Follow-Up: WordPress Password-Protection & Admin Whitelist


A few months ago, I posted an article explaining how to lock your administration area down so that only specific IP addresses or IP ranges can log in to your WordPress system. Recently, I came across one minor unexpected side effect of this security method: password-protected posts and pages no longer work as expected. Since the WordPress password-protection form submits the password to wp-login.php, which is the very file to which we’re restricting access, any users not on your whitelist are unable to view the password-protected content.
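To make the conflict concrete, here is an added example (not code from the original article) of how the two features can coexist when the whitelist is enforced in PHP rather than in the web server configuration. It assumes the whitelist is applied as a must-use plugin hooking `login_init`, which WordPress fires in wp-login.php before the requested action is dispatched; the addresses in `EXAMPLE_ADMIN_WHITELIST` are constructed sample values, and the helper names are hypothetical. The post-password form posts to `wp-login.php?action=postpass`, so only that action is exempted from the IP check; every other wp-login.php action stays restricted, and restricting /wp-admin/ itself is left to whatever the original article's method already does.

```php
<?php
/**
 * Plugin Name: Admin IP whitelist with a post-password exception (added example)
 *
 * Added example, not code from the original article. Assumes the admin
 * whitelist is enforced in PHP via login_init (hypothetical); the
 * whitelist entries below are constructed sample values.
 */

// Constructed sample whitelist: plain IPv4 addresses or CIDR ranges.
const EXAMPLE_ADMIN_WHITELIST = array( '203.0.113.0/24', '198.51.100.7' );

/**
 * Return true when $ip falls inside $cidr (plain address or a.b.c.d/n, IPv4 only).
 */
function example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false; // malformed address: never treat as whitelisted
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Return true when $ip matches any whitelist entry.
 */
function example_ip_is_whitelisted( $ip ) {
    foreach ( EXAMPLE_ADMIN_WHITELIST as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

/**
 * login_init fires in wp-login.php before the action switch. The post-password
 * form submits to wp-login.php?action=postpass, so that one action is allowed
 * through for everyone; all other wp-login.php actions are IP-restricted.
 */
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'postpass' === $action ) {
        return; // visitors only submit a post password here; no admin access is granted
    }
    // Note: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address.
    // Only substitute a proxy-supplied header if that proxy is trusted to set it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! example_ip_is_whitelisted( $ip ) ) {
        wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

Exempting `postpass` does not weaken the whitelist: that action only validates a post password and sets a cookie, and it never creates a login session. The trade-off is that the post-password endpoint becomes reachable by anyone again, which is exactly the feature's normal exposure on an unrestricted site.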

With that said, I think we should take a moment to delve into how the password-protected content works within WordPress, and let you figure out whether it’s even worth using that feature.

  1. When you use password-protected content, only one password can be applied to that content. That same password has to be shared with everyone that should have access to the content. If, at any time, you decide that access to that content needs to be revoked from someone, you need to reset the password and send the new password again to everyone that should still have access.
  2. There is no simple way to log out of the password-protected content. Once you enter the password and hit the Submit button, that content is revealed to you (or anyone else that uses your browser).
  3. The cookies that are generated for the password-protected content are valid for 10 days by default (that can be changed with a code filter). In conjunction with number 2 above, that means that, after you enter the password, anyone that uses that browser for the next 10 days can see that “protected” content.
  4. If your cache isn’t configured just right, you may end up caching one version of the page or the other, so entering the password won’t make a difference anyway. Either the page will be cached with the content hidden, and entering the password will have no effect, or the page will be cached with the content revealed, and it’s no longer protected from anyone.
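Points 2 and 3 above can both be softened from a small must-use plugin; the following is an added example, not code from the original article. It uses WordPress's `post_password_expires` filter (which receives the expiry timestamp wp-login.php is about to put on the cookie) and the `wp-postpass_` . `COOKIEHASH` cookie that wp-login.php sets. The shortcode name `postpass_logout` and the `postpass_logout` query variable are hypothetical names chosen for this example.

```php
<?php
/**
 * Plugin Name: Shorter post-password lifetime plus a logout link (added example)
 *
 * Added example, not code from the original article. Relies on the
 * post_password_expires filter and the wp-postpass_{COOKIEHASH} cookie
 * that wp-login.php sets; the shortcode and query variable names are hypothetical.
 */

// Point 3: shorten the post-password cookie from the 10-day default to 2 hours.
add_filter( 'post_password_expires', function ( $expires ) {
    return time() + 2 * HOUR_IN_SECONDS;
} );

// Point 2: a way to "log out" of protected content by clearing the cookie.
add_action( 'init', function () {
    if ( empty( $_GET['postpass_logout'] ) ) {
        return;
    }
    $cookie = 'wp-postpass_' . COOKIEHASH;
    // Expire the cookie using the same path and domain WordPress set it with.
    setcookie( $cookie, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    unset( $_COOKIE[ $cookie ] );
    // Reload the current URL without the query variable; the post is hidden again.
    wp_safe_redirect( remove_query_arg( 'postpass_logout' ) );
    exit;
} );

// [postpass_logout] shortcode: renders a "forget password" link once the content is unlocked.
add_shortcode( 'postpass_logout', function () {
    if ( ! isset( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ) ) {
        return ''; // nothing to forget yet
    }
    $url = add_query_arg( 'postpass_logout', '1' );
    return '<a href="' . esc_url( $url ) . '">Forget the post password</a>';
} );
```

Place `[postpass_logout]` inside the protected post body so the link only appears after the password has been accepted. Neither change addresses point 1 (a single shared password) or point 4 (caching): a page cache that ignores the `wp-postpass_` cookie will still serve whichever version it stored first.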

Ultimately, if you are restricting access to your administrative dashboard through IP whitelisting, it’s up to you whether you want to bother re-implementing the password-protected content or not. Personally, I find that the password-protected content offers fewer benefits than drawbacks, so I’m working on educating my content managers and clients not to use it.
