This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Members Only


Members Only is a WordPress plugin that allows you to make your blog only viewable to visitors that are logged in. If a visitor is not logged in, they will be redirected either to the WordPress login page or a page of your choice. Once logged in they can be redirected back to the page that they originally requested. You can also protect your feeds whilst allowing registered user access to them by using Feed Keys.



  1. Fixed a problem when there is no Feed Key with a call to an undefined function add_usermeta. Changed it to the correct update_usermeta.


  1. New Feature: Added redirection option for users who login directly to wp-login.php. You can now choose to redirect them to the Front Page or to the Dashboard as normal.
  2. New Feature: Added the ability to grant a one-time view to your blog from an Administrator’s IP address allowing XML RPC applications, such as WordPress for iPhone to be able to login.
  3. New Feature: Added the ability for Administrators to remove a User’s Feed Key as well as reset it.
  4. Fixed a problem with Feed Keys not working in all situations due to a typo.


  1. New Feature: Added the option of requiring Feed Keys even if the user is logged in.
  2. Changed the way Feed Key errors are display to the user. They no longer are displayed as a WordPress Error, Members Only now creates an RSS feed with the error in it.
  3. Fixed a bug where redirection to wp-login.php caused a redirect loop when WordPress was installed in different folder to the site URL.
  4. Fixed some admin page style issues with versions previous to 2.5


  1. New Feature: Added Feed Keys to give users unique URLs for your blog’s feed.
  2. Added the display of a user’s Feed Key in their profile, and you can choose whether they can reset it or not.
  3. Rewritten how feeds are protected by Members Only in order to use Feed Keys.
  4. Improved setup function for future development and features.
  5. Improved where how function behaves when Members Only is turned off rather than the plugin is deactivated.


  1. Fixed a bug where redirecting to a specific page was causing an endless redirection loop.
  2. Simplified redirection logic and made it simpler. Using template_redirect no longer requires the plugin to exclude wp-login.php, wp-register.php, xmlrpc.php or anywhere in wp-admin from being inaccessible, or to check if page is a 404.
  3. Added wp-feed.php to the list of files in the function that restricts access to feeds.
  4. Removed sprintf from the variable that gets the current URL.


  1. Added functionality making RSS feeds inaccessible. Calling the plugin at wp_head in previous versions made the feeds accessible without being logged in.
  2. Added the ability to toggle whether RSS feeds are accessible to the settings page.
  3. Changed where the plugin is call from wp_head to template_redirect which fixes an error where in some situations WordPress would give an error saying Warning: Cannot modify header information - headers already sent...
  4. Rewrote some functions in the plugin to make them tidier.


  1. Improved security on checking URLs. Replace all preg_match and replaced with strpos except checking for wp-admin URLs.
  2. Added checking for 404 pages. They now redirect to the login page too.
  3. Change where the plugin is called from init back to wp_head otherwise 404 pages can’t be redirected. If this causes problems, like the ‘Cannot modify header information’ error you can change this back to init but a 404 page will be able to be seen as normal.


  1. Actually fixed the critical flaw in the preg_match used to check the url highlighted by mrgreen. The fix in 0.4 didn’t work full as you could still add the full url of wp-login.php as a variable and bypass the check. The preg-match now uses parse_url to only check only the path of the url and nothing else. All users using Members Only should upgrade to version 0.4.1 as soon as possible to avoid this flaw being taken advantage of.


  1. Fixed a critical flaw in the preg_match used to check the url highlighted by mrgreen. All users using Members Only should upgrade to version 0.4 as soon as possible to avoid this simple flaw being taken advantage of.
  2. Excluded xmlrpc.php from being protected by Members Only.
  3. Tweaked Settings Page to suit WordPress 2.5


  1. Fixed an error where in some situations WordPress would give an error saying Warning: Cannot modify header information - headers already sent...
  2. Excluded wp-register.php and wp-admin/* from being protected by Members Only.
  3. Exposed the page the visitor original requested so it can be used as a global variable ($members_only_reqpage).


  1. Added the ability to specify the page to redirect to, and the ability to turn off the redirection to the requested page.


  1. Initial release.


The settings for Members Only are extremely simple. You have a check box that will toggle whether your blog can be access by visitors with or without logging in. The default setting allows visitors to visit your blog as normal.

If you choose to make your blog only accessible to visitors that are logged in, a visitor that isn’t logged in will be redirected to either the WordPress login page or a specific page of you choice. This choice can be selected via a drop down menu. You can enter the specific page to redirect to at the bottom of the options page, but if this field is left blank, visitors will be redirected to the login page instead

If you chose to redirect to the WordPress login page, you can also decide whether once the visitor has logged if they will be redirected back to the page that they originally requested. This can be toggled with a check box.

You can also choose how you protect your feeds on you blog. You can choose either requiring Feed Keys, require users to be logged in or have your feeds open to all. Feed Keys allow your users to access your feeds using feed readers or other things that don’t login to WordPress.

Feed Keys

Members Only can also protect you feeds in two ways. You can either require user’s to be logged in to the site to be able to access your feeds, require users to use Feed Keys to be able to access your feeds or have no protect on your feeds allowing anyone to access your feeds.

What are Feed Keys?

Feed Keys, are unique 32bit keys that are added to your blog’s URL in order to give every registered user a custom feed URL.
A Feed Key looks something like this: 206914af21373cc4792a057b067d2448

This is then appended to the feed url for your user in their User Profile, like the examples below, either without permalinks…

…or with permalinks

When a user visits a feed on your site, Members Only checks to see if there is a Feed Key in the query section of the feed URL and checks whether it is stored in the @wp_usermeta@ table of your WordPress database. If it finds the Feed Key in the database it allows access to the feed, otherwise it presents the user and error. An error will also be give if no Feed Key is found in the feed URL.

How and When are Feed Keys Generated?

A Feed Key is generated by creating a 32bit random alpha-numeric-case-insensitive string that is then hashed against the user’s username, insuring that no two users can ever have the same.

Feed Keys are generated when the user logs in to your blog. If they don’t have a Feed Key, one generated for them and stored in the wp_usermeta table in your database, otherwise they will use the one that is already stored in the database. An admin can also manually generate a Feed Key for a user by visiting there user profile and choosing the option.

If you allow it, users can also reset their Feed Keys from their user profiles or you can leave this to Admins.

One-Time View

Members Only now allows an Administrator to grant a one-time view from there own IP address. The IP is hashed with md5 and stored in the Members Only settings. Once the next visit from that IP address is recorded, the IP address is removed from the settings and your WordPress blog is protected as before.

This allows XML RPC applications, such as WordPress for iPhone and other third-party blog editors to login to the site for the first time. Subsequent visit from these editors don’t require this visit as they know where the xmlrpc.php file is, and this isn’t restricted by Members Only.

Known Issues

No known issues at this time.

If you find any bugs or want to request some additional features for future releases, please log them the projects tracker page


  • Options for Members Only
  • Displaying Feed Keys in a user's profile
  • Admin options for resetting a user's Feed Key


This section describes how to install the plugin and get it working.

  1. Download the archive and expand it.
  2. Upload the members-only folder into your wp-content/plugins/ directory
  3. In your WordPress Administration Area, go to the Plugins page and click Activate for Members Only

Once you have Members Only installed and activated you can change it’s settings in Settings > Members Only.


“Members Only” is open source software. The following people have contributed to this plugin.


Translate “Members Only” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.