Granting permissions-based access to WordPress content

Whether your intention is to password protect an application form, grant exclusive access to insider materials, or ensure that a customer has purchased a digital product before they can view a related video, WordPress offers several methods for placing a “gateway” in front of your content.

In this article, we’ll review three recommended approaches, discuss pros and cons of each and take the example of password protecting an affiliate marketing application form.

1. Password Protect the Page or Post

WordPress ships with a basic password protection mechanism; when editing a Post or Page, you can click on the Visibility setting, toward the top-right under Publish, and select Password Protected:

Having provided your desired password, click Publish (or Update) to apply.

Open up the page to see for yourself; you’ll be prompted for the password until you’ve entered it successfully. (Note that WordPress will automatically prepend the word “Protected” to password-protected content.)

Once the user has authenticated, their browser will download a cookie which will keep them logged in for some time and able to view the content.

Advantages to this approach include:

1. No need to create, edit or pre-screen WordPress user accounts;
2. Ships with WordPress by default; no plugin or custom code required.

However, while the simplest, this approach often isn’t ideal:

1. Anyone who has the password is free to share it with anyone else;
2. You can’t determine who has authenticated to view the content;
3. If and when you need to change the password, you’ll be forced to contact anyone who needs access to reissue the new password.

For these reasons, we typically do not recommend basic WordPress password protection except for low-stakes content which will be distributed to a small number of users, who will not often need to revisit it.

2. Use Groups

Groups is a terrific little plugin which allows you to organize your WordPress users into, well, groups.

You can download the core version directly from the WordPress repo; there are a variety of premium extensions available as well.

Groups are versatile and can be applied to a variety of use cases; for today, we’ll take a look at their role in protecting your content.

Begin with installing and activating the core plugin; then, you can create a new Group:

If desired, you can take a moment to add WordPress user capabilities as well (i.e. the ability to author or edit a post); for purposes of granting access to content, however, you can leave that field blank.

In order to be placed in — and recognized as belonging to a group — your users must have accounts on your WordPress website. You can either create new accounts as needed, or edit existing accounts:

Returning to your Page, you can now designate a Group or Groups for access (leaving the post Status as Public.)

You can also use the shortcodes [groups_member] and [groups_non_member] to tailor the content to the user based on their group status:

Providing a more helpful, user-friendly message to users who aren’t logged in or otherwise authorized:

Advantages to this approach include:

1. If you need to revoke access for a particular user, you can do so without interfering with access for all others;
2. Once a user has logged in, you can associate any subsequent activity (page views, form submissions, digital downloads, etc.) to their specific account.

Disadvantages include:

1. You’ll need to import or create any user accounts before a user can be granted access, or automate connection of the Groups plugin to some other mechanism (i.e., a WooCommerce purchase);

3. Use WP Fusion

For our clients who already work with an email marketing platform or CRM, use of WP Fusion often represents a best-of-both worlds approach to gated content; offering the relative ease-of-use in the first approach, with the user-specific capabilities of the second.

Once installed and activated, you can connect it to your CRM:

Then, returning to your gated content, you can specify which Tags (in your CRM or email marketing platform) are required for access:

WP Fusion handles synchronizing user activity to and from your WordPress website and CRM/email marketing platform, making it easy to re-use any business logic you’ve established in one or the other.

Once again, a user without permission will be shown an appropriate message:

As you would expect, that messaging can be updated in WP Fusion’s settings:

Or customized extensively with shortcodes.

Advantages to this approach include:

1. Automate creation of “groups” based permissions, based on business logic already located within your CRM, email marketing platform and compatible WordPress plugins.

Disadvantages include:

1. WP Fusion is expensive (although in our view, worth every penny);
2. Assumes and requires use of a compatible CRM or email marketing platform.

Beware the Cache

One final word of caution: WordPress caching plugins don’t always play nicely with gated content, at least not by default. (Often, however, they can be readily configured to do so.)

Here at Webster Park, all of our hosting clients benefit from use of the Litespeed web server and its caching plugin; however, it’s often necessary to instruct the plugin to exclude password-protected pages from caching. (Note that many caching plugins are pre-configured to work with popular plugins like WooCommerce, out of the box.)

From your dashboard, open up your caching plugin’s Settings menu and find the tab which allows you to exclude Pages, Posts or other forms of gated content.

Or in WP Rocket:

TL;DR

• Consider use of WordPress’ default password protection, for content which will be accessed infrequently and for which you do not need to track user-specific activity;
• Consider use of the Groups plugin to grant access to a set of WordPress users, but be aware that you will need to import, create or edit user accounts for all who will need access;
• Consider use of WP Fusion to automate granting access based on business logic which already exists in your CRM, email marketing platform or alongside compatible WordPress plugins.
• Beware the possibility that your caching plugin will cache either an authenticated or an unauthenticated view of gated content; ensure that your plugin either supports your chosen solution out of the box, or that you have taken steps to exclude the content from caching.