Blog

    Home / Blog / Bypass a WordPress Password Protected Post or Page via a URL



    Bypass a WordPress Password Protected Post or Page via a URL

    Posted by Kieran on 15 Dec 2011 / 3 Comments
    Tags: , , , , ,


    I often use password protected posts and pages in WordPress to securely share content with friends and family. When they need want to look at the items they go to the page, enter the password and hey presto they are in. However, as clever as they all may be, getting them to enter even the simplest of password has proven to be a bit of a challenge. So I wanted an nice easy way to share a link or URL with them that would allow them to bypass the prompt for a password.

    For example if the person went to http://www.domain.com/post/?password=PASSWORD they would be straight in without being asked for the password. I managed to achieve this by by editing /wp-includes/post_template.php and locating the section below.

    function post_password_required( $post = null ) {
 $post = get_post($post);
 
 if ( empty($post->post_password) )
     return false;
 
 if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
     return true;
 
 if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
     return true;
 
    return false;
}

    It checks “Whether post requires password and correct password has been provided“, and returns a “false if a password is not required or the correct password cookie is present.” What I did was add a $_GET['password'] to look at the URL take the password from the URL, and to compare it with the actual password.

    While you could put the password in plain text into the URL, I decided to use something like md5generator.net to convert the password into an MD5 string. The code below then compares the parsed password form the URL with the MD5 version of the password. This way, the link http://www.domain.com/post/?password=PASSWORD would become http://www.domain.com/post/?password=319f4d26e3c536b5dd871bb2c52e3178.

    if ( $_GET['password'] == md5($post->post_password) )
        return false;

    Simply add the above into /wp-includes/post_template.php like below

    function post_password_required( $post = null ) {
 $post = get_post($post);
 
 if ( empty($post->post_password) )
     return false;
 
 // Get Password from URL and compare to MD5 Hash of Post_Password
 
 if ( $_GET['pass'] == md5($post->post_password) )
     return false;    
 
 if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
     return true;
 
 if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
     return true;
 
    return false;
}

    Now you will have the option of people visiting the post and entering the password or give them a link to bypass the password all together. Personally I use a URL shortner to make the URL a bit nice and also allows me to track visits to the URL.




    Related Posts


    3 Comments for Bypass a WordPress Password Protected Post or Page via a URL


    K.Adam White
    2 months ago


    Thanks for this post, this is an issue I’ve been struggling with too. Do you know if there is any way to break this functionality out into a plugin, so that we wouldn’t have to modify the core WordPress files?

    (Reply)

      Kieran
      2 months ago


      Hi K.Adam, I wasn’t able to find any plugins that would allow me to do this so I ended up modifying the code myself. It’s a bit of a pain alright remembering to modify the code everytime there is an update for WordPress.

      Might try and write a plugin myself or if you find one in the meantime please let me know.

      (Reply)

    K.Adam White
    1 month ago


    I tracked down how to do this using a filter on the_password_form. This can be put into a plugin, or into your theme functions:

    function bypass_password_form( $output ) {
    // Check for a hash of the password just like you do above
    if ( $_GET['pwd'] == md5( $post->post_password ) ) {
    return apply_filters( ‘the_content’, get_page( get_the_ID() )->post_content );
    }
    // Or return the output as normal
    return $output;
    }
    add_filter(‘the_password_form’,'bypass_password_form’);

    Hope that helps; it’s working for me on WordPress 3.3.1.

    (Reply)



    Leave a Reply