• Hi all

    I have a single page passworded on my site. However the WP password protection does not seem very safe because after a user has logged into the page to see the content they can just keep going back to the page, even after closing the browser.

    I have looked this up and can see many past posts about the password being stored for 10 days as a cookie and I have found posts that advise about hacks and then finally I found that in v 3.7 or WP control was added to the wp-login.php file to allow cookie timeout changes.

    However my problem appears to be that even though I have changed the wp-login.php file to zero – i.e. every session must produce a login, it does not seem to work and I am wondering if I have made the change correct.

    The article I read said this section is the part that needs changing:-

    /**
    	 * Filter the life span of the post password cookie.
    	 *
    	 * By default, the cookie expires 10 days from creation. To turn this
    	 * into a session cookie, return 0.
    	 *
    	 * @since 3.7.0
    	 *
    	 * @param int $expires The expiry time, as passed to setcookie().
    	 */
    	$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
    	$secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
    	setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

    This starts about line 467.

    So I changed this part: time() + 10 * DAY_IN_SECONDS to:

    time() + 0 * DAY_IN_SECONDS

    as the notes seem to suggest that is what to do.

    However if I change this to zero the password protection for the page does not work at all. Also the other thing is that, presumably, each time there is an update the wp-login.php file will be replaced, meaning having to change it each time.

    The site is here: https://www.farnhamscouting.com and as this is a charity and the passworded page is a list of members I only want members to see the content but, as has been said many times in other posts about this, if the page is viewed from an internet cafe or public computer then it seems open to the world!

    Can anyone provide any helps/ideas how to get the password expiry to work in wp-login.php properly?

    Cheers

    SteveB

  • The topic ‘SIngle Page Password Problems’ is closed to new replies.