Password protect page with multiple passwords

by

Here’s just a demo test for fun, just to see if this might be possible:

Demo

First we set the post’s password, the usual way:

password

Then we create a custom field called wpse_extra_passwords that takes comma seperated passwords:

extra passwords

These are the extra passwords for that post.

Let’s define the following helper function, based on the post_password_required() core function:

/**
 * Helper function, check password + extra passwords
 */
function wpse_post_password_required( $post = null ) 
{
        $post = get_post($post);

        if ( empty( $post->post_password ) )
                return false;

        if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
                return true;

        require_once ABSPATH . WPINC . '/class-phpass.php';
        $hasher = new PasswordHash( 8, true );

        $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
        if ( 0 !== strpos( $hash, '$P$B' ) )
                return true;

        // Check the current password
        if( $hasher->CheckPassword( $post->post_password, $hash ) )
            return false;

        // Fetch extra passwords
        if( ! $extra_passwords = get_post_meta( $post->ID, 'wpse_extra_passwords', true ) )
            return true;

        // Check these extra passwords 
        $extra = explode( ',', $extra_passwords );      
        foreach( (array) $extra as $password )
        {
            $password = trim( $password );
            if( ! empty( $password ) && $hasher->CheckPassword( $password, $hash ) )
                return false;           
        }   
        return true;
}

Then we hook into the the_password_form filter and target the single post object in the main loop:

/**
 * Support extra post passwords for single posts in the main loop
 */
add_filter( 'the_password_form', function( $output )
{
    if( ! is_single() || ! in_the_loop() || did_action( 'the_password_form' ) )
        return $output;

    $post = get_post();

    // Display password form if none of the passwords matches:  
    if( wpse_post_password_required( $post ) )
        return $output;

    // Get the current password
    $password = $post->post_password;

    // Temporary remove it
    $post->post_password = '';

    // Fetch the content
    $content = get_the_content();

    // Set the password back
    $post->post_password = $password;

    return $content;
} );

Hopefully you can test it and play with it further.

Notes

You mentioned passwords like 2314. It’s very easy to write a program that can guess simple passwords like that. So I used a little bit stronger passwords in this demo.

Leave a Comment