Background: My company uses AIO Login (formerly Change WP Admin Login) to change the login URL of our WordPress sites to add a little extra security.
Problem: Accessing password protected pages does not work when using the AIO Login plugin.
Solution: Add a couple of custom functions to your theme’s functions.php file.
Details: This solution was tested with WordPress version 6.6, 6.6.1 and 6.6.2 (most current as of this writing) and AIO Login version 2.0.1 (most current as of this writing).
What I noticed is that when the AIO Login plugin is active, the URL for the post password form didn’t change from “/wp-login.php?action=postpass“. For whatever reason, the plugin itself doesn’t have functionality built in to update the post password form and has never had it as far as I can tell by looking at previous versions of the plugin.
What I needed to do is change the form action URL to what my custom login URL is but also intercept the request when the post password is submitted and route it properly.
function custom_password_form() {
if (class_exists('AIO_Login\AIO_Login')) {
$slug = get_option('rwl_page');
global $post;
$label = 'pwbox-' . (empty($post->ID) ? rand() : $post->ID);
$output = '<form action="' . esc_url(site_url( $slug . '?action=postpass', 'login_post')) . '" class="post-password-form" method="post">
<p>' . __('This content is password protected. To view it please enter your password below:') . '</p>
<p><label for="' . $label . '">' . __('Password:') . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr__('Enter') . '" /></p></form>
';
}
return $output;
}
add_filter( 'the_password_form', 'custom_password_form' );This function checks to see if you have the AIO_Login class available which is essentially checking to see if the plugin is active. You can also achieve this with the built-in WordPress is_plugin_active() function. If we then get the admin login URL that is set from within the AIO Login plugin by pulling the rwl_option field, we can keep our function working even if we change the login URL. Next, using the_password_form hook, we can apply our custom function that will update the form on the front end.
Next, we need to intercept the request when the front end user submits the post password. We can do this with the following function:
function handle_custom_postpass() {
if (class_exists('AIO_Login\AIO_Login')) {
$slug = get_option('rwl_page');
if ($_SERVER['REQUEST_URI'] == '/' . $slug . '?action=postpass' && $_SERVER['REQUEST_METHOD'] == 'POST') {
require_once ABSPATH . 'wp-login.php';
exit();
}
}
}
add_action('init', 'handle_custom_postpass');
WordPress will run this function during its initialization process, allowing us to intercept the request early. And again, we are checking to see if the AIO Login plugin is active in the same way as the previous function.
The beauty of this approach is that we’re not reinventing the wheel for password verification. We’re still using WordPress’s core functionality, but we’re controlling when and how it’s invoked. This ensures that all the security measures and hooks associated with password-protected content in WordPress are still in place, while allowing us to use our custom URL.
When a user submits the password for protected content, this function will catch that submission, pass it to WordPress’s standard handling, and then exit the script. WordPress will then handle the password verification, set the necessary cookies if the password is correct, and redirect the user appropriately.
This method maintains security while allowing for the custom URL structure we’ve implemented. It’s a good balance between customization and leveraging WordPress’s built-in security features.
In my specific case, I am using the Bootscore theme (version 5) which already has it’s own parent theme function to modify the post password form. To override the parent theme function in my Bootscore child theme, this is the function I created:
function bootscore_pw_form() {
if (class_exists('AIO_Login\AIO_Login')) {
$slug = get_option('rwl_page');
$output =
'<form action="' . get_option('siteurl') . '/' . $slug . '?action=postpass" method="post" class="input-group pw_form mb-4">' . "\n" .
'<input name="post_password" type="password" size="" class="form-control" placeholder="' . __('Password', 'bootscore') . '"/>' . "\n" .
'<input type="submit" class="btn btn-outline-primary input-group-text" name="Submit" value="' . __('Submit', 'bootscore') . '" />' . "\n" .
'</form>' . "\n";
return $output;
} else {
$output = '
<form action="' . get_option('siteurl') . '/wp-login.php?action=postpass" method="post" class="input-group pw_form mb-4">' . "\n"
. '<input name="post_password" type="password" size="" class="form-control" placeholder="' . __('Password', 'bootscore') . '"/>' . "\n"
. '<input type="submit" class="btn btn-outline-primary input-group-text" name="Submit" value="' . __('Submit', 'bootscore') . '" />' . "\n"
. '</form>' . "\n";
return $output;
}
}
add_filter( 'the_password_form', 'bootscore_pw_form' );I added a simple else { } and added the original output from the parent theme function to fallback gracefully if the plugin gets deactivated for whatever reason.
Remember, add the functions you need to your theme’s functions.php file. I believe most other plugins that change the WordPress login URL work in similar ways so this approach should be able to be adapted to other plugins as well.
Please leave comments, questions and critiques below!