Skip to content

Password Protection

Password Protection (PRO) puts your whole site behind one shared password - ideal for staging, client previews, or a soft launch before you go public.

  • Shows a customizable password gate on front-end pages until the correct site password is entered.
  • Stores the secret as a hash; session cookie unlock lasts for the browser session.
  • Logged-in administrators bypass the gate; wp-admin and wp-login.php remain available so you can sign in.
  • Blocks anonymous REST API and XML-RPC until unlocked; anonymous admin-ajax is blocked while logged-in users can use AJAX.
  • Conflicts with the Coming Soon / Maintenance module - do not run both.
  • Does not protect direct media file URLs under /wp-content/uploads/.
  • Admin bar notice when protection is active; optional clear-lockouts for failed gate attempts.

Enable it if:

  • The site is staging, private preview, or not ready for public traffic.
  • Clients need a single shared password without creating WordPress users.
  • You can exclude the gate cookie from page cache/CDN variation.
  • Site Password (hashed; leave mask unchanged to keep current secret)
  • Form Title, Form Message, Button Text
  • Logo / Logo Width
  • Background Image, Overlay Color, Overlay Opacity
  • Background Color, Form Container Color, Button Color, Button Hover Color
  • Clear lockouts action for failed public attempts
  1. Go to WP PowerSuite -> Modules -> Security.
  2. Toggle Password Protection on (PRO license required).
  3. Set a site password and customize the gate form, then save.
  4. Visit the front end in a private window to confirm the gate.
  • Set a password, save, open the site logged out.
  • ✅ Pass: gate form appears; wrong password fails; correct password unlocks for the session.
  • Open wp-login.php and log in as an administrator.
  • ✅ Pass: admin can reach the dashboard and bypass the front-end gate while logged in.
  • ❌ Fail: check license, password saved (hash present), and cache not serving unlocked HTML to everyone.
  • Everyone sees unlocked content. Vary/exclude cache by the wpps_pwd_access cookie.
  • Uploads still public. Expected for direct file URLs - protect at the server/CDN if needed.
  • Conflict with Coming Soon. Disable one of the two modules.
  • Too many failed attempts. Use Clear lockouts in settings.
What does Password Protection do?

It places a shared-password gate on the public site while keeping wp-admin and wp-login available for administrators.

Is Password Protection free?

No. It is a PRO module and requires an active license.

Do administrators need the site password?

Logged-in administrators bypass the front-end gate. They can always use wp-login.php.

Are media files protected?

No. Direct /wp-content/uploads/ URLs are not blocked by this PHP gate.

How do I turn Password Protection off?

Go to WP PowerSuite -> Modules, find Password Protection, and toggle it off.

Developer notes (hooks & filters)

Source: modules/password-protection/module.php. Boot: critical · context: both. Conflicts: coming-soon-maintenance.

Hooks: template_redirect, init (form submit / XML-RPC check), admin_init (anonymous AJAX), rest_authentication_errors, admin bar actions.