How to Password-Protect a WordPress Page: Complete Guide

Knowing how to password-protect a WordPress page is an essential skill for any site owner who wants to restrict access to sensitive content, client deliverables, members-only resources, or draft pages not yet ready for the public. WordPress makes this surprisingly straightforward, and in this guide you will learn every method available — from the native built-in option to plugins and custom code — so you can choose the approach that best fits your workflow.

Why Password-Protecting a WordPress Page Matters

Not every piece of content on your website is meant for everyone. There are many legitimate reasons to lock a page behind a password:

  • Client portals: Share project files, reports, or invoices with specific clients without building a full membership system.
  • Staging content: Preview new pages with stakeholders before publishing them publicly.
  • Gated resources: Offer premium downloads, tutorials, or guides to paying customers or subscribers.
  • Internal documentation: Keep company policies or team notes on your site but away from public view.
  • Compliance and privacy: Restrict access to pages containing personally identifiable information or sensitive data.

WordPress offers a native visibility setting that handles most use cases. For more advanced scenarios — such as bulk protection, role-based access, or category-level locks — plugins and custom code fill the gap.

Method 1: Using the Built-In WordPress Password Protection

The easiest and fastest way to password-protect a single page requires no plugins at all. WordPress has had a built-in Password Protected visibility option since version 2.7.

Step-by-Step: Block Editor (Gutenberg)

  1. Log in to your WordPress dashboard and navigate to Pages > All Pages.
  2. Click on the page you want to protect to open it in the block editor.
  3. In the right-hand sidebar, locate the Summary panel (sometimes labelled Status & Visibility).
  4. Click the Public link next to the Visibility label.
  5. A dropdown will appear with three options: Public, Private, and Password Protected. Select Password Protected.
  6. Type your desired password into the Use a password field that appears. Choose a strong, unique password.
  7. Click OK to confirm your selection.
  8. Click the blue Update (or Publish) button to save the changes.

Visitors who navigate to the page will now see a password prompt before any content is displayed. Once they enter the correct password, WordPress sets a cookie so they are not asked again during the same browser session.

Step-by-Step: Classic Editor

  1. Open the page in the Classic Editor.
  2. In the Publish meta box on the right, click Edit next to Visibility: Public.
  3. Select the Password protected radio button.
  4. Enter your password in the field provided.
  5. Click OK, then click Update to save.

Limitations of the Built-In Method

  • Only one password per page — you cannot assign different passwords to different users.
  • The password is stored as a plain MD5 hash in the database, which is not the most secure hashing algorithm.
  • The default password prompt form is minimal and cannot be restyled without custom CSS or a plugin.
  • It does not protect page URLs from being indexed if a search engine crawls them before the password is set.

Method 2: Password-Protecting Pages With a Plugin

For more control, flexibility, and user-friendly features, dedicated plugins are the way to go. Below are two popular, well-maintained options.

Using Password Protected Pages (Passster)

Passster is a free plugin available in the WordPress repository that lets you protect individual pages, post types, or entire categories with a password or an access code list.

  1. Go to Plugins > Add New in your dashboard.
  2. Search for Passster and click Install Now, then Activate.
  3. Open the page you want to protect in the editor.
  4. Scroll down to find the Passster meta box (Classic Editor) or the Passster panel in the sidebar (Block Editor).
  5. Enable protection and enter one or more passwords or access codes.
  6. Optionally configure a custom unlock form, cookie duration, and redirect URL.
  7. Save or update the page.

Using Members by MemberPress

If you need role-based access control rather than a simple password, Members (free) by MemberPress lets you restrict pages to logged-in users with specific roles or capabilities, which is a more robust approach for membership sites.

  1. Install and activate the Members plugin from the WordPress repository.
  2. Open the target page in the editor.
  3. Find the Content Permissions meta box at the bottom of the page.
  4. Check the user roles that should be allowed to view the content (e.g., Subscriber, Editor).
  5. Enter an error message to show users who do not have access.
  6. Update the page.

Method 3: Password-Protecting Pages With WP-CLI

If you manage WordPress from the command line — on a server, via SSH, or in a local development environment — WP-CLI lets you set page passwords without touching the dashboard. This is particularly useful for automating deployments or bulk updates.

Using WP-CLI to Set a Password on a Page

First, find the ID of the page you want to protect:

wp post list --post_type=page --fields=ID,post_title

Once you have the page ID (for example, 42), run the following command to set the visibility to password-protected and assign a password:

wp post update 42 --post_password="YourStr0ngP@ssword" --post_status="publish"

To verify the change was applied correctly:

wp post get 42 --fields=ID,post_title,post_password,post_status

The post_password field will now contain the hashed version of the password you set. WP-CLI handles the hashing automatically using WordPress's own password functions.
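For the bulk-update case mentioned at the start of this method, here is an added example (not from the original article) that reads page IDs and gives each page its own generated password. The function names `meets_policy`, `gen_password` and `protect_pages` are made up for this example; the 16-character, four-class policy and the no-reuse rule come from the best-practices list in this guide.

```shell
#!/bin/sh
# Added example: bulk-protect pages, one generated password per page.
LC_ALL=C; export LC_ALL   # keep [A-Z]-style ranges byte-exact

# Policy from the best-practices list: >= 16 chars, upper, lower, digit, symbol.
meets_policy() {
    [ "${#1}" -ge 16 ] || return 1
    case $1 in *[A-Z]*) ;; *) return 1 ;; esac
    case $1 in *[a-z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
}

# Draw up to 20 characters from /dev/urandom; retry until the policy is met.
gen_password() {
    while :; do
        pw=$(head -c 256 /dev/urandom | tr -dc 'A-Za-z0-9@%+=_:' | cut -c1-20)
        meets_policy "$pw" && break
    done
    printf '%s\n' "$pw"
}

# Read page IDs on stdin, set a fresh password on each page,
# and print "ID<TAB>password" for every page that was updated.
protect_pages() {
    rc=0
    while IFS= read -r id; do
        case $id in
            ''|*[!0-9]*) echo "skip: '$id' is not a numeric ID" >&2; continue ;;
        esac
        pw=$(gen_password)
        if wp post update "$id" --post_password="$pw" >/dev/null; then
            printf '%s\t%s\n' "$id" "$pw"
        else
            echo "error: could not update page $id" >&2; rc=1
        fi
    done
    return $rc
}

# Usage (run where WP-CLI can reach the site):
#   wp post list --post_type=page --field=ID | protect_pages > page-passwords.tsv
# Move the resulting list into a password manager and delete the file afterwards.
```

Because every page gets an independently generated value, no password is shared between pages, and the ID-to-password list is the only place the new values are written out.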

Method 4: Protecting a Page Programmatically With PHP

Advanced developers may want to set or override page passwords directly in PHP — for example, inside a theme's functions.php file or a custom plugin. This approach is useful when building automated workflows or integrations.

Setting a Password on a Page via PHP

You can use the wp_update_post() function to assign a password to any page by its ID:

<?php
// Add this snippet to your theme's functions.php or a custom plugin
add_action( 'init', 'set_custom_page_password' );
function set_custom_page_password() {
    // Replace 42 with your actual page ID
    $page_id = 42;
    $page    = get_post( $page_id );
    // Only update if no password is currently set
    if ( $page && empty( $page->post_password ) ) {
        wp_update_post( array(
            'ID'            => $page_id,
            'post_password' => 'YourStr0ngP@ssword',
        ) );
    }
}
?>

Important: WordPress automatically hashes the password value you pass to wp_update_post() using wp_hash_password(), so never store or pass a pre-hashed value — always pass the plain text password and let WordPress handle hashing.

Removing a Password Programmatically

To remove password protection from a page programmatically, simply update the post_password field to an empty string:

wp_update_post( array(
    'ID'            => 42,
    'post_password' => '',
) );

Best Practices and Security Tips

Password-protecting a page adds a layer of access control, but it is not a replacement for proper security hygiene. Follow these best practices to make your password-protected pages as secure as possible.

Choose Strong, Unique Passwords

  • Use at least 16 characters combining uppercase, lowercase, numbers, and symbols.
  • Never reuse the same password across multiple pages or sites.
  • Use a password manager to generate and store passwords safely.

Limit Cookie Duration

By default, the cookie WordPress sets after a visitor enters a correct password lasts for 10 days. You can reduce this duration using the post_password_expires filter:

add_filter( 'post_password_expires', function( $expires ) {
    return time() + 60 * 60; // Cookie expires in 1 hour
} );

Prevent Search Engine Indexing

Password-protected pages can still appear in search results if they were indexed before you added the password. To prevent this, add a noindex directive. Most SEO plugins (Yoast SEO, Rank Math) let you set this per page. Alternatively, add the following to your theme's functions.php:

add_action( 'wp_head', function() {
    if ( post_password_required() ) {
        echo '<meta name="robots" content="noindex, nofollow" />';
    }
} );
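To confirm from the outside that a protected page behaves as described (prompt shown, content withheld, noindex emitted), the following added example, which is not part of the original article, audits the HTML an anonymous visitor receives. The function name `audit_locked_page` and the canary phrase are assumptions of this example, and the form check assumes the default WordPress prompt, whose form carries the class `post-password-form`.

```shell
#!/bin/sh
# Added example: audit the HTML an anonymous visitor or crawler receives.
# CANARY is a phrase you choose that occurs only in the protected body.
#   curl -s https://example.com/client-portal/ | audit_locked_page "Invoice 2024-Q3"
audit_locked_page() {
    canary=$1
    [ -n "$canary" ] || { echo "usage: audit_locked_page CANARY < html" >&2; return 2; }
    html=$(cat)
    rc=0
    # 1. The default WordPress prompt is a form with class "post-password-form".
    case $html in
        *post-password-form*) echo "ok: password form present" ;;
        *) echo "FAIL: no password form in response"; rc=1 ;;
    esac
    # 2. The protected text must not be served before the password is entered.
    case $html in
        *"$canary"*) echo "FAIL: protected text visible without password"; rc=1 ;;
        *) echo "ok: protected text not exposed" ;;
    esac
    # 3. A robots meta tag with noindex should be present (either quote style).
    if printf '%s\n' "$html" | grep -Eiq '<meta[^>]*name=.robots.[^>]*noindex'; then
        echo "ok: noindex present"
    else
        echo "FAIL: noindex missing"; rc=1
    fi
    return $rc
}

# Constructed sample: a locked page as served before the password is entered.
SAMPLE_LOCKED='<html><head>
<meta name="robots" content="noindex, nofollow" />
</head><body>
<form action="/wp-login.php?action=postpass" class="post-password-form" method="post">
<input name="post_password" type="password" /></form>
</body></html>'
printf '%s\n' "$SAMPLE_LOCKED" | audit_locked_page "Invoice 2024-Q3"
```

Run it without any cookies so the response matches what a crawler would see; a non-zero exit status means at least one of the three checks failed.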

Use HTTPS

Passwords transmitted over an unencrypted HTTP connection can be intercepted. Always ensure your WordPress site uses an SSL certificate (HTTPS) before relying on password protection for anything sensitive.

Consider Role-Based Access for Teams

If you are protecting content for a group of people (e.g., employees or members), individual passwords can become a management headache. Role-based access via a plugin like Members or a full membership solution is more scalable and auditable.

Frequently Asked Questions

Does password-protecting a WordPress page hide it from search engines?

Not automatically. The page title and URL can still be indexed by search engines even after you add a password. To prevent indexing, add a noindex meta tag to password-protected pages using an SEO plugin or the custom PHP snippet shown in the best practices section above.

Can I use different passwords for different users on the same page?

WordPress's built-in password protection only supports a single password per page. If you need per-user passwords or access codes, use a plugin like Passster, which supports multiple access codes, or a membership plugin that ties access to individual user accounts.

How do I remove the password from a WordPress page?

Open the page in the editor, click the visibility setting, select Public, and then update the page. In WP-CLI you can run wp post update PAGE_ID --post_password="". Programmatically, call wp_update_post() with 'post_password' => '' as shown in the PHP examples above.

Will password protection work on custom post types, not just pages?

Yes. WordPress's built-in password visibility option is available on any post type that has the public argument set to true and supports the editor feature. Both the WP-CLI command and the PHP wp_update_post() function work on any post type by targeting its ID.

Password-protecting a WordPress page is a quick yet powerful way to control who sees your content, whether you use the native editor setting for a single page, a plugin for bulk or advanced protection, or WP-CLI and PHP for developer-driven workflows. If you want an even faster way to manage tasks like this — without memorising menus or writing code — WP AI Agent lets you handle WordPress tasks, including setting page passwords and managing visibility settings, through simple natural-language AI chat, making site management faster and more accessible than ever.
