PPWP – Password Protect Pages Security & Risk Analysis

wordpress.org/plugins/password-protect-page

Password protect WordPress pages and posts by user roles or with multiple passwords; protect your entire website with a single password.

30K active installs · v1.9.15 · PHP 5.6+ · WP 4.7+ · Updated Dec 12, 2025
Tags: password, password-protect, password-protection, restrict-content, sitewide
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Aug 25, 2025

Safety Verdict

Is PPWP – Password Protect Pages Safe to Use in 2026?

Generally Safe

Score 96/100

PPWP – Password Protect Pages has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Aug 25, 2025 · Updated 3mo ago

Risk Assessment

The 'password-protect-page' plugin v1.9.15 presents a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of output escapes, there are notable areas of concern. A substantial portion of the attack surface, specifically 17 out of 27 entry points (AJAX handlers and REST API routes), lacks proper authentication checks, creating significant opportunities for unauthorized actions. The presence of the `unserialize` function, even if not directly linked to a current exploit in the taint analysis, is a known security risk that should be handled with extreme caution. The vulnerability history reveals a past pattern of medium-severity vulnerabilities, including issues related to insufficient permissions, information exposure, and cross-site scripting. The absence of currently unpatched vulnerabilities is positive, but the historical occurrences suggest potential underlying weaknesses in input validation and permission handling that may not be fully mitigated.

Key Concerns

  • Unprotected AJAX handlers (15)
  • REST API routes without permission callbacks (2)
  • Use of 'unserialize' function
  • Past medium severity vulnerabilities (4)
  • Taint flows with unsanitized paths (7)

Vulnerabilities: 4

PPWP – Password Protect Pages Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-5998 · medium · 4.3 · Improper Handling of Insufficient Permissions or Privileges

PPWP – Password Protect Pages <= 1.9.10 - Authenticated (Subscriber+) Content Exposure via REST API

Aug 25, 2025 · Patched in 1.9.11 (1d)

CVE-2024-11280 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

PPWP – Password Protect Pages <= 1.9.5 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Dec 16, 2024 · Patched in 1.9.6 (1d)

CVE-2024-0620 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

PPWP – Password Protect Pages <= 1.8.9 - Protection Mechanism Bypass

Feb 7, 2024 · Patched in 1.9.0 (174d)

CVE-2022-4626 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PPWP – WordPress Password Protect Page <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 10, 2023 · Patched in 1.8.6 (378d)

Code Analysis
Analyzed Mar 16, 2026

PPWP – Password Protect Pages Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 1 (57 prepared)
Unescaped Output: 148 (400 escaped)
Nonce Checks: 15
Capability Checks: 7
File Operations: 0
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$serialize_raw_data = @unserialize( $raw_data );` · includes\class-ppw-functions.php:267
unserialize · `$meta_value = ppw_free_fix_serialize_data( @unserialize( $val->meta_value ) );` · includes\services\class-ppw-passwords.php:653
unserialize · `$meta_value = ppw_free_fix_serialize_data( @unserialize( $value->meta_value ) );` · includes\services\class-ppw-passwords.php:699

Bundled Libraries

Select2

SQL Query Safety

98% prepared · 58 total queries

Output Escaping

73% escaped · 548 total outputs

Data Flows: 7 unsanitized

Data Flow Analysis

10 flows · 7 with unsanitized paths
entire_site_redirect_after_enter_password (includes\services\class-ppw-entire-site.php:97)

Attack Surface: 17 unprotected

PPWP – Password Protect Pages Attack Surface

Entry Points: 27
Unprotected: 17

AJAX Handlers 15

auth · wp_ajax_ppw_free_set_password · includes\class-ppw.php:320
auth · wp_ajax_ppw_free_update_general_settings · includes\class-ppw.php:322
auth · wp_ajax_ppw_free_update_entire_site_settings · includes\class-ppw.php:323
auth · wp_ajax_ppw_update_post_status · includes\class-ppw.php:341
auth · wp_ajax_ppw_free_update_misc_settings · includes\class-ppw.php:359
auth · wp_ajax_ppw_free_update_category_settings · includes\class-ppw.php:360
auth · wp_ajax_ppw_free_update_tag_settings · includes\class-ppw.php:361
auth · wp_ajax_ppw_free_update_shortcode_settings · includes\class-ppw.php:362
auth · wp_ajax_ppw_free_update_external_settings · includes\class-ppw.php:363
auth · wp_ajax_ppw_free_restore_wp_passwords · includes\class-ppw.php:364
auth · wp_ajax_ppw_free_subscribe_request · includes\class-ppw.php:379
nopriv · wp_ajax_ppw_validate_password · includes\class-ppw.php:414
auth · wp_ajax_ppw_validate_password · includes\class-ppw.php:415
auth · wp_ajax_ppw_pcp_validate_password · includes\services\class-ppw-content-protection.php:51
nopriv · wp_ajax_ppw_pcp_validate_password · includes\services\class-ppw-content-protection.php:52

REST API Routes 11

POST · /wp-json/wppp/v1check-content-password/(?P<id>\d+) · includes\class-ppw-api.php:23
GET · /wp-json/wppp/v1master-passwords · includes\class-ppw-api.php:53
DELETE · /wp-json/wppp/v1master-passwords · includes\class-ppw-api.php:66
PUT · /wp-json/wppp/v1master-passwords · includes\class-ppw-api.php:79
POST · /wp-json/wppp/v1master-passwords/status · includes\class-ppw-api.php:92
POST · /wp-json/wppp/v1master-passwords · includes\class-ppw-api.php:105
POST · /wp-json/wppp/v1/master-passwords/bulk-delete · includes\class-ppw-api.php:118
POST · /wp-json/wppp/v1/master-passwords/all-expired-delete · includes\class-ppw-api.php:131
POST · /wp-json/wppp/v1validate-password · includes\class-ppw-api.php:145
GET · /wp-json/wppp/v1pcp/(?P<id>\d+)/settings · includes\class-ppw-api.php:159
POST · /wp-json/wppp/v1pcp/(?P<id>\d+)/settings · includes\class-ppw-api.php:173

Shortcodes 1

[ppw-content-protect] includes\class-ppw.php:337

WordPress Hooks 127

action · ppwp_post_password_required · admin\class-ppw-admin.php:1439
action · plugins_loaded · includes\addons\beaver-builder\class-ppw-beaver-loader.php:15
filter · fl_builder_custom_fields · includes\addons\beaver-builder\class-ppw-beaver-loader.php:26
action · init · includes\addons\beaver-builder\class-ppw-beaver-loader.php:29
action · elementor/widgets/widgets_registered · includes\addons\elementor\class-ppw-elementor.php:63
filter · ppw_shortcode_allow_bypass_valid_post_type · includes\class-ppw-api.php:812
filter · terms_clauses · includes\class-ppw-functions.php:749
filter · get_term · includes\class-ppw-functions.php:750
filter · get_terms_args · includes\class-ppw-functions.php:751
action · plugins_loaded · includes\class-ppw.php:282
action · admin_enqueue_scripts · includes\class-ppw.php:300
action · admin_menu · includes\class-ppw.php:301
action · admin_notices · includes\class-ppw.php:302
action · add_meta_boxes · includes\class-ppw.php:304
action · login_form_ppw_postpass · includes\class-ppw.php:305
action · login_form_postpass · includes\class-ppw.php:308
action · template_redirect · includes\class-ppw.php:310
action · ppw_redirect_after_enter_password · includes\class-ppw.php:311
action · admin_init · includes\class-ppw.php:312
filter · ppwp_customize_password_form · includes\class-ppw.php:321
action · admin_init · includes\class-ppw.php:324
action · ppw_render_content_general · includes\class-ppw.php:326
action · ppw_render_content_entire_site · includes\class-ppw.php:327
filter · post_password_required · includes\class-ppw.php:329
action · ppw_render_sitewide_content_general · includes\class-ppw.php:335
action · post_row_actions · includes\class-ppw.php:339
action · page_row_actions · includes\class-ppw.php:340
action · plugins_loaded · includes\class-ppw.php:353
action · admin_init · includes\class-ppw.php:354
action · ppw_render_content_shortcodes · includes\class-ppw.php:365
action · ppw_render_content_master_passwords · includes\class-ppw.php:366
action · ppw_render_content_misc · includes\class-ppw.php:367
action · ppw_render_content_troubleshooting · includes\class-ppw.php:368
action · rest_api_init · includes\class-ppw.php:370
filter · rest_post_query · includes\class-ppw.php:373
filter · rest_pre_dispatch · includes\class-ppw.php:374
filter · pre_get_posts · includes\class-ppw.php:375
filter · ppw_content_shortcode_source · includes\class-ppw.php:377
action · ppw_render_pcp_content_general · includes\class-ppw.php:380
action · ppw_render_external_content_recaptcha · includes\class-ppw.php:381
action · ppw_render_external_content_configuration · includes\class-ppw.php:382
action · plugin_row_meta · includes\class-ppw.php:383
action · ppwp_render_sitewide_countdown · includes\class-ppw.php:384
action · ppwp_sitewide_hide_password_form · includes\class-ppw.php:385
action · ppwp_countdown_timer_styles · includes\class-ppw.php:386
filter · ppwp_customizer_custom_fields · includes\class-ppw.php:389
action · template_redirect · includes\class-ppw.php:407
action · wp_enqueue_scripts · includes\class-ppw.php:408
filter · the_content · includes\class-ppw.php:409
filter · ppw_cookie_expire · includes\class-ppw.php:410
filter · ppw_sitewide_cookie_expiration · includes\class-ppw.php:411
filter · ppw_sitewide_form_action · includes\class-ppw.php:412
filter · et_builder_load_actions · includes\class-ppw.php:416
filter · the_password_form · includes\class-ppw.php:422
action · init · includes\class-ppw.php:425
filter · posts_where_paged · includes\class-ppw.php:427
filter · widget_posts_args · includes\class-ppw.php:428
filter · get_next_post_where · includes\class-ppw.php:429
filter · get_previous_post_where · includes\class-ppw.php:430
filter · get_pages · includes\class-ppw.php:431
filter · wpseo_exclude_from_sitemap_by_post_ids · includes\class-ppw.php:432
filter · ppwp_ppf_action_url · includes\class-ppw.php:434
action · wp · includes\class-ppw.php:435
action · customize_controls_print_styles · includes\customizers\class-ppw-presets.php:286
filter · post_password_required · includes\services\class-ppw-category.php:53
filter · ppw_is_valid_password · includes\services\class-ppw-category.php:54
action · category_pre_add_form · includes\services\class-ppw-category.php:55
filter · ppw_is_valid_cookie · includes\services\class-ppw-category.php:58
filter · ppwp_post_password_required · includes\services\class-ppw-category.php:59
filter · ppwp_ppf_action_url · includes\services\class-ppw-category.php:149
action · init · includes\services\class-ppw-content-protection.php:50
filter · ppw_shortcode_render_content · includes\services\class-ppw-content-protection.php:53
filter · et_builder_load_actions · includes\services\class-ppw-content-protection.php:54
filter · ppw_pcp_valid_shortcode · includes\services\class-ppw-content-protection.php:55
action · admin_init · includes\services\class-ppw-content-protection.php:56
filter · ppw_shortcode_unlock_content · includes\services\class-ppw-content-protection.php:57
filter · ppw_pcp_submenu_add_new_tab · includes\services\class-ppw-content-protection.php:58
action · admin_notices · includes\services\class-ppw-content-protection.php:64
action · customize_register · includes\services\class-ppw-customizer-pcp.php:37
action · wp_head · includes\services\class-ppw-customizer-pcp.php:38
filter · ppw_pcp_attributes · includes\services\class-ppw-customizer-pcp.php:39
filter · ppw_validated_pcp_password · includes\services\class-ppw-customizer-pcp.php:40
action · customize_register · includes\services\class-ppw-customizer-sitewide.php:15
action · customize_register · includes\services\class-ppw-customizer-sitewide.php:20
action · ppw_custom_style_form_entire_site · includes\services\class-ppw-customizer-sitewide.php:21
action · customize_register · includes\services\class-ppw-customizer-upsell.php:22
action · customize_controls_enqueue_scripts · includes\services\class-ppw-customizer-upsell.php:23
action · customize_register · includes\services\class-ppw-customizer.php:17
action · customize_controls_enqueue_scripts · includes\services\class-ppw-customizer.php:18
action · wp_head · includes\services\class-ppw-customizer.php:19
filter · post_password_required · includes\services\class-ppw-post-tag.php:53
filter · ppw_is_valid_password · includes\services\class-ppw-post-tag.php:54
action · post_tag_pre_add_form · includes\services\class-ppw-post-tag.php:55
filter · ppw_is_valid_cookie · includes\services\class-ppw-post-tag.php:58
filter · ppwp_post_password_required · includes\services\class-ppw-post-tag.php:59
filter · ppwp_ppf_action_url · includes\services\class-ppw-post-tag.php:150
filter · ppwp_customize_ppf · includes\services\class-ppw-recaptcha.php:53
filter · ppwp_ppf_redirect_url · includes\services\class-ppw-recaptcha.php:54
filter · ppwp_ppf_referrer_url · includes\services\class-ppw-recaptcha.php:55
filter · ppwpea_recaptcha_v2_site_key · includes\services\class-ppw-recaptcha.php:56
filter · ppwpea_recaptcha_v2_secret · includes\services\class-ppw-recaptcha.php:57
action · wp_footer · includes\services\class-ppw-recaptcha.php:58
action · ppw_custom_footer_form_entire_site · includes\services\class-ppw-recaptcha.php:59
action · ppw_sitewide_above_submit_button · includes\services\class-ppw-recaptcha.php:60
action · ppw_sitewide_custom_internal_css · includes\services\class-ppw-recaptcha.php:61
filter · ppw_sitewide_valid_password · includes\services\class-ppw-recaptcha.php:62
filter · ppw_sitewide_error_message · includes\services\class-ppw-recaptcha.php:528
filter · ppw_content_shortcode_source · includes\services\class-ppw-shortcode.php:93
action · the_post · includes\services\class-ppw-shortcode.php:96
action · the_post · includes\services\class-ppw-shortcode.php:97
action · wp_enqueue_scripts · includes\services\class-ppw-shortcode.php:106
filter · the_content · includes\services\class-ppw-shortcode.php:132
action · wp_footer · includes\services\class-ppw-shortcode.php:371
filter · post_password_required · public\class-ppw-public.php:447
action · admin_notices · wp-protect-password.php:117
action · admin_notices · wp-protect-password.php:119
action · plugins_loaded · wp-protect-password.php:125
action · admin_menu · wpfolio-analytics\includes\class-anylc-admin.php:31
action · admin_menu · wpfolio-analytics\includes\class-anylc-admin.php:34
action · admin_init · wpfolio-analytics\includes\class-anylc-admin.php:37
action · admin_notices · wpfolio-analytics\includes\class-anylc-admin.php:40
action · admin_footer · wpfolio-analytics\includes\class-anylc-admin.php:43
action · admin_init · wpfolio-analytics\includes\class-anylc-admin.php:45
action · wp_loaded · wpfolio-analytics\includes\class-anylc-admin.php:48
action · admin_enqueue_scripts · wpfolio-analytics\includes\class-anylc-script.php:20
action · activated_plugin · wpfolio-analytics\wpfolio-analytics.php:253
action · plugins_loaded · wpfolio-analytics\wpfolio-analytics.php:267

Maintenance & Trust

PPWP – Password Protect Pages Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 12, 2025
PHP min version: 5.6
Downloads: 972K

Community Trust

Rating: 94/100
Number of ratings: 268
Active installs: 30K

Developer Profile

PPWP – Password Protect Pages Developer Profile

WP Folio Team

2 plugins · 40K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 93 days

Detection Fingerprints

How We Detect PPWP – Password Protect Pages

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/password-protect-page/assets/css/admin.css
/wp-content/plugins/password-protect-page/assets/js/admin.js
/wp-content/plugins/password-protect-page/assets/css/style.css
/wp-content/plugins/password-protect-page/assets/js/frontend.js
/wp-content/plugins/password-protect-page/assets/css/frontend.css

Script Paths
/wp-content/plugins/password-protect-page/assets/js/admin.js
/wp-content/plugins/password-protect-page/assets/js/frontend.js

Version Parameters
password-protect-page/assets/css/admin.css?ver=
password-protect-page/assets/js/admin.js?ver=
password-protect-page/assets/css/style.css?ver=
password-protect-page/assets/js/frontend.js?ver=
password-protect-page/assets/css/frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes: ppw-protected-content
HTML Comments: PPWP - Password Protect WordPress Lite
JS Globals: PPW_Admin