Password protecting your WordPress website is a good choice if you’d like to gate specific pieces of content, prevent WordPress security issues, or protect published pages from view while you make changes. In this post, we'll show you how to do it.
If you’re building a WordPress site, chances are you’re continually creating and evaluating new content to see which pages offer the biggest boost to user traffic and search engine optimization.
As a result, it’s critical to protect these posts — to ensure that unauthorized users can’t view, edit, or delete data before you’re ready to publish pages or have the chance to make critical changes.
But how do you password protect WordPress? Thankfully, WordPress makes it easy with a quick and painless built-in tool. While site owners could invest substantive time and effort into in-depth security precautions, this popular content management system (CMS) offers built-in password functionality to help defend sites against unwanted access and editing. Let’s take a look.
There are many steps to secure a WordPress website or blog, but one easy tactic is to password protect a single page, post, or product listing (including WooCommerce listings) using WordPress’ built-in password protection tool.
Follow these six steps to quickly password protect a single page or post:
Make sure to log in as an administrator or you won’t be able to make any changes to post visibility or security.
From your dashboard, click through to "Posts" and then "All Posts" to select the page or post you want.
Alternatively, click on the post title. Password protection is implemented on a per-post basis, so you’ll need to add security to individual pages as required.
By default, WordPress pages are set to Public — meaning anyone can view them. Private pages can only be accessed by designated Admins and Editors, and Password Protected offers the highest level of security.
Click the blue “Public” text to access visibility options. In the pop-up, click “Password Protected.”
Choose your password. As noted by the official WordPress site, the maximum length is 20 characters.
To apply any changes made, you must click the “Publish” button for unpublished pages or posts, or the “Update” button for already-posted content.
The caveat? WordPress doesn’t natively offer this feature, meaning you’ve got two options: Plugins and HTTP authentication. Let’s explore each in more detail.
There are a host of free and for-pay WordPress plugins that make it possible to password protect your entire site. While the details differ from plugin to plugin, the basics are the same — you select a password for your site and specify any exceptions, such as visitors from specific IP addresses, then apply the changes. When users visit your site, they’ll see a WordPress login screen that requires a valid password for access.
We’ll go through the process using PPWP – WordPress Password Protect Page Plugin, which allows you to protect your entire WordPress site, as well individual pages, posts, and categories. In the Pro version, you can even protect entire custom post types, such as product listings.
Here’s the step-by-step process:
To install the plugin, log into your WordPress dashboard, click “Plugins” on the sidebar, and click “Add New.” Search for the PPWP plugin, then install it and click “Activate.”
The plugin will have a dedicated section on your sidebar titled “Password Protect WordPress.” Click on it to expand the subsections, then click on “Sitewide Protection” to see your options.
You’ll then be prompted to set a password. The change will be immediate, so make sure you’re ready to make your website fully private! And do save your password somewhere for you to remember.
When external visitors try to visit your site, this is what they’ll see:
Remember that password protecting your site may lead to search engine indexing issues, meaning that Google, Yahoo, and Bing may not list your website in search results. If you’d like to keep your pages public but not be indexed by search engines, you can use noindex, nofollow meta tags without needing to make your site private.
This type of password protection happens at the web hosting level; many web hosting providers now offer one-click HTTP authentication for your website, regardless of what CMS you’re running. Just like plugin-based password protection, you select a password for your site, along with any exceptions. Unlike plugin solutions, visitors won’t even see a WordPress logo when they arrive — they’ll simply see a text box asking them to log in.
Here are the tutorials we recommend:
Despite ongoing efforts to replace password protection with more robust and reliable security solutions — such as two-factor authentication or location-based access approval — recent research notes that “password authentication is still ubiquitous.”
So why this continued passion for passwords despite their potential problems? It’s simple: Familiarity and ease of use. The mechanism for password protection is widely understood and easy to implement — and in many cases, more complex defense efforts can cause more problems than they solve.
Passwords remain the most common form of digital security because they offer a low bar to entry. If you know the password, you’re granted access — if you don’t, you’re turned away.
They can also be easily combined with other security solutions to improve overall defense. For example, current-generation smartphones often leverage both biometric technologies — such as fingerprint or facial recognition sensors — and password-based backups.
While passwords often get a bad reputation for being regularly compromised, much of this issue stems from poor password selection. If users select their preferred passwords carefully, don’t use them across multiple sites, and adopt a policy of regular password change, it’s possible to significantly reduce digital risk.
Passwords aren’t perfect, and for attackers looking to expend minimal malicious effort, they’re a potentially attractive prospect. In truth, however, the biggest risk comes not from external but internal factors — users who unintentionally stumble into three common pitfalls:
No one wants to forget their password. As a result, it’s tempting to pick something simple and easy to remember — but this can rapidly get out of hand. Consider that the three most common passwords are “password”, “123456”, and “123456789”. While these are easy for users to remember, they’re also simple for attackers to guess.
The average user has between 70 and 80 passwords — so it’s no surprise that password reuse and duplication is common. The problem? If attackers compromise one account or website using a duplicated password, they’ve potentially compromised dozens or more.
The sheer number of passwords required to navigate digital-first landscapes means that users are often reluctant to change login credentials. Many also use physical media — such as sticky notes — to remind themselves of specific site or account passwords. In both cases, the existence of passwords that aren’t regularly updated creates a potential security issue.
Despite potential pitfalls, passwords offer substantive protective benefits — so long as users avoid common letter and number combinations, don’t duplicate these defenses, and regularly update login credentials.
For WordPress website owners and administrators, meanwhile, the judicious use of passwords offers peace of mind by limiting access to reduce potential security risk.
This article was originally published in November 2020 and has been updated for comprehensiveness.