Require login to view a WordPress site
On a WordPress site I have setup, I needed the ability to require user authentication before allowing anyone to view the website. To do this, just add the following snippet to the theme files:
get_currentuserinfo();
global $user_ID;
if ($user_ID == '')
{
header('Location: wp-login.php');
}
Now you will be greeted with the WordPress login page when entering the site without being authenticated! Note that if you want to be completely sure that no one can retrieve any information without authenticating, you need to either modify the WordPress core files, or use some other type of authentication outside of the WordPress code, such as a basic auth in the webserver.
Edit: I created a WordPress plugin which does this in a much better way – WP Require Auth plugin.
17 Comments
Post a comment
I had better luck putting your code into:
wp-blog-header.php
right uder where wordpress loads:
wp();
Putting it in the template kept giving me errors that the header was already sent.
It’s probably best not to modify the core files since they will be overwritten on update. Are you sure that you are putting the code at the top of the theme files? Directly after <?php
Thanks!
I used this on my blog too, like ws0x9 I had better luck with it in the header file!
Great that it works!
“Note that if you want to be completely sure that no one can retrieve any information without authenticating you need to either modify the WordPress core files, or use some other type of authentication outside of the WordPress code, such as a basic auth in the webserver.”
How would someone go about retrieving my information if I don’t use any outside authentication? I want to understand the vulnerabilities before I implement this.
You can get the posts using the RSS feed for instance and from there, retrieve the links for different post listings. I guess there could be a plugin available that does this in a better way. I might write one otherwise, when I have time.
Thank you so much for this little code snippet! Works much better than any other plugin I was able to find.
You’re welcome! Have a look at WP Require Auth though, it is a WordPress plugin which makes it a bit more elegant than this hack — and you can install it directly from your WordPress installation under plugins.
Thanks, works like a charm. I was afraid it would mess up my FacebookConnect plugin, but it works.
Worked great and did exactly as was needed. However, it inserted strings on to the published RSS feed page that prevent the feed from being translated in feed pullers. While we want to keep the WP site private to our small group, the group still wants to access that feed. If you are aware of any workarounds it would be greatly appreciated.
We are using WP 3.0
Support for publishing the RSS feed while still keeping the website private is coming in the next version of wp-require-auth, coming soon.
I don’t suppose there is any chance you could drop me a quick fix for this part? The only reason I ask is because we’ve implemented this in a large part of out site and unfortunately we are working on a time line with this being our biggest immediate ‘issue’
I greatly appreciate your work on this script, this RSS issue is the only thing I’ve come across that has given any problems. If possible, any direction you can offer as a “band-aid” until the next release is made available would be greatly appreciated.
I did see a similar post with a method which modified the wprequireauth.php page to exclude certain pages from being modified. Tried several target files but still no change.
As a quick fix, you can add the following lines to ignore RSS when checking for access.
&& (strpos($_SERVER['PHP_SELF'], ‘wp-rss.php’) === false)
&& (strpos($_SERVER['PHP_SELF'], ‘wp-rss2.php’) === false)
Add them between:
&& (strpos($_SERVER['PHP_SELF'], ‘wp-register.php’) === false)
[--ADD HERE-- around line 23]
&& (strpos($_SERVER['PHP_SELF'], ‘async-upload.php’) === false))
Don’t forget to reupload the file when you have edited it.
If you drop me a line using the contact page, I can attach an updated file for you to use until the next version.
Hey Johnny, I sent you a message through the contact form. I know you’ve been busy, its ok! I tried inserting those strings in to the page but the feed is still not being excluded from the include list. Is there anything else I may need to change?