Basic password protection without using users and roles

You could try hooking into template_include and showing the user a completely different page containing the login form (without changing the URL) if the post is password protected. Combine that WordPress’ built in post password functionality and you have something really close to what you want (blocking an entire page).

You could also use {{insert whatever method you prefer}} to check if a post needs a password protection thing. Custom fields, block a whole category, etc.

Here’s a simple example using the template_include filter.

<?php
add_filter('template_include', 'wpse77865_hijack_template');
/**
 * Hooked into `template_redirect`.  Checks to see if we're on a singular page
 * and if it's password protected show the user a completely different page.
 *
 * @param   string $tmp The template
 * @uses    locate_template
 * @return  string
 */
function wpse77865_hijack_template($tmp)
{
    if (
        is_singular() &&
        post_password_required(get_queried_object()) &&
        ($pw = locate_template('password.php'))
    ) {
        // if we're here, we are on a singular page
        // need a password and locate_template actually found
        // password.php in our child or parent theme.
        $tmp = $pw;
    }

    return $tmp;
}

The above will replace the single.php template on posts that require a password (eg. the user hasn’t entered one yet) with a template file named password.php in your theme and/or child theme. That template might look something like this (ripped from twenty twelve).

<?php
/**
 * Post password form template.
 *
 * @package WordPress
 */

get_header('password'); ?>

<div id="primary">
    <div id="content" role="main">

        <?php while (have_posts()): the_post(); ?>

            <article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
                <header class="entry-header">
                    <h1 class="entry-title"><?php _e('Password Required', 'wpse'); ?></h1>
                </header><!-- .entry-header -->

                <div class="entry-content">
                    <?php echo get_the_password_form(); ?>
                </div><!-- .entry-content -->

                </footer><!-- .entry-meta -->
            </article><!-- #post -->

        <?php endwhile; // end of the loop. ?>

    </div><!-- #content -->
</div><!-- #primary -->

<?php get_footer('password'); ?>

As you can see, no hint of the content, just the password form. After the user enters the post password, they’ll see the normal page. Not sure if this will mess with the cart or checkout procress, but I’m betting that it won’t.

Here’s the template_include bit as a plugin.

Related Posts:

  1. Where to securely store API keys and passwords in WordPress?
  2. Why are passwords exportable as plain text in WordPress?
  3. How is password strength calculated?
  4. Make password invalid once logged out of password-protected page
  5. Can’t reset WordPress password
  6. Is the “lost password” feature truly a vulnerability?
  7. Frontend Password change
  8. Is it possible to reduce the minimum character length for passwords?
  9. Is there any point setting the keys and salts in wp-config.php?
  10. Preventing BFA in WordPress without using a plugin
  11. When is wp_set_password() called or how to capture a password
  12. How to delete Passwrd Protected posts cookies when a user logged out from the site
  13. Moving away from MD5: Where to declare the custom global $wp_hasher?
  14. How to get WordPress to send Password Reset Link Email instead of New Password?
  15. How can I force a specific password?
  16. Specific way to allow WordPress users to view their current password? And edit it?
  17. Can a WordPress administrator see other users’ passwords?
  18. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  19. Password-protect feed and make it usable in major aggregators
  20. Could a user account with a stolen password compromised entire WP site?
  21. How to set custom validation for WordPress Passwords?
  22. My WP site and password was hacked, what to do? [closed]
  23. Is my WP site being hacked?
  24. How to get real password (before encrypt) when register a user?
  25. How to delete Password Protected posts cookies when a user logged out from the site
  26. Directory to store secure file
  27. Can you alter the default wordpress strong password requirements?
  28. SSL Error: unable to get local issuer certificate
  29. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  30. Where does Internet Explorer store saved passwords?
  31. Infected Files – what to do [closed]
  32. Why does WordPress need my private ssh key to update?
  33. Why does WordPress have more than one salt?
  34. What is the ideal setup to address security concerns?
  35. Why “Contact Form 7” doesn’t update PHPmailer library?
  36. Can someone explain the use cases of esc_html?
  37. Close a wordpress blog – keep site as it is but prevent hacks
  38. Prevent setup-config.php page from appearing when host blocks database
  39. WordPress and Security
  40. Is /wp-login.php?redirect_to[] exploitable?
  41. Add new password rule to Ultimate Member register form
  42. brute force attack even though it is limited by IP
  43. What should I do about hacked server?
  44. How can I tell who changed the password?
  45. WordPress website Security [closed]
  46. How do I authenticate WP users from a chrome extension?
  47. Website is being flooded [closed]
  48. How many security plugins are too many? [closed]
  49. Will WordPress username displayed somewhere in the site?
  50. How to limit WordPress pages during updates?
  51. rms_unique_wp_mu_pl_fl_nm.php
  52. Why was my blog post inserted lot’s of ad links by others?
  53. Auth cookie value security risk?
  54. Security – Shortcode injection attack
  55. Registration Plugin – Recaptcha integration
  56. How to combat flooding admin-ajax.php?
  57. wp_create_nonce function doesn’t work inside a plugin?
  58. Would it be dangerous to send all the wp_options to javascript file?
  59. Should I disable directory listing for wp-includes?
  60. Nonce failing on form submission
  61. Safety side of storing emoji into database
  62. How can I safely hide the fact that my website runs on WordPress? [closed]
  63. How can I display nickname instead username in links
  64. My WordPress Websites are always under attack
  65. Is there value in using a wp_nonce for POST requests?
  66. How to hide easy access to my website temporarily?
  67. Can I Remove xmlrpc.php completely?
  68. Security concerns with external links
  69. Uploading .webm format on WordPress results in security guidline breach and fail
  70. Completely disabling password reset/recovery
  71. WordPress Password security related questions
  72. .htaccess password protection bypassed
  73. Session Cookie security questions
  74. Storing FTP details in wp-config.php
  75. Too many login attempts
  76. Spam injected in w3 total cache page cache [closed]
  77. How to distinguish between a hack and an encoding error?
  78. Prevent editor from adding script or form
  79. How to change location of wp-config.php to folder or 2 folders up?
  80. Webservice credential storage [duplicate]
  81. Finding where a snippet of code is coming from
  82. How can I save a password securely as a settings field
  83. Remove hacked code – out of ideas! [closed]
  84. Is this plugin safe to run?
  85. Is the Block Bad Queries Plugin Still Relevant?
  86. Create Woocommerce account password post-checkout on thank you page
  87. Automatic chage password of pages after some time
  88. Block JSON access over the net
  89. Bing/msn bots is heavily requesting random of my website
  90. Security: Critical backend outside of wordpress
  91. Advice On How to Backup WordPress
  92. Write mysql credentials in plugin
  93. Should I change the default file and folder permissions?
  94. SWF in wordpress post
  95. WordPress exploited theme is causing high io load on server
  96. How to rewrite rules for WP-security in Nginx?
  97. Is it a bad idea to CHMOD 777 all the files on your site?
  98. How to stop repeated hack on header.php of custom theme? [closed]
  99. How to test if my server is vulnerable to the ShellShock bug?
  100. Is wp-cron.php vulnerable to external attacks and how to protect it?