TL;DR: Password protected pages aren’t really “protected”. Let me explain what you have to look out for when using them.
First we take a quick look at how this feature is currently implemented in core. The post_password is a column of a site’s posts table. It stores the password as plain text, because these passwords are meant to be shared.
Hint: Don’t ever use a page password that you already use for a real login/authentication.
Not every password is a real password.
When you enter a password into a form built by get_the_password_form(), the form targets ~/wp-login.php with a query argument named postpass, which is the $action the login file uses to switch. There the PasswordHash class gets into use and a cookie gets set:

```php
// wp-login.php, 'postpass' action: the entered password is hashed (phpass PasswordHash)
// and stored in a cookie whose name depends on the site (COOKIEHASH), not on the post.
setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
```
After that a safe redirect gets performed. A brief explanation of what happens: you enter a password and WP saves a hashed version of it as a cookie. Later on it compares the hash against the plain text password in post_password_required(), again using the
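The flow described above, as an added stand-alone model that is not WordPress core code: core uses the phpass PasswordHash class, and password_hash()/password_verify() stand in for it here so the script runs without WordPress. The COOKIEHASH value, the cookie jar array and the posts are constructed for the example. It shows why the cookie, once set, unlocks every post that carries the same password.

```php
<?php
// Added example, not WordPress core code. Models the post-password flow:
// the entered password is hashed into a site-wide cookie, and later checks
// compare that hash against each post's plain-text post_password.
const COOKIEHASH = 'abc123'; // constructed; in WP this is derived from the site URL

/** Mimics the 'postpass' branch of wp-login.php: store a hash of the entered password. */
function set_postpass_cookie( array &$cookieJar, string $entered ): void {
    // password_hash() stands in for PasswordHash::HashPassword()
    $cookieJar[ 'wp-postpass_' . COOKIEHASH ] = password_hash( $entered, PASSWORD_DEFAULT );
}

/** Mimics post_password_required(): true while the visitor still has to enter the password. */
function post_password_required_model( array $post, array $cookieJar ): bool {
    if ( $post['post_password'] === '' ) {
        return false;                        // post is not protected at all
    }
    $name = 'wp-postpass_' . COOKIEHASH;
    if ( ! isset( $cookieJar[ $name ] ) ) {
        return true;                         // no cookie yet: show the form
    }
    // password_verify() stands in for PasswordHash::CheckPassword()
    return ! password_verify( $post['post_password'], $cookieJar[ $name ] );
}

// Constructed posts: two share a password, one is public.
$posts = [
    'report-q1' => [ 'post_password' => 'shared-secret' ],
    'report-q2' => [ 'post_password' => 'shared-secret' ],
    'about'     => [ 'post_password' => '' ],
];
$cookieJar = [];

echo "Before entering a password:\n";
foreach ( $posts as $slug => $post ) {
    printf( "  %-10s requires password: %s\n", $slug,
        post_password_required_model( $post, $cookieJar ) ? 'yes' : 'no' );
}

// The visitor unlocks report-q1 ...
set_postpass_cookie( $cookieJar, 'shared-secret' );

// ... and report-q2 is unlocked as well, because the cookie is keyed by site, not by post.
echo "After unlocking report-q1:\n";
foreach ( $posts as $slug => $post ) {
    printf( "  %-10s requires password: %s\n", $slug,
        post_password_required_model( $post, $cookieJar ) ? 'yes' : 'no' );
}
```

Run it with `php` on the command line; the second listing reports both protected posts as unlocked even though only one of them was visited.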
Things to watch out for
There are quite a few glitches. Here’s a (probably incomplete) list of them.
- If a password is shared between pages, the saved cookie gives a user access to all pages sharing that password.
- A search query does not return password protected posts. The reason was pointed out by Andrey “Rarst” Savchenko and Chip Bennett in a discussion: you don’t want to expose any details about a page’s content, and finding it on the search results page would allow guessing what’s inside. But there’s more to it: if a user is logged in, the protected post will appear in the search results, and this doesn’t distinguish by role. If you have a role with no capabilities at all, or your protected pages target only specific roles, you should alter your search query accordingly.
- Attachments that have a password protected parent are not protected.
- The same goes for comments.
- One of the next versions of WordPress will feature query arguments that allow you to query by has_password or explicitly by
- There might be another feature coming that allows crawlers to access the content. We hope this doesn’t happen, even though, as Andrey pointed out, some magazines with paid content might still want crawlers to index their content without exposing it to non-paying readers. You know how to work around that, don’t you?
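Hooks that close the search, attachment and comment gaps from the list above, as an added example rather than code from WordPress core. It assumes it runs inside WordPress (an mu-plugin or a theme’s functions.php); the capability name 'read_private_posts' is a placeholder to replace with whatever matches your roles.

```php
<?php
// Added example, not WordPress core code. Assumes it is loaded inside WordPress.

// 1. Search: keep password-protected posts out of search results for everyone
//    except users with the chosen capability, regardless of login state.
//    'read_private_posts' is a placeholder capability; pick one that fits your roles.
add_filter( 'posts_where', function ( $where, WP_Query $query ) {
    global $wpdb;
    if ( $query->is_search() && $query->is_main_query() && ! current_user_can( 'read_private_posts' ) ) {
        $where .= " AND {$wpdb->posts}.post_password = ''";
    }
    return $where;
}, 10, 2 );

// 2. Attachments: send visitors of an attachment page back to its protected
//    parent until the password has been entered there. post_password_required()
//    accepts a post ID and checks the same cookie core uses.
add_action( 'template_redirect', function () {
    if ( ! is_attachment() ) {
        return;
    }
    $parent_id = (int) get_post()->post_parent;
    if ( $parent_id && post_password_required( $parent_id ) ) {
        wp_safe_redirect( get_permalink( $parent_id ) );
        exit;
    }
} );

// 3. Comments: hand the template an empty comment list and report comments as
//    closed while the post's password is still required. This covers the theme's
//    comment output; comment feeds and REST endpoints need their own handling.
add_filter( 'comments_array', function ( array $comments, $post_id ) {
    return post_password_required( $post_id ) ? [] : $comments;
}, 10, 2 );

add_filter( 'comments_open', function ( $open, $post_id ) {
    return post_password_required( $post_id ) ? false : $open;
}, 10, 2 );
```

The search filter works on the SQL WHERE clause because it does not rely on the has_password query argument mentioned above, so it behaves the same on versions that lack it.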
Those are just some notes I want to leave you with, so use this feature with caution and make your theme or plugin account for those facts.