I’m currently working with a client whom I’m creating an intranet site for. The site needs to be completely secure from anyone who isn’t logged in.
The standard WordPress privacy options do not allow for a blanket protection over your site, but with a minor modification, you can force a user to log in before they will see anything.
Create the function
We’re going to use a simple snippet that will check whether a user is logged in every time a page tries to load. It will check it before it loads the page, so there is no chance that the content will appear.
This function can be put into your theme’s functions.php file, or more preferrably, your functionality plugin:
Now, whenever someone tries to load a page, they’ll be redirected to the login screen. If they log in successfully, they’ll automatically be redirected to the page they were trying to reach, thanks to the auth_redirect function.
Bear in mind that just because it can’t be seen on the screen at your site, doesn’t mean it can’t be seen altogether. You need to consider your RSS feed, sitemap, robots.txt file, pingbacks and trackbacks and any other ways in which you might be distributing your content. You can kill the RSS feed altogether using wp_die. Also make sure that users can’t register for your site, by unchecking the option in Settings > General.