I’m currently working with a client whom I’m creating an intranet site for. The site needs to be completely secure from anyone who isn’t logged in.
The standard WordPress privacy options do not allow for a blanket protection over your site, but with a minor modification, you can force a user to log in before they will see anything.
Create the function
We’re going to use a simple snippet that checks whether a user is logged in every time a page tries to load. The check runs on the template_redirect hook, before the template is loaded, so there is no chance that the content will appear.
This function can be put into your theme’s functions.php file, or more preferably, your functionality plugin:
// Runs on every front-end request before the template is loaded.
function protect_whole_site() {
    if ( ! is_user_logged_in() ) {
        // Send the visitor to wp-login.php; WordPress remembers the requested URL
        // and returns them to it after a successful login.
        auth_redirect();
    }
}
add_action( 'template_redirect', 'protect_whole_site' );
Now, whenever someone tries to load a page, they’ll be redirected to the login screen. If they log in successfully, they’ll automatically be redirected to the page they were trying to reach, thanks to the auth_redirect function.
Other considerations
Bear in mind that hiding content on your site’s pages doesn’t mean it can’t be seen anywhere else. You need to consider your RSS feed, sitemap, robots.txt file, pingbacks and trackbacks, and any other ways in which you might be distributing your content. You can kill the RSS feed altogether using wp_die. Also make sure that users can’t register for your site, by unchecking the option in Settings > General.
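As an added example (not code from the original post), here is the template_redirect check above combined with the other channels listed under “Other considerations”: feeds, pingbacks/trackbacks, XML-RPC, the REST API and sitemaps. It assumes WordPress 5.7 or later (for wp_robots) and that the file is loaded as a functionality plugin; the intranet_ function names are my own.

```php
<?php
// Added example, not from the original post: the post's template_redirect check
// extended to the other channels named under "Other considerations".
// Assumes WordPress 5.7+ (for wp_robots) and that this file is loaded as a plugin.
defined( 'ABSPATH' ) || exit;

// 1. Front end: send anonymous visitors to wp-login.php before any template renders.
function intranet_protect_site() {
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // returns the user to the requested URL after login
        exit;
    }
}
add_action( 'template_redirect', 'intranet_protect_site' );

// 2. Feeds bypass the theme, so template_redirect alone still leaks posts via RSS/Atom.
//    Comment feeds go through the same do_feed_* hooks, so they are covered too.
function intranet_kill_feed() {
    wp_die( 'Feeds are disabled on this site.', 'Feed disabled', array( 'response' => 403 ) );
}
foreach ( array( 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom' ) as $feed_hook ) {
    add_action( $feed_hook, 'intranet_kill_feed', 1 );
}
remove_action( 'wp_head', 'feed_links', 2 );       // stop advertising feed URLs in <head>
remove_action( 'wp_head', 'feed_links_extra', 3 );

// 3. Pingbacks, trackbacks and XML-RPC are separate entry points; close them.
add_filter( 'pings_open', '__return_false' );
add_filter( 'xmlrpc_enabled', '__return_false' );

// 4. The REST API (/wp-json/) serves posts and users with no theme involved;
//    refuse anonymous requests with a 401 instead of a login redirect.
function intranet_rest_require_login( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier filter already decided
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}
// Priority 101: run after core's cookie/nonce check (priority 100) so a cookie
// without a valid nonce has already been demoted to an anonymous user.
add_filter( 'rest_authentication_errors', 'intranet_rest_require_login', 101 );

// 5. No sitemap, and a noindex/nofollow robots meta on every page that does render.
add_filter( 'wp_sitemaps_enabled', '__return_false' );
add_filter( 'wp_robots', 'wp_robots_no_robots' );
```

Disabling anonymous REST access also affects front-end features that call /wp-json/ without a login, so test any forms or widgets the intranet relies on.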


March 19, 2012 at 10:16 am
That is an interesting piece of code. I have seen people ask how they can limit access to a WordPress blog to only specific users. I think such code would work well in that situation, mainly because you can then control who has access to the content.
As you mentioned, of course, you will need to think about other aspects of how you distribute the content.
March 20, 2012 at 7:47 am
Yeah, you can change the conditional statement to query whether the user is of a specific role instead to only allow access to them. It’s a powerful little snippet.
March 19, 2012 at 2:59 pm
One of the old tricks I remember from the early days of the ‘net was to get past the login page to the information behind it via a Google search. The login page was just a gateway and once past people had free reign. What I like about the approach in this article is that it is pretty decent security, making it much more difficult for people to see your content.
If you’re ever in the mood to see what the effect of poor security is, just Google “Confidential do not distribute” and poke around in the tens of thousands of responses. There’s some interesting reading there!
March 20, 2012 at 7:49 am
Hehe, oh yes, the good old days. This method will prevent Google from being able to see anything, but you can also use robots.txt to block access from spiders like Google et al.
March 21, 2012 at 12:24 pm
Can you do this only to certain parts of your website pretty easily?
March 21, 2012 at 6:23 pm
Sure, by using conditional statements (e.g. is_single or is_category), you can very easily set it to work only on specific parts of your site.
March 23, 2012 at 12:01 pm
Ok thanks, I’ll have to play around with that a little bit. I’m still in the beginning stages and trying to learn as much as possible.
April 17, 2012 at 10:54 am
I like this piece of code – clean, concise, and gets the job done nicely!
In the past I had recommended a simple plugin that handled this functionality, but for a number of reasons it was not optimal (i.e., the plugin hadn’t been updated in quite a long time, it only required an email address, not a password, so security strength was not as good, and of course, an extra plugin can slow things down!).
Thanks for posting this!
Be Well.
Paul.
April 17, 2012 at 2:16 pm
Hmmm, yes, relying on just an email address doesn’t seem very secure. I prefer this method as it relies on an existing system, which is already very secure, to provide the authentication. Thanks for your comment.
April 18, 2012 at 2:48 pm
The best solution I’ve found is to password protect at the root, server level. One little extra step during sign in is no big deal, and the feeling of extra security is great. If you don’t get past the server, you won’t get very far!
April 19, 2012 at 9:08 am
And what does that entail? How would you go about doing that?
April 26, 2012 at 7:54 am
Just depends on the web hosting provider. I use Globat (but I’m sure others are similar). I can easily set usernames and p/w on a per directory basis.
Also one of the reasons why I switched to WordPress from Blogger when they made self-hosted blogs obsolete.
I like keeping separate blogs: 1 for my public posts and another for journal, snippets, notes, etc.
Btw great code. Thx for sharing. It will come in handy for me with certain areas of my blog.
(ッ)-b
April 27, 2012 at 12:00 pm
Well, yes, most web hosts offer that functionality, but this integrates it with WordPress, especially if you’re creating a site where you’re already going to be creating user accounts. Furthermore, everyone has their own passwords, so if you need to remove access for one person, you don’t need to change the password and tell everyone. This is a much cleaner method, unless you’re the only person that needs to access the site.
April 27, 2012 at 12:04 am
This is very nice. It would be a very simple way to deal with staging a site for approval before making it public.
Also, FYI, when I tab between fields (like enter my email then press tab) it jumps me to the top of the page. Firefox on Mac.
April 27, 2012 at 12:02 pm
Are you referring to when you’re leaving a comment on my site? I’ll have to look into that if so.
April 27, 2012 at 9:20 pm
Dave, I know that somebody is trying to crack my site because my Admin keeps getting locked out by the LockOut plugin, due to too many attempts to log in. It prevents log in, but gets me (one of me, at least) locked out.
April 29, 2012 at 11:45 am
It might be worth looking into restricting the login page and admin area to only certain IP addresses to block these outside attempts. Or, if you use Simple Login Log, you can see the IP of the person trying to access your site.
November 8, 2012 at 4:55 am
Hey Dave,
I just have a small question! Can this be done by excluding the homepage and when someone tries to go beyond that a pop up opens for login. Is it possible?
November 8, 2012 at 9:30 am
Of course. You could just use a conditional tag (such as is_home) to only apply the auth_redirect rule on certain pages. For example:
function protect_whole_site() {
    if ( ! is_user_logged_in() && ! is_home() ) {
        auth_redirect();
    }
}
add_action( 'template_redirect', 'protect_whole_site' );
November 8, 2012 at 11:19 pm
So this will allow me to open the home page but not any other page, right? Also, will Google be able to crawl the site after the whole site is protected?
November 12, 2012 at 9:05 am
No, Google will not be able to crawl the site because before each page is rendered, WordPress will check whether the user is logged in and present the login screen if they’re not, so it will only be able to crawl the homepage, which will be the only page visible with this code.
March 26, 2013 at 7:45 pm
Can you post a link to a working example of this?
March 27, 2013 at 8:48 am
One of my client’s sites is an internal intranet site that is wholly protected by password access: http://intranet.kawasumiamerica.com/
April 9, 2013 at 6:54 pm
Sweet. I’ve combined this with a constant set in wp-config, WP_ENV. If the constant is set to “stage,” then it requires a login to view the site. This helps us keep multiple environments for rolling out updates.
April 10, 2013 at 9:53 am
Wow, nice. No htaccess crap, wonderful.