Password Protection
Password Protection (PRO) puts your whole site behind one shared password - ideal for staging, client previews, or a soft launch before you go public.
What it does
Section titled “What it does”- Shows a customizable password gate on front-end pages until the correct site password is entered.
- Stores the secret as a hash; session cookie unlock lasts for the browser session.
- Logged-in administrators bypass the gate; wp-admin and wp-login.php remain available so you can sign in.
- Blocks anonymous REST API and XML-RPC until unlocked; anonymous admin-ajax is blocked while logged-in users can use AJAX.
- Conflicts with the Coming Soon / Maintenance module - do not run both.
- Does not protect direct media file URLs under
/wp-content/uploads/. - Admin bar notice when protection is active; optional clear-lockouts for failed gate attempts.
When to use it
Section titled “When to use it”Enable it if:
- The site is staging, private preview, or not ready for public traffic.
- Clients need a single shared password without creating WordPress users.
- You can exclude the gate cookie from page cache/CDN variation.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”- Site Password (hashed; leave mask unchanged to keep current secret)
- Form Title, Form Message, Button Text
- Logo / Logo Width
- Background Image, Overlay Color, Overlay Opacity
- Background Color, Form Container Color, Button Color, Button Hover Color
- Clear lockouts action for failed public attempts
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules -> Security.
- Toggle Password Protection on (PRO license required).
- Set a site password and customize the gate form, then save.
- Visit the front end in a private window to confirm the gate.
How to test it
Section titled “How to test it”- Set a password, save, open the site logged out.
- ✅ Pass: gate form appears; wrong password fails; correct password unlocks for the session.
- Open wp-login.php and log in as an administrator.
- ✅ Pass: admin can reach the dashboard and bypass the front-end gate while logged in.
- ❌ Fail: check license, password saved (hash present), and cache not serving unlocked HTML to everyone.
Troubleshooting
Section titled “Troubleshooting”- Everyone sees unlocked content. Vary/exclude cache by the
wpps_pwd_accesscookie. - Uploads still public. Expected for direct file URLs - protect at the server/CDN if needed.
- Conflict with Coming Soon. Disable one of the two modules.
- Too many failed attempts. Use Clear lockouts in settings.
What does Password Protection do?
It places a shared-password gate on the public site while keeping wp-admin and wp-login available for administrators.
Is Password Protection free?
No. It is a PRO module and requires an active license.
Do administrators need the site password?
Logged-in administrators bypass the front-end gate. They can always use wp-login.php.
Are media files protected?
No. Direct /wp-content/uploads/ URLs are not blocked by this PHP gate.
How do I turn Password Protection off?
Go to WP PowerSuite -> Modules, find Password Protection, and toggle it off.
Developer notes (hooks & filters)
Source: modules/password-protection/module.php.
Boot: critical · context: both.
Conflicts: coming-soon-maintenance.
Hooks: template_redirect, init (form submit / XML-RPC check), admin_init (anonymous AJAX), rest_authentication_errors, admin bar actions.