WordPress Password protected posts – feature or security leak?


TL;DR: Password protected pages aren’t really “protected”. Let me explain what you have to look out for when using them.

The internals

First, a quick look at how this feature is currently implemented in core. The post_password is a field in a site’s posts table. It stores the password as plain text, because these passwords are meant to be shared.

Hint: Don’t ever use any page password that you already use for a real login/authentication.

Not every password is a real password.

When you enter a password into a form built by get_the_password_form(), the form targets ~/wp-login.php with the query argument action=postpass; postpass is the $action value the login file switches on. There the PasswordHash class is used and a cookie is set:

    'wp-postpass_' . COOKIEHASH,
    $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ),

After that, a safe redirect is performed. In brief: you enter a password and WP saves a hashed version of it in a cookie. Later on, post_password_required() compares that hash against the plain text password, again using the PasswordHash class.

Things to watch out for

There are quite a few glitches. Here’s a (probably incomplete) list of them.

  1. If passwords are shared between pages, the saved cookie will give a user access to all pages sharing the same password.
  2. A search query does not return password protected posts. The reason was pointed out by Andrey “Rarst” Savchenko and Chip Bennett in a discussion: You don’t want to expose any details about a page’s content. Finding protected posts on the search results page allows guessing what’s inside. But there’s more to it: if a user is logged in, password protected posts will appear in the SERPs, and the query doesn’t distinguish by role. If you have a role with no capabilities at all, or your protected pages target only specific roles, you should alter your search query accordingly.
  3. Attachments that have a password protected parent are not protected.
  4. The same goes for comments.
  5. One of the next versions of WordPress will feature query arguments that allow you to query by has_password or explicitly by post_password.
  6. There might be another feature coming where you can allow crawlers to access the content. We hope this doesn’t happen, even though, as Andrey pointed out, some magazines with paid content might still want crawlers to index their content without exposing it to non-paying readers. You know how to work around that, don’t you?

Those are just some notes I want to leave you with, so use this feature with caution and get your theme or plugin to consider those facts.
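One way a plugin could close the search and attachment gaps from items 2 and 3, as an added example that is not WordPress core code or code from the original post. It assumes a WordPress version where the has_password query argument from item 5 is available (it was added in 3.9), and the edit_others_posts capability check is an illustrative policy choice, not something the post prescribes.

```php
<?php
/**
 * Added example: tighten two of the gaps listed above.
 * Assumption: only users who can edit others' posts should still see
 * password protected posts in front-end search results.
 */

// Item 2: logged-in users get password protected posts in search results.
add_action( 'pre_get_posts', function ( $query ) {
	if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
		return;
	}
	if ( current_user_can( 'edit_others_posts' ) ) {
		return; // Editors and above keep the default behaviour.
	}
	// has_password => false limits the query to posts with an empty post_password.
	$query->set( 'has_password', false );
} );

// Item 3: attachment pages ignore the password of their parent post.
add_action( 'template_redirect', function () {
	if ( ! is_attachment() ) {
		return;
	}
	$attachment = get_queried_object();
	if ( ! $attachment instanceof WP_Post || ! $attachment->post_parent ) {
		return; // Unattached media has no parent password to inherit.
	}
	// post_password_required() checks the visitor's wp-postpass_ cookie
	// against the parent's post_password.
	if ( post_password_required( $attachment->post_parent ) ) {
		// Send the visitor to the parent, where the password form is rendered.
		wp_safe_redirect( get_permalink( $attachment->post_parent ) );
		exit;
	}
} );
```

This covers the attachment page only: the file URL under the uploads directory is served directly by the web server and stays reachable to anyone who knows it.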

One comment:

  1. Password protection is a thing from the very early days of blogging. It wasn’t reinvented since then. It’s a very basic technique to protect content on the viewer’s side. Keep this in mind.
    So the only really good workaround is not to use the password protection. Use a plugin instead.
