Bypass the WordPress password form by using the_password_form

Last month, I found Kieran Lane’s blog post on bypassing the WordPress password-protected post form while researching how to allow a client to skip the password form via a URL parameter. Kieran’s solution required editing a WordPress core file, and at the time neither of us had found a less brittle way to solve the problem. Fortunately, it is possible to do just this by using WordPress’s the_password_form filter:

function bypass_password_form( $output ) {
  // Check for a hash of the password
  // exactly as in Kieran's example
  if ( $_GET['pwd'] == md5( $post->post_password ) ) {
    return apply_filters(
      get_page( get_the_ID() )->post_content
  // Or return the output as normal
  return $output;

They are not well documented, but there is almost always a way to do something in WordPress using filters—it can just take a few weeks of digging to find the right one! If you are managing your own site, modifying the core files may be fine, but I encourage any WordPress contractors or developers to research and share ways they have found to avoid customizing the core. Having this kind of functionality in a plugin or your theme’s functions.php will make for fewer headaches for clients when they need to upgrade ;)

2 thoughts on “Bypass the WordPress password form by using the_password_form”

  1. Interesting question. I haven’t had the need to adjust that, so I had not looked into that possibility—I can’t promise I’ll be able to investigate, but I’ll post here if I do if I learn anything.

  2. So do you have any idea of how you could use this function to modify the setcookie on the password protected page? The cookie is set in wp-pass.php for 10 days which is too long but I don’t want to edit a core file. I’ve tried using the_password_form function, but can’t seem to get it to work. Would love to hear if you have any ideas. Thanks!

Comments are closed.