How to Password Protect WordPress Site

how to password protect wordpress site


WordPress is a content management system, powered by PHP, which is used by various individuals to publish their articles. By default, WordPress uses username and password, and It’s sufficient as a basic protection to keep introducers away from the administrative panel. But having said that, it doesn’t protect the contents of the wordpress blog. Since it doesn’t protect the contents (posts), pages, categories, tags anyone can access them as long as the site is known to public. Protecting the content area sounds like a waste of time, but for some individuals who seek to maintain a private blog, subscription based blog it may come handy. By default, WordPress allows to protect individual pages, posts with a password but not the whole site. So this article demonstrates how to password protect WordPress site with a custom password with this lightweight plugin. The plugin is developed by us; hence it’s well optimized just for this purpose. This is most suitable for WordPress private sites.


  • Custom Password To Secure the Contents (wordpress password protect entire site)
  • Password Verification
  • Exclude Each User Group (Editor, Author, Contributor, Subscriber) to Allow Them in without the Password
  • Custom Message to Display when the Site is Password Protected (It only appears at the login page)
  • Custom Login Page
  • High Security in Storing the Password (Salted)
  • Protection against Session Fixation Attack
  • Support Cache Plugins (Always clear the cache for better results)
  • Easy Disable, Uninstall
  • Easy Install
  • Support from Nucuta for Free
  • More Features to Come
  • Clean Codes (Anyone can edit with ease)
  • Compatibility with Two Factor Verifications Plugins

Download Link

Updated: The plugin is located at here. Nucuta Password Protect

The plugin is at the process of uploading to WordPress Repository at the moment. Once this phase is completed, the URL to the plugin will appear in this segment, then it can be installed as any other plugin through WordPress administrative area’s Plugins -> Add New page.


how to password protect wordpress site

At the moment the administrative page of the plugin looks like in this screenshot (it may subject to change in future versions). It has 8 elements. First element is for switching the password on and off. It can only be enabled if a valid password is provided in both “Password”, “Confirm” text boxes.

The second and third elements are for typing the passwords. The passwords are salted, validated for errors, and then submitted to the database to store, then when a user typed the password to login to the site, it’s hashed and checked against the already hashed password stored in the database for verification. If both are matched, the user is granted the access, otherwise user can’t access to the site. Since this plugin uses salted passwords the hash is different in each time when it’s generated, so there is no risk of the password getting exposed. Currently the Salt is the strongest way to hash to store passwords in a database, and it’s also used by WordPress to keep its admin area secure as well.

The fourth, fifth, sixth, seventh elements represent default user groups in WordPress platform. At the moment, the default user groups are “Administrator”, “Editor”, “Author”, “Contributor”, “Subscriber”.  That being said, it doesn’t include administrator group in the password protection for obvious reasons. This plugin allows administrators to change its options; hence there is no point of barricading administrators from entering backend (/wp-admin/). As stated earlier, this is meant for protecting the contents not the admin area (/wp-admin/), so administrators still have to login to access to the site when the password protection option is switched on. In features list it states that it allows “Compatibility with Two Factor Verifications Plugins”, what this means it doesn’t protect the default login page of WordPress, so anyone can access to the wp-login.php page to login to the backend of WordPress. However, they still have to type the backend password given when registering the account to pass through the wp-login.php page. The advantage of this feature is making the plugin compatible with other security plugins. Users are free to choose any plugin to secure the wp-login.php page, while keeping this “Password Protect WordPress Site” plugin for securing the contents. So, if the groups implemented in this plugin are unchecked the users in the relevant groups are subjected to the password when accessing the contents even when logged in with their user account, but if their user group is checked to exclude from the password protection the particular user now can access to the contents without typing the password given in this plugin as long as the user is logged into wp-login.php.

how to password protect wordpress site login page

The final element is for displaying message for non-logged in users. Basically, if a message is given by the site administrators, when a user access to the contents (through any link or any source) the given message displays at the login page as seen in the above screenshot. This page appears on every single page if the user isn’t allowed to view the site. There is no exceptions, If the user accessed to category, page, posts, tags no matter where it’s it still appears until the user is granted the access. The only exception here is users can still access to the images, but it’s because images are served by the web server not by WordPress, but it be be avoided by turning on the hot link protection, then users are only allowed to access to the images through the website. The following code snippet can be used to enable Hotlink protection in Nginx web servers. Simply append it to the existing code in default server block. If image server block already exists, replace it. Make sure to replace MY_DOMAIN text with the appropriate domain name as well. If the domain isn’t SSL protected, use http:// instead of https://.

location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {

  access_log /var/log/nginx/access.log;
  expires max;
  log_not_found off;

  if ($http_referer !~ "^*$"){
    set $rule_0 1$rule_0;
  if ($http_referer !~ "^$"){
    set $rule_0 2$rule_0;
  if ($http_referer !~ "^*$"){
    set $rule_0 3$rule_0;
  if ($http_referer !~ "^$"){
    set $rule_0 4$rule_0;
  if ($rule_0 = "4321"){
    return 403;

When applying the changes a valid password, and its confirmation have to be there in order to turn on the password protection, however the rest of the options are optional. To disable the password protection, the only thing has to be done is to ‘Uncheck’ the “Enable Password Protection to Whole Site”, and click on “Apply Changes” button. The plugin can be disabled and uninstalled through the “Plugins”, and “Installed Menu” section, but only administrators are allowed to either disable or uninstall the plugin.


Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


  1. Avatar

    Unfortunately, the plugin keeps asking the password after every click on the site.

nucuta header blue