WP-Safety

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Security & Risk Analysis

wordpress.org/plugins/password-protected

Protect your WordPress site, pages, posts, WooCommerce products, and categories with single or multiple passwords.

300K active installs v2.7.12 PHP 5.6+ WP 4.6+ Updated Dec 18, 2025
maintenance-modepassword-protectpassword-protect-pagepassword-protectionrestrict-content
95
A · Safe
CVEs total5
Unpatched0
Last CVEOct 24, 2025
Plugin page Download
Safety Verdict

Is Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Safe to Use in 2026?

Generally Safe

Score 95/100

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEsLast CVE: Oct 24, 2025Updated 3mo ago
Risk Assessment

The "password-protected" plugin v2.7.12 presents a mixed security posture. On the positive side, the static analysis reveals a small attack surface with no unprotected entry points. The code also demonstrates good practices with a reasonable percentage of SQL queries using prepared statements and a solid number of nonce and capability checks. However, concerns arise from the output escaping, where only 66% of outputs are properly escaped, leaving a potential for cross-site scripting vulnerabilities.

The taint analysis, while not revealing critical or high severity issues, did identify three flows with unsanitized paths, which warrants attention. The plugin's vulnerability history is a significant concern. With a total of five known CVEs, even though none are currently unpatched, the prevalence of medium and low severity issues related to authorization and cross-site scripting suggests a history of security weaknesses. The common vulnerability types indicate a recurring need for stricter access control and output sanitization.

In conclusion, while the current version shows some improvements in security implementation, the past vulnerability record and the findings from output escaping and taint analysis suggest that ongoing vigilance and further development are necessary to ensure a robust security posture. The plugin has areas of strength, particularly in its limited attack surface, but the historical context and specific code signals warrant careful consideration.

Key Concerns

  • Significant number of CVEs in history
  • 1/3 taint flows with unsanitized paths
  • 34% of outputs not properly escaped
  • Vulnerabilities common: Improper Authorization
  • Vulnerabilities common: Cross-site Scripting
  • Bundled library (Freemius) potentially outdated
Vulnerabilities
5

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
2 CVEs in 2024
2024
2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
4
Low
1

5 total CVEs

CVE-2025-11244low · 3.7Improper Authorization

Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing

Oct 24, 2025 Patched in 2.7.12 (1d)
CVE-2025-3453medium · 5.3Incorrect Authorization

Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure

Apr 16, 2025 Patched in 2.7.8 (1d)
CVE-2024-0437medium · 4.3Improper Access Control

Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease <= 2.6.6 - Missing Authorization to Sensitive Information Exposure

May 14, 2024 Patched in 2.6.7 (77d)
CVE-2024-0656medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Password Protected <= 2.6.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 19, 2024 Patched in 2.6.7 (162d)
CVE-2023-32580medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Password Protected <= 2.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 13, 2023 Patched in 2.6.3 (224d)
Code Analysis
Analyzed Mar 16, 2026

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
2 prepared
Unescaped Output
66
128 escaped
Nonce Checks
2
Capability Checks
3
File Operations
0
External Requests
2
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

40% prepared5 total queries

Output Escaping

66% escaped194 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

7 flows3 with unsanitized paths
pp_admin_menu_page_callback (admin\admin.php:398)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[password_protected_logout_link] password-protected.php:87
WordPress Hooks 89
actionplugins_loadedadmin\admin-bar.php:14
actionwp_headadmin\admin-bar.php:25
actionadmin_headadmin\admin-bar.php:26
actionwp_before_admin_bar_renderadmin\admin-bar.php:27
actionadmin_initadmin\admin-caching.php:32
actionadmin_initadmin\admin.php:14
actionadmin_initadmin\admin.php:15
actionadmin_initadmin\admin.php:16
actionadmin_menuadmin\admin.php:17
actionpassword_protected_subtab_password-protected-page-description_contentadmin\admin.php:18
actionpassword_protected_help_tabsadmin\admin.php:19
actionadmin_noticesadmin\admin.php:20
filterplugin_row_metaadmin\admin.php:21
filterplugin_action_links_password-protected/password-protected.phpadmin\admin.php:22
filterpre_update_option_password_protected_passwordadmin\admin.php:23
actionadmin_enqueue_scriptsadmin\admin.php:24
actioninitadmin\admin.php:25
actionpassword_protected_subtab_cache-issue_contentadmin\admin.php:27
actionadmin_footeradmin\admin.php:28
actionpassword_protected_subtab_exclude-from-protection_contentadmin\admin.php:279
actiontext_before_after_login_formadmin\admin.php:280
actionpassword_protected_subtab_attempt-limitation_contentadmin\admin.php:281
actionpassword_protected_subtab_bypass-url_contentadmin\admin.php:282
actionpassword_protected_tab_manage_passwords_contentadmin\admin.php:283
actionpassword_protected_subtab_post-type-protection_contentadmin\admin.php:284
actionpassword_protected_subtab_taxonomy-protection_contentadmin\admin.php:285
actionpassword_protected_subtab_partial-protection_contentadmin\admin.php:286
actionpassword_protected_subtab_whitelist-user-role_contentadmin\admin.php:287
actionpassword_protected_subtab_wp-admin-protection_contentadmin\admin.php:288
actionpassword_protected_subtab_activity_logs_contentadmin\admin.php:289
actionpassword_protected_subtab_logo-styles_contentadmin\admin.php:291
actionpassword_protected_subtab_label-styles_contentadmin\admin.php:292
actionpassword_protected_subtab_field-styles_contentadmin\admin.php:293
actionpassword_protected_subtab_button-styles_contentadmin\admin.php:294
actionpassword_protected_subtab_remember-me-styles_contentadmin\admin.php:295
actionpassword_protected_subtab_form-background_contentadmin\admin.php:296
actionpassword_protected_subtab_body-background_contentadmin\admin.php:297
actionpassword_protected_subtab_below-form_contentadmin\admin.php:298
actionpassword_protected_subtab_below-page_contentadmin\admin.php:299
actionpassword_protected_subtab_custom-css_contentadmin\admin.php:300
actionpassword_protected_subtab_password-request_contentadmin\admin.php:301
actionpassword_protected_subtab_requests_contentadmin\admin.php:302
actionpassword_protected_subtab_email-templates_contentadmin\admin.php:303
actionadmin_initadmin\class-pp-all-captcha-tabs.php:23
actionpassword_protected_subtab_all-captchas_contentadmin\class-pp-all-captcha-tabs.php:24
actionadmin_initadmin\class-recaptcha.php:37
actionpassword_protected_all_captchasadmin\class-recaptcha.php:39
actionpassword_protected_after_password_fieldadmin\class-recaptcha.php:41
filterpassword_protected_verify_recaptchaadmin\class-recaptcha.php:43
actionadmin_initincludes\activity-report-email\class-password-protected-activity-report-settings.php:15
actionadmin_initincludes\activity-report-email\class-password-protected-activity-report-settings.php:16
actionpassword_protected_subtab_activity-report_contentincludes\activity-report-email\class-password-protected-activity-report-settings.php:17
actionpassword_protected_success_login_attemptincludes\activity-report-email\class-password-protected-activity-report-settings.php:23
actionpassword_protected_failure_login_attemptincludes\activity-report-email\class-password-protected-activity-report-settings.php:24
actionpassword_protected_after_login_formincludes\activity-report-email\class-password-protected-activity-report-settings.php:25
actionpassword_protected_below_password_fieldincludes\activity-report-email\class-password-protected-activity-report-settings.php:26
filtercron_schedulesincludes\activity-report-email\class-password-protected-send-email-notification.php:11
actioninitincludes\activity-report-email\class-password-protected-send-email-notification.php:12
actionpassword_protected_email_notification_hookincludes\activity-report-email\class-password-protected-send-email-notification.php:13
actionplugins_loadedpassword-protected.php:58
filterpassword_protected_is_activepassword-protected.php:60
filterpassword_protected_is_activepassword-protected.php:61
actioninitpassword-protected.php:63
actioninitpassword-protected.php:64
actioninitpassword-protected.php:65
actionwppassword-protected.php:66
actiontemplate_redirectpassword-protected.php:67
filterpre_option_password_protected_statuspassword-protected.php:68
filterpre_option_password_protected_statuspassword-protected.php:69
filterpre_option_password_protected_statuspassword-protected.php:70
filterrest_authentication_errorspassword-protected.php:71
actioninitpassword-protected.php:72
actionpassword_protected_login_messagespassword-protected.php:73
actionlogin_enqueue_scriptspassword-protected.php:74
actionpassword_protected_above_password_fieldpassword-protected.php:76
actionpassword_protected_below_password_fieldpassword-protected.php:77
actionpassword_protected_login_headpassword-protected.php:84
actiondo_feedpassword-protected.php:170
actiondo_feed_rdfpassword-protected.php:171
actiondo_feed_rsspassword-protected.php:172
actiondo_feed_rss2password-protected.php:173
actiondo_feed_atompassword-protected.php:174
actionpassword_protected_login_headpassword-protected.php:844
actionpassword_protected_login_headpassword-protected.php:849
actionpassword_protected_login_headtheme\password-protected-login.php:59
filterwp_robotstheme\password-protected-login.php:64
actionpassword_protected_login_headtheme\password-protected-login.php:65
actionpassword_protected_login_headtheme\password-protected-login.php:67
actionpassword_protected_login_headtheme\password-protected-login.php:70

Scheduled Events 1

password_protected_email_notification_hook
Maintenance & Trust

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 18, 2025
PHP min version5.6
Downloads6.9M

Community Trust

Rating88/100
Number of ratings136
Active installs300K
Alternatives

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Alternatives

PPWP – Password Protect Pages

PPWP – Password Protect Pages

password-protect-page

A
96

Password protect WordPress pages and posts by user roles or with multiple passwords; protect your entire website with a single password.

30K 4 CVEs
Passster – Password Protect Pages and Content

Passster – Password Protect Pages and Content

content-protector

A
95

Password Protect Pages, Posts & Content in WordPress

10K 10 CVEs
Password for WP

Password for WP

password-for-wp

A
91

Add a password for the entire WordPress website. Edit the background and message. Free and simple to use.

200 1 CVE
Password Protect – Temporary Login Without Password & Password Protect Entire Site

Password Protect – Temporary Login Without Password & Password Protect Entire Site

smart-password-protect

A
100

Password Protect entire site & create Temporary Login Without Password links. Simple & secure access for developers or maintenance.

70 No CVEs
Naibabiji Coming Soon & Maintenance Mode

Naibabiji Coming Soon & Maintenance Mode

naiba-coming-soon

A
100

Professional Coming Soon page plugin with password protection, responsive design, and full customization features.

10 No CVEs
Developer Profile

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

76
trust score
Avg Security Score
96/100
Avg Patch Time
287 days
View full developer profile
Detection Fingerprints

How We Detect Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/password-protected/css/password-protected.css/wp-content/plugins/password-protected/js/password-protected.js
Script Paths
/wp-content/plugins/password-protected/js/password-protected.js
Version Parameters
password-protected/css/password-protected.css?ver=password-protected/js/password-protected.js?ver=

HTML / DOM Fingerprints

CSS Classes
password-protected-login-formpassword-protected-login-form-wrap
Data Attributes
data-password-protected-fielddata-password-protected-login-form
JS Globals
PasswordProtected
REST Endpoints
/wp-json/password-protected/v1/login
Shortcode Output
[password_protected_logout_link]
FAQ

Frequently Asked Questions about Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content