Password Protect WordPress Logic

How Password Protect WordPress works?

  • A page/post is considered “password protected” when you
    • Change Visibility (Edit Page) to Password protected – the default WordPress feature
    • Password protect by roles: set a password for a role when editing a page or post
    • Click on “Password protect this page” button
    • Its parent page or category is protected

  • We automatically generate a random password when protecting a page if there is no password created for that page yet
    • Deleting or deactivating all password of a particular page doesn’t “unprotect” that page. You have to unprotect the page manually.
    • Unprotecting a page doesn’t remove all its passwords. They will reappear when protecting that page again.


  • Passwords must be unique within a protected post
    • There is no duplicate password across different password types, e.g. Global and Role.
    • Please note that while you can use spaces when using WordPress default password protected feature (on Classic Editor) – which is a bug, you cannot do so with our plugin.

  • You can create the same passwords across different posts. You can quickly do so under our plugin’s settings. The password is called as Global (shared).
  • When a password is entered correctly, the users won’t have to enter it again.
  • You have to re-enter the password when:
    • The password is changed, deleted or deactivated
    • The password’s cookies expire whose expiration time can be set under our settings
  • The password used to protect the entire site is encrypted

Block search indexing

This feature helps prevent Google and other search engines from indexing your password protected content. In other words, once a page or post is password protected, our plugin will add noindex meta tag to its HTML code so that your protected content won’t be crawled and listed on search results anymore. This option is enabled by default.

In case you password protect your entire site, all your content won’t be indexed whether they’re protected or not. Unprotected pages excluded from the entire site protection will still be indexed though.

Protected Parent Pages & Categories

  • All posts under a protected category will be automatically password protected, exclusive of posts belonging to its sub-categories.
    • Protecting parent categories doesn’t mean all posts under its sub-categories will be protected. This is due to WordPress setup where a post can belong to a sub-category but not its parent category.
  • When password protecting a page, all its child pages are auto-protected by default:
    • Using the same password with the parent page
    • The password usage of child pages are added to total usage of parent pages
  • Once entering the right password for a protected page, users will be able to access other protected child and parent page too without having to enter the password again.
  • When you turn OFF the child page auto-protection option:
    • If a child page was protected before, it will be protected now with previously created passwords. In other words, it will keep the protection status before you turn ON this settings option.

Prevent Direct Access Gold Integration

  • When entering the right password, you will be able to view the protected page’s content:
    • If the user is logged in and has the right file access permission, our plugin will display the file using their protected link as usual.
    • Otherwise, our plugin will create a private link for reach protected file, which will expire after the page is loaded. In other words, a new private link will be created on every page load for each file. This stops users from sharing your protected files.
    • Limitation: Our plugin will not be able to display protected videos/audios embedded in the content.
  • So if you whitelist a role that doesn’t have access permission to your protected files, they will be able to see the content but not those files.
Lasted updated on May 10, 2019