in Articles

Require login to view a WordPress site

On a WordPress site I have setup, I needed the ability to require user authentication before allowing anyone to view the website. To do this, just add the following snippet to the theme files:

get_currentuserinfo();
global $user_ID;
if ($user_ID == '')
{
        header('Location: wp-login.php');
}

Now you will be greeted with the WordPress login page when entering the site without being authenticated! Note that if you want to be completely sure that no one can retrieve any information without authenticating, you need to either modify the WordPress core files, or use some other type of authentication outside of the WordPress code, such as a basic auth in the webserver.

Edit: I created a WordPress plugin which does this in a much better way – WP Require Auth plugin.

Leave a Reply

27 Comments

  1. I had better luck putting your code into:

    wp-blog-header.php

    right uder where wordpress loads:

    wp();

    Putting it in the template kept giving me errors that the header was already sent.

    • It’s probably best not to modify the core files since they will be overwritten on update. Are you sure that you are putting the code at the top of the theme files? Directly after <?php

  2. “Note that if you want to be completely sure that no one can retrieve any information without authenticating you need to either modify the WordPress core files, or use some other type of authentication outside of the WordPress code, such as a basic auth in the webserver.”

    How would someone go about retrieving my information if I don’t use any outside authentication? I want to understand the vulnerabilities before I implement this.

    • You can get the posts using the RSS feed for instance and from there, retrieve the links for different post listings. I guess there could be a plugin available that does this in a better way. I might write one otherwise, when I have time.

  3. Worked great and did exactly as was needed. However, it inserted strings on to the published RSS feed page that prevent the feed from being translated in feed pullers. While we want to keep the WP site private to our small group, the group still wants to access that feed. If you are aware of any workarounds it would be greatly appreciated.

      • I don’t suppose there is any chance you could drop me a quick fix for this part? The only reason I ask is because we’ve implemented this in a large part of out site and unfortunately we are working on a time line with this being our biggest immediate ‘issue’ :) I greatly appreciate your work on this script, this RSS issue is the only thing I’ve come across that has given any problems. If possible, any direction you can offer as a “band-aid” until the next release is made available would be greatly appreciated.

        I did see a similar post with a method which modified the wprequireauth.php page to exclude certain pages from being modified. Tried several target files but still no change.

      • As a quick fix, you can add the following lines to ignore RSS when checking for access.

        && (strpos($_SERVER['PHP_SELF'], ‘wp-rss.php’) === false)
        && (strpos($_SERVER['PHP_SELF'], ‘wp-rss2.php’) === false)

        Add them between:
        && (strpos($_SERVER['PHP_SELF'], ‘wp-register.php’) === false)
        [--ADD HERE-- around line 23]
        && (strpos($_SERVER['PHP_SELF'], ‘async-upload.php’) === false))

        Don’t forget to reupload the file when you have edited it. :)

      • Hey Johnny, I sent you a message through the contact form. I know you’ve been busy, its ok! I tried inserting those strings in to the page but the feed is still not being excluded from the include list. Is there anything else I may need to change?

  4. Looking to secure part of my website, why would it not be completely protected when adding code for checking the global user ID variable?

    Best regards

    Paul

  5. I do have a few questions about this plugin. How is the login data saved and secured? Is there encryption to protect the login data? A better question would be – is it possible to access existing login information stored within a mySQL database and utilize it with this login control?

  6. I used this plugin but for some reason the registration page does not open up and redirects back to the login screen which means, I can accept registrations. Can you clarify if this is a problem and the solution as registration is mandatory though account approvals will be done from admin.

    Thanks,
    Vishal

  7. Hey

    When i activate the plugin i get the following error:

    Warning: Cannot modify header information – headers already sent by (output started at /customers/8/4/d/sommerstedgade2123.dk/httpd.www/index.php:3) in /customers/8/4/d/sommerstedgade2123.dk/httpd.www/wp-includes/pluggable.php on line 934

    Can you please help me out?

  8. hi there. . . . .
    i’m new to wordpress , i just installed wordpress 3.2.1 version and i was configured all theme parameters and website settings , but now i have a problem with loading my website.
    when i try to see my website a login page appear !! in fact my website is not configured for public to view!
    how can i fix that?
    i checked all settings in wp-admin page but i can’t find any option to fix this problem , please help me!
    thatn you :)

  9. I am having a problem with a theme that I developed a long time ago. I developed and tested the theme with WordPress 2.3.1 and it was functioning alright. Unfortunately my client was not ready when the project should have been completed and the project was put on hold. There seems to be a problem with the theme and with WordPress 3.3. When I try to view the blog a pop window opens that says “To view this page, you must log in” and it requires me to type in my username and password. I never had this problem before. I’ve been trying to figure this out and it’s driving me crazy. I would really appreciate it if someone would let me know what is causing the problem.

  10. I am having a problem with a theme that I developed a long time ago. I developed and tested the theme with WordPress 2.3.1 and it was functioning alright. Unfortunately my client was not ready when the project should have been completed and the project was put on hold. There seems to be a problem with the theme and with WordPress 3.3. When I try to view the blog a pop window opens that says “To view this page, you must log in” and it requires me to type in my username and password. I never had this problem before. I’ve been trying to figure this out and it’s driving me crazy. I would really appreciate it if someone would let me know what is causing the problem.