WordPress has a built-in feature to password protect individual pages and posts, but many site owners don’t realise it’s there until they need it. Whether you’re hiding client work, sharing a draft with a collaborator, or creating a members-only resource without a full membership plugin, setting a password on a single piece of content takes about thirty seconds.
Unlike making a page private — which requires a logged-in WordPress account to view — password protection lets anyone with the correct password access the content without registering or logging in. That makes it practical for sharing content selectively without adding users to your site. If you’re still working through the basics of your WordPress build, the step-by-step guide to building a WordPress website covers everything from choosing a host to going live.
Quick Answer
Open the post or page in the WordPress block editor. In the Settings panel on the right, click Visibility (set to Public by default). Select Password protected, enter a password, and click Publish or Update. Visitors will see a password prompt when they access that URL.
When to Use Password Protection
A few situations where password-protecting a page or post makes practical sense:
- Sharing a completed page with a client before making it public
- Distributing a lead magnet, guide, or template to a specific group
- Locking older or seasonal content without fully unpublishing it
- Testing a landing page or sales page before launch
- Sharing work-in-progress content with a collaborator or reviewer
Password protection is built into WordPress core, so no plugin is required. For more complex access control — such as restricting content to registered subscribers or paid members — you’d need a dedicated membership plugin. For straightforward single-password access, the native feature handles it cleanly. If you want a broader view of your site’s overall security posture, securing your WordPress website from the ground up is a useful starting point.
How to Password Protect a Page or Post in WordPress
Step 1: Open the page or post in the block editor
From your WordPress dashboard, go to Pages or Posts, find the content you want to protect, and click to open it in the editor. This works on both pages and standard posts.
Step 2: Find the Visibility setting
Look at the Settings panel on the right side of the editor screen. If the panel isn’t visible, click the gear icon in the top-right corner of the editor to open it.
Under the Post tab (or Page tab for a page), you’ll see a Summary section near the top. It shows the current Visibility status — by default this is set to Public.
Step 3: Change visibility to Password Protected
Click the word Public next to Visibility. A small panel drops down with three options:
- Public — visible to everyone (default)
- Private — visible only to logged-in editors and administrators on your site
- Password Protected — accessible to anyone who enters the correct password
Select Password protected. A Password field appears below the options. Type in the password you want to use. Passwords are case-sensitive, so note exactly what you enter. Click Apply to confirm the selection.
Step 4: Publish or update
Click Publish for a new post, or Update for an existing one. The password protection takes effect immediately — visitors will see a password prompt instead of the content when they access the URL.
Step 5: Test the password prompt
Open the page or post URL in an incognito or private browser window to bypass any editor session cookies. You should see a message along the lines of “This content is password protected” followed by a password entry field. Enter the password you set to confirm everything is working before sharing the link.
Practical Tips
Passwords are not automatically sent to anyone — you need to share the password with your intended recipients yourself. There is no notification or delivery mechanism built into WordPress for this feature.
The page title remains visible before visitors enter the password. The title appears above the password prompt, so don’t include anything sensitive in the title itself if the content is meant to be confidential.
WordPress remembers the password per browser session using a cookie. Once a visitor enters the correct password, they won’t be prompted again until the cookie expires — so recipients don’t need to re-enter it on every visit.
Multiple pages can share the same password. Set the same password on several pages and anyone with that password can access all of them. This is useful when you want to group a set of resources behind a single access code.
In my experience, using a short memorable phrase — three or four unrelated words strung together — works better than a random string of characters. It’s easier to share verbally or in an email without typos. For situations where you need role-based access control rather than a shared password, WordPress user roles and permissions give you much finer control over who can see what.
Common Mistakes
Forgetting to share the password — once you publish the protected post, nothing sends the password to anyone. It’s easy to set protection and forget to communicate the access details to the people who need them.
Using an obvious password — a simple string like “password” or the page title gives almost no security. Anyone with the URL could guess it quickly. Use something non-obvious and unrelated to the content.
Expecting it to hide the page from search engines — WordPress password protection does not automatically add a noindex directive. Search engines can still crawl and index the page title and URL. If the page needs to be completely invisible to search engines, add a noindex tag or keep the content as a draft until it’s ready. The official WordPress documentation covers content visibility options in more detail.
Password Protected vs Private vs Draft
It’s worth understanding the differences between WordPress’s non-public visibility options:
- Draft — saved but not published; only accessible to logged-in editors and admins in the WordPress dashboard
- Private — published, but only visible to logged-in editors and admins on the frontend
- Password Protected — published and accessible to anyone with the correct password, no WordPress account required
Password protection is the only option that lets you share content with someone who does not have a WordPress account on your site. That distinction matters when you’re working with clients, contractors, or an audience that shouldn’t need to register just to view a page.
Conclusion
Password protecting a page or post in WordPress takes less than a minute and works straight out of the box. It’s easy to overlook because the setting is tucked inside Visibility rather than being a standalone menu option. Use it for client previews, selective sharing, or any situation where you want to control access without building a full membership system. For a broader check of how secure your site actually is, a WordPress security audit is a practical next step once the basics are covered.
Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.