Tech password-bypass

Published on December 15th, 2011 | by Kieran

5

Bypass a WordPress Password Protected Post or Page via a URL

I often use password protected posts and pages in WordPress to securely share content with friends and family. When they need want to look at the items they go to the page, enter the password and hey presto they are in. However, as clever as they all may be, getting them to enter even the simplest of password has proven to be a bit of a challenge. So I wanted an nice easy way to share a link or URL with them that would allow them to bypass the prompt for a password.

For example if the person went to http://www.domain.com/post/?password=PASSWORD they would be straight in without being asked for the password. I managed to achieve this by by editing /wp-includes/post_template.php and locating the section below.

function post_password_required( $post = null ) {
 $post = get_post($post);

 if ( empty($post->post_password) )
     return false;

 if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
     return true;

 if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
     return true;

    return false;
}

It checks “Whether post requires password and correct password has been provided“, and returns a “false if a password is not required or the correct password cookie is present.” What I did was add a $_GET['password'] to look at the URL take the password from the URL, and to compare it with the actual password.

While you could put the password in plain text into the URL, I decided to use something like md5generator.net to convert the password into an MD5 string. The code below then compares the parsed password form the URL with the MD5 version of the password. This way, the link http://www.domain.com/post/?password=PASSWORD would become http://www.domain.com/post/?password=319f4d26e3c536b5dd871bb2c52e3178.

if ( $_GET['password'] == md5($post->post_password) )
        return false;

Simply add the above into /wp-includes/post_template.php like below

function post_password_required( $post = null ) {
 $post = get_post($post);

 if ( empty($post->post_password) )
     return false;

 // Get Password from URL and compare to MD5 Hash of Post_Password

 if ( $_GET['pass'] == md5($post->post_password) )
     return false;    

 if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
     return true;

 if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
     return true;

    return false;
}

Now you will have the option of people visiting the post and entering the password or give them a link to bypass the password all together. Personally I use a URL shortner to make the URL a bit nice and also allows me to track visits to the URL.

Tags: , , , , ,


About the Author

has worked with computers and technology for nearly 20 years. Based in the United Kingdom, he works throughout EMEA as a Solution Consultant, specialising in Fax & Document Distribution technologies. Predominantly blogging on KieranLane.com he can also be found on Twitter @KieranLane, and Flickr.



5 Responses to Bypass a WordPress Password Protected Post or Page via a URL

  1. K.Adam White says:

    Thanks for this post, this is an issue I’ve been struggling with too. Do you know if there is any way to break this functionality out into a plugin, so that we wouldn’t have to modify the core WordPress files?

    • Kieran says:

      Hi K.Adam, I wasn’t able to find any plugins that would allow me to do this so I ended up modifying the code myself. It’s a bit of a pain alright remembering to modify the code everytime there is an update for WordPress.

      Might try and write a plugin myself or if you find one in the meantime please let me know.

  2. K.Adam White says:

    I tracked down how to do this using a filter on the_password_form. This can be put into a plugin, or into your theme functions:

    function bypass_password_form( $output ) {
    // Check for a hash of the password just like you do above
    if ( $_GET['pwd'] == md5( $post->post_password ) ) {
    return apply_filters( ‘the_content’, get_page( get_the_ID() )->post_content );
    }
    // Or return the output as normal
    return $output;
    }
    add_filter(‘the_password_form’,’bypass_password_form’);

    Hope that helps; it’s working for me on WordPress 3.3.1.

  3. Lindy says:

    Thank you for this article.

    One issue I found is that it does not set the password in a cookie. Is there any way to do this?

  4. Jurij says:

    Hi, thank you for your content!
    I found this plugin which might help: http://wordpress.org/extend/plugins/post-password-plugin/
    I have not tested it, so I do not know if it work for password protected pages as well.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Back to Top ↑