Overview

PureDevs WP Locker provides comprehensive site-wide password protection, ensuring that only authorized visitors can access your website. This feature is essential for development sites, staging environments, or when performing major updates to your live site.

The password protection system is designed to be simple yet secure, requiring minimal configuration while providing robust access control.

How It Works

When password protection is enabled, every visitor to your site will be prompted to enter the password before they can view any content. Here’s how the system works:

1. Initial Visit

When a visitor first accesses your site, they are immediately redirected to a password entry page. This page displays:

  • A customizable heading (e.g., “Protected Site”)
  • An explanatory message prompting for password entry
  • A password input field
  • A submit button with customizable label

2. Password Verification

When the visitor submits their password:

  • The password is securely compared with your configured site password
  • If correct, the visitor’s IP address is stored in both a cookie and the database
  • The visitor is redirected to the page they originally requested
  • If incorrect, an error message is displayed, and they remain on the password page

3. Subsequent Visits

For returning visitors who have already entered the correct password:

  • The plugin checks for the authorization cookie
  • If found and valid, access is granted immediately
  • No password re-entry is required unless the cookie expires or is cleared
  • IP address is also verified against the database for additional security
Security Note

The plugin uses a dual-layer approach: cookies for convenience and database storage for persistence. This ensures authorized users maintain access even across browser sessions.

Protection Scope

PureDevs WP Locker protects your entire website, including:

  • All Pages: Every page on your site requires password entry
  • All Posts: Blog posts and custom post types are protected
  • Media Files: Direct access to media files is restricted
  • Archives: Category, tag, and date archives are protected
  • Search Results: Search functionality is locked behind password
  • RSS Feeds: RSS and Atom feeds require authentication
Important

The WordPress admin area (/wp-admin/) is NOT protected by this plugin. Administrators can still access the dashboard using their WordPress login credentials to manage the site and configure the locker settings.

IP Address Tracking

The plugin uses IP address tracking to recognize authorized visitors and maintain their access across sessions.

How IP Tracking Works

  • When a visitor enters the correct password, their IP address is recorded
  • The IP is stored in both a browser cookie (short-term) and the WordPress database (long-term)
  • On subsequent visits, the plugin checks if the visitor’s IP matches an authorized entry
  • If matched, access is granted without requiring password re-entry

Benefits of IP Tracking

  • Convenience: Users don’t need to enter password on every visit
  • Persistence: Authorization survives browser restarts and cookie clearing
  • Security: Limits access to known IP addresses
  • Bot Protection: Automated bots cannot bypass the protection
Pro Tip

If you or your team members have dynamic IP addresses that change frequently, users may need to re-enter the password when their IP changes. Consider this when choosing between staging environments and production usage.

Bot and Crawler Protection

One of the key benefits of PureDevs WP Locker is its ability to prevent search engine bots and automated crawlers from accessing your site content.

Protected Against:

  • Search Engines: Google, Bing, Yahoo, and other search bots cannot index your site
  • Web Crawlers: Automated scraping tools are blocked
  • Content Aggregators: RSS readers and content scrapers are prevented
  • Spam Bots: Comment and form spam bots cannot access your site
Use Case

This is particularly useful for development and staging sites where you don’t want search engines to index incomplete or test content. It also prevents your staging site from competing with your production site in search results.

Common Use Cases

1. Development Environments

Protect your development site while building new features or testing changes. Share the password with your development team and stakeholders for review.

2. Staging Sites

Keep your staging environment secure from public access while allowing clients and team members to preview changes before going live.

3. Maintenance Mode

Lock down your site during major updates or maintenance. Display a custom message explaining the situation and provide the password to trusted users who need access.

4. Pre-Launch Sites

Protect your site during the pre-launch phase while you finalize content, test functionality, and prepare for public release.

5. Private Websites

Create a private website accessible only to people who know the password. Perfect for internal company resources, private communities, or family websites.

6. Client Preview

Share work-in-progress with clients without making it publicly accessible. The simple password system is easier than managing individual user accounts.

Limitations and Considerations

While PureDevs WP Locker is powerful, it’s important to understand its limitations:

  • Single Password: The plugin uses one password for the entire site, not individual user accounts
  • No Granular Control: You cannot protect specific pages or sections; it’s all-or-nothing
  • Cookie Dependent: Users with cookies disabled will need to enter password on every visit
  • IP Changes: Users with dynamic IPs may need to re-authenticate when their IP changes
  • Admin Access: The WordPress admin area is not protected by this plugin
Alternative Solutions

If you need per-page protection, user-based access control, or membership site functionality, consider dedicated membership plugins like Restrict Content Pro or MemberPress instead.

Best Practices

Password Selection

  • Choose a strong, unique password that’s easy to share verbally or via text
  • Avoid common words or easily guessable passwords
  • Use a password manager to generate and store secure passwords
  • Consider changing the password periodically for added security

Communication

  • Clearly communicate the password to authorized users via secure channels
  • Use the custom heading to explain why the site is locked
  • Include contact information on the password page for support requests

Testing

  • Test the password protection in an incognito/private browser window
  • Verify that all site sections are properly protected
  • Test with different browsers and devices
  • Confirm that authorized users can access the site successfully