Published on December 15th, 2011 | by Kieran
5Bypass a WordPress Password Protected Post or Page via a URL
I often use password protected posts and pages in WordPress to securely share content with friends and family. When they need want to look at the items they go to the page, enter the password and hey presto they are in. However, as clever as they all may be, getting them to enter even the simplest of password has proven to be a bit of a challenge. So I wanted an nice easy way to share a link or URL with them that would allow them to bypass the prompt for a password.
For example if the person went to http://www.domain.com/post/?password=PASSWORD they would be straight in without being asked for the password. I managed to achieve this by by editing /wp-includes/post_template.php and locating the section below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
function post_password_required( $post = null ) { $post = get_post($post); if ( empty($post->post_password) ) return false; if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) ) return true; if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password ) return true; return false; } |
It checks “Whether post requires password and correct password has been provided“, and returns a “false if a password is not required or the correct password cookie is present.” What I did was add a $_GET[‘password’] to look at the URL take the password from the URL, and to compare it with the actual password.
While you could put the password in plain text into the URL, I decided to use something like md5generator.net to convert the password into an MD5 string. The code below then compares the parsed password form the URL with the MD5 version of the password. This way, the link http://www.domain.com/post/?password=PASSWORD would become http://www.domain.com/post/?password=319f4d26e3c536b5dd871bb2c52e3178.
1 2 |
if ( $_GET['password'] == md5($post->post_password) ) return false; |
Simply add the above into /wp-includes/post_template.php like below
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
function post_password_required( $post = null ) { $post = get_post($post); if ( empty($post->post_password) ) return false; <span style="color: #800000;">// Get Password from URL and compare to MD5 Hash of Post_Password if ( $_GET['pass'] == md5($post->post_password) ) return false; </span> if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) ) return true; if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password ) return true; return false; } |
Now you will have the option of people visiting the post and entering the password or give them a link to bypass the password all together. Personally I use a URL shortner to make the URL a bit nice and also allows me to track visits to the URL.
5 Responses to Bypass a WordPress Password Protected Post or Page via a URL