How to Password Protect a WordPress Page

Despite ongoing efforts to replace password protection with more robust and reliable security solutions — such as two-factor authentication or location-based access approval — recent research notes that “password authentication is still ubiquitous although alternatives have been developed to overcome its shortcomings”.

So why this continued passion for passwords despite their potential problems? It’s simple: Familiarity and ease of use. The mechanism for password protection is widely understood and easy to implement — and in many cases, more complex defense efforts can cause more problems than they solve.

Consider the use case of securing a WordPress website or blog. While site owners could invest substantive time and effort into in-depth security precautions, this popular content management system (CMS) offers built-in password functionality to help defend sites against unwanted access and editing.

In this piece, we’ll explore the pros and cons of password processes and provide an easy-to-follow framework for WordPress page and site password protection.

The Pros of Password Protection

Passwords remain the most common form of digital security because they offer a low bar to entry. If you know the password you’re granted access — if you don’t, you’re turned away.

They can also be easily combined with other security solutions to improve overall defense. For example, current-generation smartphones often leverage both biometric technologies — such as fingerprint or facial recognition sensors — and password-based backups.

And while passwords often get a bad reputation for regular compromise, much of this issue stems from poor password selection. If users select their preferred passwords carefully, don’t use them across multiple sites and adopt a policy of regular password change, it’s possible to significantly reduce digital risk.

Avoiding Password Pitfalls

Passwords aren’t perfect and for attackers looking to expend minimal malicious effort, they’re a potentially attractive prospect. In truth, however, the biggest risk comes not from external but internal factors — users who unintentionally stumble into three common pitfalls:

1. Poor Password Choice

No one wants to forget their password. As a result, it’s tempting to pick something simple and easy to remember — but this can rapidly get out of hand. Consider that in 2019, the three most common passwords were “12345”, “123456”, “123456789”. While these are easy for users to remember, they’re also simple for attackers to guess.

2. Defensive Duplication

The average user now has between 70 and 80 passwords — so it’s no surprise that password reuse and duplication is common. The problem? If attackers compromise one account or website using a duplicated password, they’ve potentially compromised dozens or more.

3. Static Security Practices

The sheer number of passwords required to navigate digital-first landscapes means that users are often reluctant to change login credentials Many also use physical media — such as sticky notes — to remind themselves of specific site or account passwords. In both cases, the existence of passwords that aren’t regularly updated creates a potential security issue.

How to Password Protect a WordPress Page

If you’re building a WordPress site, chances are you’re continually creating and evaluating new content to see which pages offer the biggest boost to user traffic and search engine optimization.

As a result, it’s critical to protect these posts — to ensure that unauthorized users can’t view, edit or delete data before you’re ready to publish pages or have the chance to make critical changes.

But how do you password protect a page? Thankfully, WordPress makes it easy with a quick and painless built-in tool.

Follow these six steps to quickly password protect a single page or post:

  1. Log in to your WordPress account
  2. Go to Posts, then All Posts
  3. Click Edit on a specific page or post
  4. Using the Publish menu, change the visibility to Password Protected
  5. Enter a password
  6. Publish your newly-protected page

1. Log in to your WordPress account.

Make sure to log in as an administrator or you won’t be able to make any changes to post visibility or security.

2. Go to “Posts”, then “All Posts”.

From your dashboard, click through to “Posts” and then “All Posts” to select the page or post you want.

3. Click “Edit” on a specific page or post.

Password protection is implemented on a per-post basis, so you’ll need to add security to individual pages as required.

4. Using the Publish menu, change the visibility to “Password Protected”.

By default, WordPress pages are set to Public — meaning anyone can view them. Private pages can only be accessed by designated Admins and Editors, and Password Protected offers the highest level of security.

5. Enter a password.

Choose your password. As noted by the official WordPress site, the maximum length is 20 characters.

6. Publish your newly-protected page

To apply any changes made, you must click the “Publish” button for unpublished pages or posts, or the “Update” button for already-posted content.

How to Password Protect a WordPress Site

If you’re looking for even more protection it’s possible to password protect your entire WordPress site. This is often a good idea if your site isn’t ready to go live yet or you’re in the middle of in-depth page and post development.

The caveat? WordPress doesn’t natively offer this feature, meaning you’ve got two options: Plugins and HTTP authentication. Let’s explore each in more detail.


There are a host of free and for-pay WordPress plugins that make it possible to password protect your entire site. While the details differ from plugin to plugin, the basics are the same — you select a password for your site and specify any exceptions, such as visitors from specific IP addresses, then apply the changes. When users visit your site, they’ll see a WordPress login screen that requires a valid password for access.

HTTP Authentication

This type of password protection happens at the web hosting level; many web hosting providers now offer one-click HTTP authentication for your website, regardless of what CMS you’re running. Just like plugin-based password protection you select a password for your site along with any exceptions. Unlike plugin solutions, visitors won’t even see a WordPress logo when they arrive — they’ll simply see a text box asking them to log in.

Keep it Secret, Keep it Safe

Despite potential pitfalls, passwords offer substantive protective benefits — so long as users avoid common letter and number combinations, don’t duplicate these defenses and regularly update login credentials.

For WordPress website owners and administrators, meanwhile, the judicious use of passwords offers peace of mind by limiting access to reduce potential security risk.