
Restrict Website Content in WordPress


Why Restrict Website Content?

One of the most common requests I receive as a WordPress developer is how to restrict website content to members, be it paying members or free registered members.

This tutorial explores one of the more straightforward methods for creating a membership-driven website with WordPress and provides an easy guide for organizations with limited technical resources.

There’s a variety of reasons a website owner may want to restrict content on a website, ranging from the desire to set up a private membership website or restricted area, to private articles for paying customers only.

If you’re looking to sell physical products or digital downloads from your website, you should read my post about selling online!

How to restrict website content on a WordPress website

The first, and most obvious, way to restrict website content in WordPress is to use the Password protect option found within the Post Publish screen, but this option is rarely suitable for restricting access as it has to be set on a per-post basis and has limited practical application.

Instead, let’s look at a solution that’ll meet each of the following criteria:

  • membership based access to posts, or unique content;
  • restrict website content to specific areas;
  • allows posts to display excerpts, and prompts for login;
  • includes free, registered, or paid access restrictions for all posts;
  • recurring payments, or one-time payment access;

To accomplish these goals, I recommend using Pippin’s Easy Digital Downloads as the core of a membership driven website for a number of reasons, not the least of which is the expandability of the WordPress plugin, as well as a great community that has swelled up to offer ongoing support to the plugin itself.

How to restrict website content with Easy Digital Downloads

Earlier in the year, I came across a post by Pippin Williamson on developing membership websites with EDD and while it was far from my first membership driven website, I was amazed by how easy his setup was.

The article outlined a few basic steps to creating a membership site, and after following them I had created the Power and Influence website with little effort.

Essentially, to restrict website content with Easy Digital Downloads, I followed these steps:

  1. Downloaded the free WordPress plugin Easy Digital Downloads;
  2. Added the premium add-ons Recurring Payments, and Content Restriction;
  3. Added the Stripe extension for a payment gateway;
  4. Configured the setup as per his instructions, and launched a membership website;

I found the process fairly easy but not without a couple of minor hiccups. For example, the plugin requires you to manually set each article as a restricted article. While this may not be a big deal for smaller sites, I could imagine it adding complexity for larger properties.

To restrict website content to a specific post, you simply open the post within the WordPress administrator and add Content Restriction to an individual post. The options box allows you to select which digital download to associate the article with, or to add multiple downloads as subscription indicators. For example, you can select that people have access to the article as soon as they’ve downloaded any digital download or a specific download.

In the case of the Power and Influence website, I wanted to restrict website content for all current content, as well as any new content created, so I created a simple plugin add-on for the website which marked all current, and future posts as requiring an active subscription to a specific product. This allowed me to save countless hours of manually restricting posts.

The second small alteration I made to the default functionality of Easy Digital Downloads was to add a redirect to restricted pages, bringing clients to a sales page with both free downloads and paid membership options. Again, it was a relatively small change to the default behavior of EDD but customized for the needs of a specific publication.
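The two customizations described above (every post restricted without a per-post setting, and a redirect to a sales page), sketched as an added example that is not the author's add-on and does not use the EDD Content Restriction API. It relies only on WordPress core hooks; the `example_members_` names, the "any logged-in user is a member" rule and the `/membership/` sales page are assumptions.

```php
<?php
/**
 * Plugin Name: Example Members-Only Posts
 * Description: Added example. Teaser plus login prompt for non-members, redirect on single posts.
 */

// Stop if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Hypothetical membership test: "member" here means any logged-in user.
 * A paid site would hook this filter and ask its membership plugin instead.
 */
function example_members_user_has_access() {
	return (bool) apply_filters( 'example_members_user_has_access', is_user_logged_in() );
}

/**
 * Every post is restricted by default, so current and future posts
 * need no manual per-post flag. Pages stay public.
 */
function example_members_is_restricted( $post ) {
	return $post instanceof WP_Post && 'post' === $post->post_type;
}

/**
 * Swap the body for a plain-text teaser wherever the_content runs.
 * Filtering the content (not just the template) also covers archives,
 * feeds and REST responses, which a theme-only check would leak through.
 */
function example_members_filter_content( $content ) {
	$post = get_post();
	if ( ! example_members_is_restricted( $post ) || example_members_user_has_access() ) {
		return $content;
	}

	$teaser = wp_trim_words( wp_strip_all_tags( strip_shortcodes( $post->post_content ) ), 55 );
	$login  = wp_login_url( get_permalink( $post ) );

	return '<p>' . esc_html( $teaser ) . '</p>'
		. '<p><a href="' . esc_url( $login ) . '">'
		. esc_html__( 'Log in to read the full article.' ) . '</a></p>';
}
add_filter( 'the_content', 'example_members_filter_content', 99 );

/**
 * Send non-members who open a single post to the sales page.
 * wp_safe_redirect() only allows local destinations, and the exit
 * stops the restricted template from rendering after the header is sent.
 */
function example_members_redirect() {
	if ( is_singular( 'post' ) && ! example_members_user_has_access() ) {
		wp_safe_redirect( home_url( '/membership/' ) ); // Hypothetical sales page.
		exit;
	}
}
add_action( 'template_redirect', 'example_members_redirect' );
```

The check fails closed: a request that WordPress cannot tie to a logged-in user, including an unauthenticated REST or feed request, gets the teaser only.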

Subscription-based restricted website content

With the relatively simple Content Restriction plugin in place, the website now worked how I hoped except that I needed to bill subscribers for access to the premium content, and to do this I opted for the Stripe payment gateway which allowed for onsite seamless billing, and the Easy Digital Downloads Recurring Payments module to ensure member accounts would be billed automatically as long as they maintained their subscriptions.

It would have been just as effective to use PayPal as a payment processing gateway, but for the relatively small fee of integrating the Stripe payment gateway into the website, it improved the user experience tremendously by ensuring the website visitor didn’t leave the site during the entire experience.

There are a few minor things a website needs to run Stripe as a payment gateway:

  • an SSL certificate (allows secure communication between the website and client);
  • a website host that will support SSL certificates;

To host the new website, I chose Media Temple’s managed WordPress services. Media Temple has an excellent reputation for hosting and recently introduced a powerful managed WordPress solution with great reviews. On top of being able to comfortably handle both the routine traffic and traffic spikes associated with an online publication, Media Temple offers SSL certificates for websites without resorting to virtual servers.

Once I created an SSL through Media Temple and assigned it to my domain name, I created an account and activated the Stripe module on my website, tested the account and began selling subscriptions to restrict website content almost immediately.

The Cost to Restrict Website Content

While the cost of building a website to restrict website content with Pippin’s Easy Digital Downloads was relatively low, it did involve the purchasing of a few specific items.

  • Easy Digital Downloads Plugin – Free
  • Content Restriction (EDD Extension) – $29
  • Recurring Payments (EDD Extension) – $83
  • Stripe Payment Gateway (EDD Extension) – $49
  • Media Temple Hosting (per year) – $348
  • SSL Certificate (per year) – $75
  • Total – $584

Setting up the Easy Digital Downloads membership site to restrict website content, and interact with Stripe took about a day with additional time set aside for site-specific customization. Of course, the time involved for each individual website would vary based on the unique needs of the website.

If you would like to receive a custom quote for a membership-based restricted website content solution, I would love to have the opportunity to provide an estimate.


While I had to do a couple of small custom upgrades to the Easy Digital Downloads plugin to get it to restrict website content the way I wanted, Pippin’s article on how to set up and run a WordPress membership website was exceptional and I was up and running in no time. In the end, I purchased the developer edition of the Core Extensions Bundle, and the Stripe extension so that I could build an unlimited number of membership websites in the future and I’d highly recommend his solution for anybody looking to develop a membership website.

If you’ve used EDD or another membership plugin to restrict website content on a WordPress website, I’d love to hear your suggestions or feedback in the comments below.

What to do After Installing WordPress


What do you do after installing WordPress? Don’t get me wrong, I love WordPress so much that you’ll often find me making child themes with it, but we’ve also been together long enough that I can tell you it’s not perfect.

There are some things that I wish WordPress would do right out of the box, but luckily there are some great plugins out there to help make it better.

After installing WordPress, where do you start?

After you’ve finished installing WordPress, it’s time to get serious and start making it awesome. This tutorial is designed to help people new to WordPress get over the first few hurdles after installing WordPress onto a new hosting company. If you’re not familiar with how to install WordPress, I’d recommend getting started with a simpler tutorial on installing WordPress.

Securing WordPress

Step one, make sure WordPress is secure by taking a few steps to secure WordPress.

Read (and implement) the article on Hardening WordPress. This is an article from the official WordPress repository and will cover most of the steps you’ll need to keep your WordPress website updated, and protected from the majority of basic attacks. Remember, no site is completely secure, but this post will help you protect against most attacks.

Protect your WP-Config file

The most critical file (from a security perspective) on your website is named wp-config.php and is located in the root of your website folder. It’s likely the only file on your website that contains your database credentials (address, username, and password) so it’s vital that this file be as safe, or safer than the rest of your website. We can protect it by doing a couple of things:

  • first, let’s run the Protect WP-Config.php plugin (or implement a similar solution) that’ll stop people from trying to load the file from web browsers;
  • next, on many servers, we can move the wp-config.php file out of our public_html directory and into a more secure location.

Hide your current WordPress version

By default, WordPress includes a special tag in the HTML of your website document which identifies WordPress and its version number to web browsers, as well as malicious hackers. Obviously, it’s easier for hackers to attack your website if they know your version number, so instead let’s hide your current WordPress version.

Add better WordPress security

There’s a variety of plugins out there that’ll help boost your WordPress security. Personally, I use Better WordPress Security to change your admin account, test your users’ passwords, and monitor your traffic for potential hacking attempts. In addition, you should follow my tips for making WordPress more secure and How to Hack WordPress.

Protect your WordPress content

When you’re improving the security of your website, you should also consider adding protection from people who are trying to steal your content.

My old frame buster plugin is designed to stop other people’s websites from loading your content into website frames and profiting off of them. While far less common in 2014 than before, it was at one point a common practice for less reputable sites to load banner ads and display the content of another website below them.

Another common practice that has gone out of style is that of bandwidth theft, or loading images from other domains. In years gone past, websites would often load images from other domains to save on website hosting costs. The Hotlink Protection plugin was designed to cut down on the number of external sites loading images directly from your website domain name.

Improving the WordPress Experience

Once you’ve set up WordPress and taken the steps above to protect it, ensuring visitors can leave feedback is the next important step!

Improving WordPress Comments

At the heart of WordPress is the WordPress commenting system, allowing visitors to leave comments and offer support to your new posts. Most themes come with a great comment system already built in, but the free WordPress plugin JetPack can help even further by adding a powerful new way for users to connect to your blog with Twitter, Google+, or Facebook accounts when leaving comments.

Another free plugin by Automattic that’ll help your personal blog is Akismet, the best anti-spam filter available for a WordPress blog. Akismet works by checking post comments against a rich set of tools and searching for likely SPAM (unwanted commercial messages) comments. The plugin has a commercial version, as well as a free version for individuals.

Improving WordPress Feedback

Another powerful tool found in the Jetpack plugin, the contact form ties into Akismet to allow (nearly) SPAM free feedback directly from the web. The form can be included as a widget, within your theme, or inside a typical post.

Alternatively, if you’d like to remove comments from WordPress, it’s possible to remove the commenting system from the front end of WordPress altogether. This is particularly important if you’re running WordPress as a Content Management System (CMS) rather than a blogging platform.

Pingbacks and Trackbacks are a remnant of WordPress’s origins as a blogging platform, and often cause confusion for new bloggers, especially when deep linking for SEO purposes. Pingback appears in WordPress as a comment, but it’s an automated message sent from one post to another, to let you know when another blog has included a link to your story. If you spend a lot of time deep linking from post to post in your blog, you’ll definitely want to stop pinging your own blog posts with the help of a simple plugin.

Improving How the Web Sees WordPress

Setting up your Permalinks

After installing WordPress, don’t forget your Permalinks! They’re going to help improve your SEO power.

A Permalink is a fancy name for your website address, and more specifically the address of your posts and pages within WordPress. By default, the URL to your post will appear as where 34990 is the unique identifier of a post but if we want it to appear as something more visually appealing, such as we can do that by setting up our Permalinks with the admin at Settings > Permalink.

While the options are fairly self-explanatory, you’ll notice as you change your permalink structure the Custom Structure option will change to reflect your current selection. If you’d like to create a unique Permalink structure, you can follow the tips on the Using Permalinks guidelines.

Another Permalink plugin I love to use on my own sites, SEO slugs, is a simple WordPress plugin that’ll remove common words such as a, an, the, and or from your WordPress slugs. To be honest, I’m not sure that it helps with search engine optimization, but it does shorten the length of your permalinks and focus their keyword value.

Setting your Site Title and Tagline

Buried in the General settings panel (Settings > General) for WordPress is an option to set the Site Title and Tagline. These two items are vital to your website’s success because they appear throughout most themes as titles, tags, and search engine optimized focus tags.

Ensure You’re Connected to Google

Take the time to add your website to Search Console so that you can keep track of how Google is indexing your website, and what improvements you should be making to get links from other websites.

Relabel Your Uncategorized Category

When WordPress ships, the first category it creates is labeled Uncategorized, and it’ll automatically put your new posts into that category unless you specifically choose to place them in another category. One of my first steps when setting up a new WordPress blog is to simply change the name (and Permalink) of this category to something more generic such as News, Blog, or specific to the blog.

More Steps for WordPress

This post was created as an entry-level guide to setting up a WordPress website, and more importantly what to do once you’ve installed the basic software but there are plenty more steps a blogger should take, and likely deserve posts of their own. For example:

  • add a WordPress SEO plugin such as Yoast;
  • add a caching script to ensure your website is safe from sudden traffic spikes;
  • add a backup plugin if your security plugin isn’t already doing it for you;
  • set up Google Search Console (Webmaster Tools), which will help you track your website issues and suggest how to fix them;
  • set up Google Analytics, which will help you see who’s visiting and provide you with website traffic data;
  • use Jetpack to auto post to Facebook, Twitter, LinkedIn and a variety of other social sites;

Did I miss anything? Let me know in the comments below.

How to set up a blog

One of the most common questions I get asked here on the site is a relatively simple one, how do you set up a blog?

First, let’s establish what a blog is and what it isn’t.

A blog is a running editorial, while it has a start date (the day you put it online) there is no end date. It’s not like sending a flyer to a printer, it’s more like a newsletter where you continuously update the content and newer posts (usually) appear at the top.

A blog gives you the ability to allow users to comment on your posts, but it is not a forum which allows general users to start conversations. Generally, a blog is written from the perspective of a group of authors on a specific subject and read/responded to by the general public.

Excellent examples of blog usage would be for couples getting married who want to share their details with family and friends, travelers who are posting updates as they find accessible computers or companies who are sharing information about their events. More formal uses of blogs can be found in daily newspapers, online magazines and even support websites which post commonly asked questions and receive comments from users.

Blogging removes the need for complex software solutions and rarely requires more than a basic knowledge of computer use. Unlike publishing a website, blogs almost always feature a rich content editor similar to Word or other popular desktop publishing packages.

To operate a blog of your own, you’ll need to set up some fairly basic web technology.

  • You’ll need a domain name (this is your address on the web)
  • You’ll need a web host (this is where your files are stored on the web)
  • You’ll need to install a blogging package (this is what allows you to run a blog)

Luckily, to accomplish all these tasks there’s a wonderful, simple solution called BlueHost which offers a turnkey blogging solution for new businesses. Their introductory package offers free domain name registration as well as one-year hosting and free installation of WordPress, the world’s most popular blogging package for just $6.95 per month.

When you’re ready, get started with your blog today!

How to run a website with WordPress

WordPress is a blogging package, right? Well, if you think that, you’re right, but only partially. WordPress, which is most likely the world’s most popular blogging package, is also a great piece of software to power small business websites.

In all of these cases as well as many, many others WordPress was used to create and manage complex websites which skyrocketed to the top of Google’s Search Engine Results Pages because they used WordPress as a powerful content management tool, making the website much easier to manage and therefore a better tool for busy marketing staff.

How do you use WordPress to run a website?

Actually, that’s the best part of WordPress. Once you’ve signed up for a great hosting package such as Bluehost’s $6.95 per month solution, you can install WordPress by simply clicking their one-step installation process and voila! Your website is set up with the world’s most powerful blogging package instantly.

So then, how do you use WordPress to run a website? Once you’ve installed WordPress you’ll need to make changes to a few key files, called template files. These template files are what control how your website looks to visitors. Here’s what you need to know:

  • The header.php file is what appears on all pages at the top of your page
  • The footer.php file is what appears on all pages at the bottom of your website
  • functions.php is where you store common PHP code to call it from all pages, most often you can ignore this
  • index.php is the heart and soul of your website, technically you can remove all the other .php files and format just this page to make every page on your website look the same.
  • pages.php is used to format content edited in the Pages tab of the WordPress control panel
  • single.php is used to format content edited in the Posts tab, by separating these two you can format pages (such as About Us or Contact Us) to look different than content pages (such as a press release or CEO blog)
  • categories.php is used to format pages which list posts, archives.php is similar but for tags
  • search.php is used to format the results of a search

Once you’ve changed the look and feel of your website, you can use the built-in WordPress editor to allow different members of your team to post content to the website, add marketing or press releases and even adjust prices!

WordPress Security for Your Business


As we recently saw with the @n attack, WordPress security isn’t just a big business concern. It’s everybody’s concern, and the only way to protect your WordPress website from potential attacks is to take the time and learn about website security.

With that in mind, let’s look at a few critical things you can do to protect yourself, and your website from attacks.

WordPress Security and Passwords

WordPress security is one of the most important aspects of running a website, it’s key to keeping you and your customers safe.

I appreciate we’re all sick of hearing how important it is to have secure passwords but it really, really is. The main weakness a prospective hacker will exploit is to attempt to breach your security via a weak password. So, be sure that your password follows some simple rules:

  1. the longer the better, aim for at least 10 characters;
  2. include a variety of character types (UPPERCASE, lowercase, numeric, and special characters such as !@#$);
  3. avoid common words, and meaningful phrases (e.g. birthdays);

If you want to check how strong your password really is, you can use the Microsoft Password Checker.

Keep in mind that you’ll have to remember your password too, so don’t make it too complex or you’ll forget! A great trick I like to use is to use a passphrase that will only make sense to me but is easy to remember.


For years my Facebook password was forgetthepubletsgettacos. It’s a long phrase at 24 characters but is remarkably easy to type on a standard keyboard and easy for me to remember.

File Transfers

Every website will eventually need to transfer files, and the method you choose to connect to your website can be brutally exploited. A standard FTP transfer protocol (how you put files onto your website) transfers your awesome new password across dozens of Internet computers in plain text.

Yes, in plain text.

That means that no matter how complex your password is, every time you connect to your website, you’re exposing it to potential hackers. The solution is to connect to your website using an SFTP (Secure File Transfer Protocol) instead. Most good hosts including WP Engine and Bluehost offer SFTP connections for free.

Adding Security to your WordPress Administration

Once you’ve taken the basic steps of ensuring your password is both hard to guess and hard to steal, the second most important step of securing your WordPress website is to make sure your administration area is hard to break into.

There are a handful of plugins I highly recommend for protecting your WP Admin area:

Google Authenticator – a handy plugin that will make users include a unique (and ever-changing) series of numbers from Google.

The code rotates every minute or so and is visible only on a synced smartphone.

Better WP Security – the number one security plugin for WordPress is a powerhouse of security upgrades and checks for WordPress.

I really can’t praise this plugin enough, and couldn’t imagine running a website without it.

This is just a quick tip on how to make WordPress more secure. If you’re looking for a comprehensive guide to helping you improve the security of your website, visit the Hardening WordPress article on the official WordPress Codex.

Site-specific Plugin for WordPress

A site-specific plugin is a plugin designed to only work on one WordPress website and isn’t generally released into the WordPress plugin ecosystem.

What is a site-specific plugin and how does it help WordPress? WP Beginner recently had a simple tutorial on how to disable the XML-RPC in WordPress, as @nacin points out, it’ll be enabled by default in WordPress 3.5. Security wary website owners would be wise to decide for themselves if this is a good idea, and the WP Beginner article gives you a quick tutorial on how to disable it.

What was interesting to me, however, was a question left in the comments by Keith:

Hi Guys
Sorry to be a bit thick but could you expand on “All you have to do is paste the following code in a site-specific plugin:”

Which plugins are site specific?

The answer, of course, is no plugins are site-specific unless you make them, which leads me to this article.

What is a site-specific plugin?

At the most basic level, a WordPress plugin is a way to extend WordPress, and a site-specific plugin is one that is designed to only be executed on a single website, or in some limited environments a group of sites for a specific task.

Most often this is to host PHP functions commonly stored in the functions.php file (or a site-specific plugin for WordPress) which do not directly relate to the theme. This way, site functionality can be maintained and separated from the theme file.

Why would I need a plugin specific to one website?

Anytime you want to have code unique to a website but not dependent on the theme, using a site-specific plugin is the best way to accomplish this goal.

For example, on I maintain about 40 unique shortcodes, many of which I need to run the site. If I changed themes, I would lose these shortcodes or be required to move them to the new theme. If on the other hand they’re stored in a plugin, I can change themes often and not risk losing unique code.

Can site-specific plugins ever be used on multiple sites?

Yes, while they’re commonly used to house the functionality of a single domain, they can also be used to share important functionality across multiple sites within a family of sites.

Websites which host multiple versions, for example, be that for mobile devices vs. desktops, geographical requirements (Europe or the Americas), or language needs (English, French). Site-specific plugins allow shortcodes, functions, Widgets, etc to be stored and shared without needing to replicate the code in individual functions.php files.

How do I create a site plugin?

Creating a site-specific plugin is the same as creating any other WordPress plugin but instead of uploading it to or distributing it, you’ll upload and activate it on your own WordPress blog.

Here’s a simple empty site-specific plugin for WordPress to get you started:

If you simply copy that code into a new PHP file and upload it to your wp-content/plugins/ folder, you’ll be able to activate the plugin in your WordPress Plugins page although at the moment it doesn’t do anything.

This version of the plugin adds the unique code from WP Beginner’s article to your website.
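As an added example (not the listing from the original post), here is a site-specific plugin that collects several of the hardening steps this page mentions: XML-RPC disabled, the version tag hidden, framing by other sites refused, and self-pings dropped. The plugin name and the `example_site_` function prefix are placeholders; the hooks themselves are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example Site-Specific Plugin
 * Description: Added example. Site-only hardening kept out of the theme's functions.php.
 * Version:     1.0.0
 */

// Stop if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Disable XML-RPC methods that require a login. Unauthenticated methods
// such as pingback.ping are not switched off by this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Hide the WordPress version: drop the generator <meta> tag from wp_head
// and blank the generator string that feeds would otherwise carry.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * The core version also appears as ?ver= on enqueued scripts and styles.
 * Strip it only when it equals the core version, so plugins and themes
 * that use their own version for cache-busting keep working.
 */
function example_site_strip_core_version( $src ) {
	if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'style_loader_src', 'example_site_strip_core_version' );
add_filter( 'script_loader_src', 'example_site_strip_core_version' );

/**
 * Frame busting without JavaScript: tell browsers not to render the site
 * inside frames on other origins. The CSP header is added alongside any
 * existing policy (second argument false) instead of replacing it.
 */
function example_site_send_frame_headers() {
	if ( ! headers_sent() ) {
		header( 'X-Frame-Options: SAMEORIGIN' );
		header( "Content-Security-Policy: frame-ancestors 'self'", false );
	}
}
add_action( 'send_headers', 'example_site_send_frame_headers' );

/**
 * Stop the site from pinging its own posts when one post links to another.
 * pre_ping passes the list of links by reference, so entries are removed in place.
 */
function example_site_no_self_ping( &$links ) {
	$home = home_url();
	foreach ( $links as $key => $link ) {
		if ( 0 === strpos( $link, $home ) ) {
			unset( $links[ $key ] );
		}
	}
}
add_action( 'pre_ping', 'example_site_no_self_ping' );
```

Hiding the version only removes an easy fingerprint and does not replace keeping WordPress updated; pages served from a full-page cache may also skip the `send_headers` hook, in which case the frame headers belong in the web server configuration.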

Should I use a site-specific plugin on a multisite version of WordPress?

There’s absolutely no reason not to. Each site-specific plugin can be installed on a multisite version of WordPress and activated individually.

Alternatively, for website owners with multiple sites of a similar nature, you can use this method to create and share common functionality on a multisite version of WordPress. For example, I run a few websites off a single shared plugin which generates my headers, footers and allows access to shortcodes across all sites.

Let me know if you have any other great uses for site-specific WordPress plugins

WordPress Local Development Setup

Working offline with WordPress and a MAMP Environment

WordPress Local Development

In this tutorial, we’re going to set up a WordPress local development installation on your computer (laptop or desktop) to help you develop better WordPress themes and plugins, as well as test WordPress outside a live web environment.

What you’ll need to install WordPress on your local computer

In order to accomplish this tutorial, you’ll need to download a couple of pieces of free software from their source websites:

  1. WordPress
  2. XAMPP –

The first piece of software, of course, is WordPress, which is the software we’re trying to get running on your local computer. The second, XAMPP is a self-contained LAMP (Linux, Apache, MySQL, PHP) server with all the setup already completed and optimized.

Setting up XAMPP on your local computer

Setting up a WordPress Local Development environment with XAMPP is pretty straightforward.

The installer for XAMPP is a simple process, just follow the steps as you would with any regular installer and wait for the installation process to complete.

Once done, your computer will have a fully functional web server installed and running. From this point, you’ll be able to run any LAMP web application on your local laptop.

Why XAMPP? Before I continue, there are alternatives to XAMPP including a Macintosh-specific and Windows-specific version of the software. I’m not sure if the others are any better or worse, but I prefer XAMPP and since it comes in Mac, Windows, and Linux versions it’s the one I’ll recommend.

Configuring your WordPress Local Development Database

The next step is to set up a database for WordPress in XAMPP. To do this, you’ll need to open the XAMPP application and turn on the web servers. After turning on your web servers, you should be able to visit your local website environment at http://localhost/ and see the welcome page for the XAMPP server.

To use WordPress on your XAMPP server you’ll need to set up a database by following these simple steps:

  1. open http://localhost/ in a web browser;
  2. open the phpMyAdmin link to open your database manager;
  3. select Databases from the navigation tabs;
  4. create a new database with an appropriate name (wordpress for example);


Now that you have a database for your WordPress local development environment to populate, it’s time to install the software properly.

Installing a WordPress Local Development Copy

Installing WordPress on your local server is now as simple as it would be on any website server except it’s local.

  1. download WordPress from the official source;
  2. decompress the archive;
  3. move the resulting folder to your local htdocs folder;
  4. set the folder permissions so everybody can read/write;
  5. open your new WordPress website at http://localhost/wordpress/ and enjoy;

Since I’ve done this a number of times over the years, there are a few things that I like to keep in mind to help me make the process smoother.

Set your file permissions

Take the time to set your file permissions on the WordPress folder. It may not seem a big deal but without the ability to write files, WordPress will struggle to create the required wp-config.php, .htaccess files, directories, and plugin files you’ll need later.

Local database settings

When you’re setting up WordPress, you’ll need to remember your basic credentials:

  • Database Name – wordpress
  • Database User – root
  • Database Password –
  • Database Host – localhost

Remember, there is no password by default for connecting to your local database.

What’s Next?

After you’ve successfully installed your local copy of WordPress, take a few moments to set up your website properly with the right plugins and themes you’ll need to get started. Remember, if you’re using your local development environment to test a website, you can still follow the same internal linking and deep linking rules, they make a huge impact on your Search Engine Optimization.


If you’re still looking for help setting up your own local hosting environment for WordPress, here are some great resources that I can recommend:

Of course, installing WordPress locally creates its own set of problems, from how to migrate your database between a test environment and the live hosted site, to how to debug WordPress, develop themes, and connect to your server. I’ll do my best to find you some new tutorials to help you solve some of those problems shortly.

For bonus coolness, if you set up your IDE correctly you can make edits to your themes without having to upload anything to a web server. I use this technique regularly while sitting in airport terminals without a strong WiFi connection.

I’d love to be able to sync my live blog directly with my local offline copy every now and then so that I can always have a fresh copy on my MacBook. What would you do?