Bypass the WordPress password form by using the_password_form

Last month, I found Kieran Lane’s blog post on bypassing the WordPress password-protected post form while researching how to allow a client to skip the password form via a URL parameter. Kieran’s solution required editing a WordPress core file, and at the time neither of us had found a less brittle way to solve the problem. Fortunately, it is possible to do just this by using WordPress’s the_password_form filter:

function bypass_password_form( $output ) {
  // Check for a hash of the password
  // exactly as in Kieran's example
  if ( $_GET['pwd'] == md5( $post->post_password ) ) {
    return apply_filters(
      get_page( get_the_ID() )->post_content
  // Or return the output as normal
  return $output;

They are not well documented, but there is almost always a way to do something in WordPress using filters—it can just take a few weeks of digging to find the right one! If you are managing your own site, modifying the core files may be fine, but I encourage any WordPress contractors or developers to research and share ways they have found to avoid customizing the core. Having this kind of functionality in a plugin or your theme’s functions.php will make for fewer headaches for clients when they need to upgrade 😉

2 thoughts on “Bypass the WordPress password form by using the_password_form

  1. Lindy says:

    So do you have any idea of how you could use this function to modify the setcookie on the password protected page? The cookie is set in wp-pass.php for 10 days which is too long but I don\’t want to edit a core file. I\’ve tried using the_password_form function, but can\’t seem to get it to work. Would love to hear if you have any ideas. Thanks!

  2. K. Adam White says:

    Interesting question. I haven\’t had the need to adjust that, so I had not looked into that possibility—I can\’t promise I\’ll be able to investigate, but I\’ll post here if I do if I learn anything.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.