• Hello,

    There are 2 ways (or more?) for default WP functionality to prevent accessing a page.
    1) use a hook to check, make sure a user is logged in, via $current_user->ID
    2) add a Visibility Private password on a page

    Overall, I’m assuming option 1 is solid, no way around that? WordPress is secure and very good at keeping hackers or nonmembers from viewing a page.

    Your thoughts?
    Is there a 3rd way? Is there a better way to handle blocking access?

    Obviously, there are many plugins that promote this functionality, but I would rather use default WP functionality, instead of installing some random, old, unsafe plugin.

    thanks

    • This topic was modified 4 years, 10 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 4 replies - 1 through 4 (of 4 total)
  • What is your concern? Plugin safety?

    Your original premise does not take into account the RSS feed or the REST API, which will both show you a post outside of the normal browser mode.
    You can also do redirects based on variables such as cookies, before WP even loads.

    Thread Starter sayze35

    (@sayze35)

    Hi Joy,

    Are you saying a nonmember could access page content, WP pages via RSS feed or REST API, to bypass default WP user security?

    But yes, plugin safety, trust, etc. WordPress is solid, right? But not all plugins are solid.

    Thread Starter sayze35

    (@sayze35)

    Anyone know of nginx rules to only allow users to access a page?

    I’m just saying that the browser is not the only way to show a post/page, so putting a check for user logged in before outputting to the browser only covers one scenario. Of course, that’s what the password protected page does also. It only returns the content if the correct password is available. This is likely checked in the feed as well as REST API. But the hook you mentioned for checking the user login might not.
    Using password protected pages for a membership site is not that great since each page could have a different password, and it’s the same one for everyone, and changing it means changing it for every page. That’s just not what it was designed for.

    You might ought to search somewhere else for nginx rules.
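
The point raised in the replies, that a logged-in check on the browser path does not cover the feed or the REST API, shown as an added example that is not part of the original thread or of WordPress itself. It assumes a small custom plugin file and a hypothetical page ID of 42; the hooks and functions used are WordPress core ones.

```php
<?php
/**
 * Plugin Name: Members-only page guard (added example)
 *
 * Assumption: MEMBERS_ONLY_PAGE_ID is a placeholder; set it to your page's ID.
 */

const MEMBERS_ONLY_PAGE_ID = 42; // hypothetical page ID

// Front end and feeds: template_redirect fires before WordPress renders
// either a theme template or a feed, so one check covers both.
add_action( 'template_redirect', function () {
    if ( is_page( MEMBERS_ONLY_PAGE_ID ) && ! is_user_logged_in() ) {
        if ( is_feed() ) {
            // Feed readers cannot follow a login form; answer with 403.
            wp_die( 'Login required.', 'Forbidden', array( 'response' => 403 ) );
        }
        auth_redirect(); // redirects to the login screen and exits
    }
} );

// REST API: /wp-json/wp/v2/pages never reaches template_redirect, so blank
// the body fields there for anonymous requests (single item and collection).
add_filter( 'rest_prepare_page', function ( $response, $post, $request ) {
    if ( MEMBERS_ONLY_PAGE_ID !== (int) $post->ID || is_user_logged_in() ) {
        return $response;
    }
    $data = $response->get_data();
    foreach ( array( 'content', 'excerpt' ) as $field ) {
        if ( isset( $data[ $field ] ) ) {
            $data[ $field ] = array( 'rendered' => '', 'protected' => true );
        }
    }
    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

The REST filter blanks only the content and excerpt; the page title and other metadata still appear in the response.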

  • The topic ‘securing page with/without private’ is closed to new replies.