benlk
commented
11 months ago I asked VIP, and this is what their support agent said:
Yes, the default post password function included in WordPress works as expected on VIP, as it sets a
wp-postpass_{hash}cookie in the user's browser:https://codex.wordpress.org/Using_Password_Protection#Password_Protected_Posts
The
wp-postpass_*is an insecure password stored in plain text in the database. It is meant to be shared with other users, retrievable, and modifiable. Post passwords are not intended to be secure authenticators; for that WordPress has private posts that require full authentication. While the post password is not stored in plain text in the cookie, a hashed version is.The password-protected content workflow looks like this: WordPress serves the password form Password is submitted via POST to
/wp-login.php?action=postpassWordPress talks to the DB and confirms the password matches Thewp-login.phppage drops a cookie that starts withwp-postpass_, which has a salted version of the post ID and the password, eg.wp-postpass_****=****Thewp-login.phprequest returns a 302 header which redirects back to the password-protected page The cookie is what validates that they can access the content, and requests with a valid cookie get anx-cache: PASSheader for that password-protected page to prevent the content from being cached.
Is your enhancement related to a problem? Please describe.
https://github.com/10up/10up-experience/blob/14c8794c9c9b34764fa379c45d9112045db03ff4/includes/classes/PostPasswords/PostPasswords.php#L67
This notice is vague:
I'm filing this issue because I couldn't find those answers in this plugin's documentation, or in the WordPress documentation at https://wordpress.org/documentation/article/protect-posts-with-password/ , or in the documentation of the host (WP VIP) for a client project.
Designs
No response
Describe alternatives you've considered
Possible resolutions:
Code of Conduct