Password Protect Site puts a single password between your front-end and the public internet. Visitors see a branded login screen, enter the shared password, and gain access for a configurable session length. It’s ideal for staging sites, soft launches, members-only previews, or any time you need to gate a site without setting up user accounts.
What this feature does
When enabled, AdminEase intercepts every front-end request before WordPress renders it. If the visitor hasn’t entered the correct password yet, they see your password-entry page. Once they authenticate, AdminEase issues a session cookie tied to their IP and device, and they pass through to the real site.
Logged-in administrators (anyone with manage_options) bypass the gate automatically. Pro adds finer-grained access control: bypass by user role, whitelist by IP, and configurable “remember me” durations.
Password Protect Site is a single shared password for everyone, not user accounts. It’s designed for the “coming soon” or “internal preview” use case. For per-user access control, use WordPress’s built-in user system or a membership plugin.
How to enable it
- Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
- Pick a strong password. Enter a password in the Site Password field. Treat it like any shared credential: long, hard to guess, and rotated when someone with the password leaves the project.
- Customise the entry page. Fill in Page Title, Headline, and Message. Pick brand colours. The defaults work, but a custom message reassures visitors that they’ve reached the right place.
- Toggle Enable Password Protection on and save. AdminEase starts gating the site as soon as the settings are saved. Test in a private/incognito window to confirm.
If you forget your password and you’re also logged out of WordPress admin, you can’t reach the dashboard to disable the feature. Always test in a private window first while keeping your admin tab open in the regular browser. As a fallback, you can disable AdminEase via SFTP by renaming the adminease/ plugin folder, which restores normal access.
Settings reference
Core settings (free)
| Setting | What it does | Default |
|---|---|---|
| Enable Password Protection | Master switch. While on, all front-end requests from non-admins go through the password gate. | Off |
| Site Password | The shared password visitors must enter. Required when the master switch is on. Stored hashed using WordPress bcrypt-compatible hashing. Never displayed back in the form after saving. | Empty |
| Page Title | The HTML <title> shown in the browser tab. |
Site Name: Password Protected |
| Headline | The big text at the top of the entry page. | Site Name |
| Message | Body text shown above the password input. Allows basic HTML. | “This site is password protected. Please enter the password to access the site.” |
| Show Site Logo | Displays your WordPress site icon (set under Settings › General) above the headline. | On |
| Primary Color | Background and accent colour for the page. | #0073aa |
| Secondary Color | Border and secondary UI colour. | #23282d |
| Text Color | Body-text colour for the headline and message. | #333333 |
| Bind Authentication To IP | When on, invalidates the auth cookie if the client IP changes. Adds an extra security layer by binding the HMAC signature to the visitor’s IP address. Disable for mobile users on changing networks or users behind corporate proxies. | Off |
| Auto-load Access Log | When on, the access-log panel fetches its first page as soon as the AdminEase dashboard opens. Off means you click Refresh manually. | Off |
| Access Log Retention | Maximum number of access log entries to keep in the database. Set to 0 to disable logging completely. Maximum allowed: 10,000 entries. | 1,000 |
| Excluded Pages | Multi-select with AJAX autocomplete. Pages picked here remain publicly accessible even with the gate on. Useful for landing pages, privacy policies, or webhook endpoints. Searches posts, pages, and custom post types. | Empty |
| Bypass On Archives & Home | When on, archive pages, the blog index, category and tag pages, and the home page bypass the password gate. All other pages remain protected. | Off |
| Included Pages | Multi-select with AJAX autocomplete. When populated, only the pages listed here are gated; everything else is public. Takes precedence over Excluded Pages. Inverts the default behaviour. | Empty |
Pro extras
| Setting | What it does | Default |
|---|---|---|
| Bypass Password Protection For Roles Pro | Multi-select of WordPress user roles. Logged-in users in any of the chosen roles skip the password gate. | Empty |
| Whitelisted IP Addresses Pro | One IP per line. Requests from these addresses pass through without seeing the gate. | Empty |
| Remember Device Pro | How long a successful login is remembered before the visitor needs to enter the password again. Choose 1 day, 1 week, 1 month, or a custom duration. | 1 day |
| Custom time Pro | Free-form duration in seconds, used when Remember Device is set to Other. | Empty |
Excluded vs included pages
The two list fields work together but in opposite directions:
If both lists have entries, Included Pages wins: AdminEase treats the rest of the site as public and gates only the listed pages. Use one list at a time for predictable behaviour.
Page selection uses an autocomplete that searches your posts, pages, and custom post types as you type, so you don’t need to know IDs.
Using the access log
Once the feature is on, an Access Log panel appears below the settings on the Security tab. Each row records a successful or failed entry attempt with timestamp, IP, country, user agent, attempted password (failed attempts only), and the result.
Action buttons above the table let you Refresh the list, Clear all entries, or Download the log as a CSV for offline review or compliance reporting.
Failed-attempt lockout
Repeated wrong-password attempts from the same IP are tracked. After enough failures, AdminEase rejects further attempts from that IP for a cooldown period. An hourly cleanup task expires old failed-attempt records so a single bad afternoon doesn’t lock an IP forever.
What happens behind the scenes
AdminEase uses stateless cookies instead of PHP sessions. Each auth cookie contains version, issued-at timestamp, expiration timestamp, and an HMAC signature. The signature is derived from the stored password hash and WordPress salt, so validation requires no database lookups beyond reading the stored password on boot.
When Bind Authentication To IP is enabled, the IP address is hashed into the signature. If the visitor’s IP changes, the signature no longer matches and the cookie is rejected, forcing re-authentication.
The gate intercepts requests on the WordPress template_redirect hook before any template loads. Admin users (capability manage_options) bypass the gate entirely. The adminease_password_protect_site_check_access filter allows plugins to short-circuit the gate.
Failed login attempts are tracked in transients (stored in your database cache). Each IP gets its own transient keyed by MD5 hash of the IP, storing attempt count and timestamp. The TTL is anchored to the first attempt, resetting after each successful login or when the window expires.
Passwords are hashed on save using wp_hash_password(), which uses WordPress’s bcrypt-compatible phpass algorithm. Legacy plaintext passwords are detected on login and automatically migrated to hashed format on the first successful authentication.
Troubleshooting
I locked myself out
Easiest path: log in to WordPress admin in a separate tab (administrators bypass the gate) and turn the feature off. If you’re also logged out, rename the adminease/ plugin folder via SFTP to deactivate the plugin, then turn the feature off and re-enable AdminEase.
The password screen renders but submitting does nothing
Check that JavaScript is enabled on the front-end and that no security plugin is blocking the adminease_site_password_check AJAX action. Aggressive caching plugins can also serve a stale version of the page; clear the cache and try again.
A page that should be public is being gated
Add it to Excluded Pages, or check that Included Pages isn’t accidentally set to a small list (which makes everything else public, but only those listed pages gated). Empty both lists if the result is unexpected.
A whitelisted IP still sees the gate
Two common causes: your visitor’s real IP is being hidden by a CDN or reverse proxy (so AdminEase sees the proxy IP, not theirs), or the IP in your whitelist is the visitor’s IPv6 address but they’re actually visiting over IPv4 (or vice versa). Check the access log to see exactly which IP AdminEase recorded.
The remember-me window seems wrong
The cookie is bound to the visitor’s IP. If their IP changes (mobile network handoff, VPN switch, ISP rotation), they’ll be prompted again. This is intentional and prevents cookie theft. If it’s frustrating in your environment, increase Remember Device so they don’t notice as often.