How to Bypass WordPress Sitewide Password Protection

Everyone has to enter the password to access any pages on your website by default. It increases security, but may also cause some inconvenience. So our plugin provides some ways to bypass this kind of protection in some necessary cases.

Requirements:

Bypass the whole WordPress site

The following methods allow your users to bypass the password protection of the whole site. That means your users can access any page on your site directly without having to enter passwords.

Whitelist specific user roles

The first and fastest way is to grant access permission based on user roles. By default, your private site is always visible to admin users. If you want other user roles to be able to access your site directly too, navigate to the “General” tab under the plugin’s settings page and select the roles from the “Whitelisted Roles” dropdown list.

Requirement: Password Suite addon on top of PPWP Pro

Instead of sending your visitors a valid password and your site URL, you can send them a single link only. These access links allow your visitors to directly access your private site without being prompted for a password. This feature also comes in handy if you want to grant access to some specific users.

You need to extend sitewide password feature in order to generate sitewide Quick Access Links (QAL).

Whitelist specific IP addresses

Another way is to whitelist your users’ IP addresses. Those coming from whitelisted IP addresses can access your protected content directly without entering passwords.

To use this feature, simply add the following code snippet to your (child) theme’s functions.php file.

add_filter(
   'ppwp_sitewide_has_bypass',
   function ( $allowed ) {
      if ( $allowed ) {
         return $allowed;
      }

      // Add specific or wildcard IPv4 addresses here
      $whitelist_ips = [ '127.0.0.1', '116.103.18.*' ];
 
      if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
         $current_ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
      } elseif ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
         $current_ip = $_SERVER['HTTP_CLIENT_IP'];
      } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
         $current_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
      } else {
         $current_ip = $_SERVER['REMOTE_ADDR'];
      }

      if ( in_array( $current_ip, $whitelist_ips ) ) {
         return true;
      }

      foreach ( $whitelist_ips as $whitelist_ip ) {
         $ips = explode( '.', $whitelist_ip );
         if ( count( $ips ) === 4 ) {
            $every      = '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])';
            $ips        = array_map( function ( $element ) use ( $every ) {
               if ( $element === '*' ) {
                  return $every;
               }

               return $element;
            }, $ips );
            $ip_pattern = '/\b(?:' . $ips[0] . '\.' . $ips[1] . '\.' . $ips[2] . '\.' . $ips[3] . ')\b/';

            if ( preg_match( $ip_pattern, $current_ip ) ) {
               return true;
            }
         }

      }

      return false;
   }
);

Bypass sitewide protection partially

The following methods allow your users to bypass the password protection of some pages but not the whole site. In other words, while users can access certain content directly without being asked for a valid password, the rest of your site is still kept private.

Exclude specific pages

This feature becomes useful when you need to show a notification to visitors, e.g, the date your website will be published, the reason why the rest of your website is protected, or how to get the password.

You can exclude the individual pages as well as your “Homepage”, e.g. https://passwordprotectwp.com/, from the sitewide protection.

Please note that this option allows you to exclude pages & posts by default. If you want to exclude a custom post type, you should add this post type to Post Type Protection option first.

Since PPWP Pro version 1.3.3, our plugin uses the search field instead of the dropdown list. So you can select any content, including custom post types without adding them to Post Type Protection option.

Exclude all pages under a post type

Since PPWP Pro version 1.2.1, you can exclude all pages, posts, or custom post types at once by defining our custom constant in your wp-config.php file.

The sample code below allows your visitors to access all your pages and product pages without entering passwords.

define('PPWP_PRO_SITEWIDE_POST_TYPE_EXCLUDES', array('page', 'product'));

Use quick access links of individual pages

A disadvantage of the exclusion method is that all users can access your excluded pages. If you want to grant access to some specific users, you need to use quick access links. Only users who have the links can access your site.

To do so, please follow the steps below:

Step 1: Go to the page you want to grant access and get its quick access link.

Step 2: Navigate to Password Protect WordPress >> Misc tab and enable “Bypass Sitewide Protection Partially” option.

Requirement: Password Suite addon on top of PPWP Pro

Lasted updated on August 20, 2021