secure from anyone who isn’t logged in.

The standard WordPress privacy options do not allow for a blanket protection over your site, but with a minor modification, you can force a user to log in before they will see anything.

Create the function

We’re going to use a simple snippet that will check whether a user is logged in every time a page tries to load. It will check it before it loads the page, so there is no chance that the content will appear.

This function can be put into your theme’s functions.php file, or more preferably, your functionality plugin:

Now, whenever someone tries to load a page, they’ll be redirected to the login screen. If they log in successfully, they’ll automatically be redirected to the page they were trying to reach, thanks to the auth_redirect function.

Other considerations

Bear in mind that just because your content can’t be seen on screen at your site doesn’t mean it can’t be seen at all. You need to consider your RSS feed, sitemap, robots.txt file, pingbacks and trackbacks, and any other ways in which you might be distributing your content. You can kill the RSS feed altogether using wp_die. Also make sure that users can’t register for your site by unchecking the option in Settings > General.
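As an added example (not the author's original snippet, which is not reproduced on this page), here is how the login check described under "Create the function" and the feed shutoff mentioned above could sit together in a functionality plugin. The `intranet_*` function names are hypothetical, and the REST API and pingback filters go beyond what the article covers: both are content paths that never pass through `template_redirect`.

```php
<?php
// Added example, not the article's original snippet. The intranet_* names are hypothetical.

// 1. Front end: runs before any template is rendered, so nothing is
//    output for visitors who are not logged in.
function intranet_require_login() {
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // To wp-login.php, then back to the requested URL.
    }
}
add_action( 'template_redirect', 'intranet_require_login' );

// 2. Feeds: kill them outright with wp_die(). Priority 1 runs before
//    core's own feed handlers (priority 10).
function intranet_disable_feed() {
    wp_die( 'Feeds are disabled on this site.', '', array( 'response' => 403 ) );
}
foreach ( array( 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom' ) as $hook ) {
    add_action( $hook, 'intranet_disable_feed', 1 );
}

// 3. REST API (assumption: WordPress 4.7 or later). /wp-json/ requests
//    never reach template_redirect, so refuse anonymous callers here.
function intranet_rest_require_login( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result; // Another authentication handler already decided.
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the API.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'intranet_rest_require_login' );

// 4. Pingbacks arrive through xmlrpc.php, which also bypasses
//    template_redirect; remove the method so none are accepted.
function intranet_remove_pingback( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'intranet_remove_pingback' );
```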

26 thoughts on “Password Protect your Entire WordPress Site”

  1. Paul Salmon says:

    That is an interesting piece of code. I have seen people ask how they can limit access to a WordPress blog to only specific users. I think such code would work well in that situation, mainly because you can then control who has access to the content.

    As you mentioned, of course, you will need to think about other aspects of how you distribute the content.

    1. Yeah, you can change the conditional statement to query whether the user is of a specific role instead to only allow access to them. It’s a powerful little snippet.

  2. One of the old tricks I remember from the early days of the ‘net was to get past the login page to the information behind it via a Google search. The login page was just a gateway and once past people had free rein. What I like about the approach in this article is that it is pretty decent security, making it much more difficult for people to see your content.

    If you’re ever in the mood to see what the effect of poor security is, just Google “Confidential do not distribute” and poke around in the tens of thousands of responses. There’s some interesting reading there!

    1. Hehe, oh yes, the good old days. This method will prevent Google from being able to see anything, but you can also use robots.txt to block access from spiders like Google et al.

  3. Jim Jenks says:

    Can you do this only to certain parts of your website pretty easily?

    1. Sure, by using conditional statements (i.e. is_single or is_category), you can very easily set it to work only on specific parts of your site.

      1. Jim Jenks says:

        Ok thanks, I’ll have to play around with that a little bit. I’m still in the beginning stages and trying to learn as much as possible.

  4. I like this piece of code – clean, concise, and gets the job done nicely!

    In the past I had recommended a simple plugin that handled this functionality, but for a number of reasons it was not optimal (i.e., the plugin wasn’t updated in quite a long time, it only required an email address, not a password so security strength was not as good, and of course, an extra plugin can slow things down)!

    Thanks for posting this!
    Be Well.
    Paul.

    1. Hmmm, yes, relying on just an email address doesn’t seem very secure. I prefer this method as it relies on an existing system, which is already very secure to provide the authentication. Thanks for your comment

  5. Paul says:

    The best solution I’ve found is to password protect at the root, server level. One little extra step during sign in is no big deal, and the feeling of extra security is great. If you don’t get past the server, you won’t get very far!

    1. And what does that entail? How would you go about doing that?

      1. Jason B says:

        Just depends on the web hosting provider. I use Globat (but I’m sure others are similar). I can easily set usernames and p/w on a per directory basis.
        Also one of the reasons why I switched to wordpress from blogger when they made self hosting blogs obsolete.

        I like keeping separate blogs: 1 for my public posts and another for journal, snippets, notes, etc.

        Btw great code. Thx for sharing. It will come in handy for me with certain areas of my blog.
        (ッ)-b

        1. Well, yes, most web hosts offer that functionality, but this integrates it with WordPress, especially if you’re creating a site where you’re already going to be creating user accounts. Furthermore, everyone has their own passwords, so if you need to remove access for one person, you don’t need to change the password and tell everyone. This is a much cleaner method, unless you’re the only person that needs to access the site.

  6. John Huner says:

    This is very nice. It would be a very simple way to deal with staging a site for approval before making it public.

    Also, FYI, when I tab between fields (like enter my email then press tab) it jumps me to the top of the page. Firefox on Mac.

    1. Are you referring to when you’re leaving a comment on my site? I’ll have to look into that if so

  7. Dave, I know that somebody is trying to crack my site because my Admin keeps getting locked out by the LockOut plugin, due to too many attempts to log in. It prevents log in, but gets me (one of me, at least) locked out.

    1. It might be worth looking into restricting the login page and admin area to only certain IP addresses to block these outside attempts. Or, if you use Simple Login Log, you can see the IP of the person trying to access your site.

  8. Ankul Barar says:

    Hey Dave,
    I just have a small question! Can this be done by excluding the homepage and when someone tries to go beyond that a pop up opens for login. Is it possible?

    1. Of course. You could just use a conditional tag (such as is_home) to only apply the auth_redirect rule on certain pages. For example:

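      function protect_whole_site() {
          // Send anyone who is not logged in to the login screen, except on the home page.
          // Note: is_home() is the blog posts index; with a static front page, is_front_page() matches the front page instead.
          if ( ! is_user_logged_in() && ! is_home() ) {
              auth_redirect();
          }
      }

      // Run the check before any template is rendered.
      add_action( 'template_redirect', 'protect_whole_site' );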

      1. Ankul Barar says:

        So this will allow me to open the home page but not any other page, right? Also, will Google be able to crawl the site after this, after the whole site is protected?

        1. No, Google will not be able to crawl the site because before each page is rendered, WordPress will check whether the user is logged in and present the login screen if they’re not, so it will only be able to crawl the homepage, which will be the only page visible with this code.

  9. John says:

    Can you post a link to a working example of this?

    1. One of my client’s sites is an internal intranet site that is wholly protected by password access: http://intranet.kawasumiamerica.com/

  10. Kevin C. says:

    Sweet. I’ve combined this with a constant set in wp-config, WP_ENV. If the constant is set to “stage,” then it requires a login to view the site. This helps us keep multiple environments for rolling out updates.

  11. Eric says:

    Wow, nice. No htaccess crap, wonderful.

  12. Quite a mess of different hacks and plugins to solve this problem.

    There are several solutions given on wordpress stackexchange ‘Restrict wordpress to private’, where we can vote up the best answers.

    The RSS feed is one complication to check for. Another follow up problem I hit was… giving lots of users the password to a ‘guest’ account has the problem that someone can screw things up by changing the password to that account.
