DEV Community

Cover image for Supracorona Login Gate: Simple Access Control for WordPress Sites
Dejan S. Višekruna
Dejan S. Višekruna

Posted on

Supracorona Login Gate: Simple Access Control for WordPress Sites

For internal websites, client portals, development environments, and WordPress projects that should not be publicly accessible.

Not every private WordPress website needs a complete membership system.

Sometimes there is no need to manage subscriptions, membership plans, payments, complex user roles, or dozens of content-access rules.

Sometimes the requirement is much simpler:

The website should only be accessible to logged-in users.

That is the reason I created Supracorona Login Gate, a lightweight WordPress plugin that places a simple access gate in front of a website.

When the plugin is enabled, logged-out visitors cannot browse protected site content. Instead, they are redirected to the standard WordPress login page or to a custom page selected by the site administrator.

The plugin is now published on WordPress.org:

Supracorona Login Gate


The problem the plugin solves

Many WordPress projects are not intended to be publicly accessible at every stage of their lifecycle.

They may be:

  • development or staging websites;
  • internal company or organization websites;
  • client portals;
  • private knowledge bases;
  • documentation websites intended only for team members;
  • projects being prepared for launch;
  • demo websites available only to selected users;
  • websites temporarily closed during migration or reconstruction.

WordPress provides privacy controls for individual posts, but that is not the same as restricting access to the entire website.

Installing a full membership plugin is possible, but it is often far more than the project requires. Such systems may introduce additional database tables, large settings panels, custom profiles, login forms, subscription management, and complex rule engines that will never be used.

Supracorona Login Gate has a much narrower responsibility.

It is not intended to become a complete membership platform. It is intended to answer one clear question:

Is the current visitor logged in?

When the answer is yes, the website behaves normally.

When the answer is no, the visitor is redirected before protected content is displayed.


A single access gate for the whole website

The central idea behind the plugin is site-wide protection.

Administrators can enable or disable the access gate from:

Settings → Supracorona Login Gate

Once protection is enabled, logged-out visitors can be redirected to one of two destinations:

  1. the standard WordPress login page;
  2. a custom page on the website.

The native WordPress login page is the simplest choice for internal websites and projects where users already have accounts.

A custom page is useful when the website needs to display additional information, contact details, or a more appropriate message, such as:

  • this website is available only to team members;
  • access to this project is restricted;
  • contact the administrator to request an account;
  • this project is still under development;
  • the public website will become available soon.

The plugin therefore does not force every website into the same workflow. The administrator can choose the behavior that makes sense for the project.


Returning users to the page they originally requested

One practical problem with login protection is losing the page that the user originally wanted to visit.

For example, a user receives a direct link to an internal documentation page:

https://cool-domain.tld/internal-documentation/project-architecture/
Enter fullscreen mode Exit fullscreen mode

Because the user is not logged in, WordPress redirects them to the login page.

Without preserving the original destination, the user may end up in the Dashboard after logging in and then have to search for the document again.

Supracorona Login Gate can preserve the requested path and return the user to the original page after a successful login.

It is a small feature, but it noticeably improves the experience of internal portals, documentation websites, and projects where direct links are frequently shared.


Direct login: Dashboard or front page

Not every login starts with an attempt to access a specific protected page.

Sometimes a user directly opens:

https://cool-domain.tld/wp-login.php
Enter fullscreen mode Exit fullscreen mode

For those cases, the plugin provides a choice of destinations after login:

  • the WordPress Dashboard;
  • the website front page.

The Dashboard is the logical choice for administrators, editors, and users who work with content.

The front page is often a better destination for internal portals, client websites, and projects where users interact with the frontend rather than the WordPress administration area.

This allows the same plugin to support different types of WordPress projects without requiring theme modifications or additional redirect code.


RSS feed protection

When protecting a WordPress website, it is easy to forget about RSS feeds.

A website may appear closed in the browser while its posts remain accessible through URLs such as:

https://cool-domain.tld/feed/
Enter fullscreen mode Exit fullscreen mode

or:

https://cool-domain.tld/comments/feed/
Enter fullscreen mode Exit fullscreen mode

Supracorona Login Gate therefore includes an optional RSS feed protection setting.

When feed protection is enabled, logged-out visitors cannot access feed content. When it is disabled, RSS feeds remain publicly available.

This is particularly important for:

  • internal blogs;
  • private documentation;
  • company knowledge bases;
  • websites containing material that should not be indexed or retrieved by feed readers.

Feed protection is optional because some projects may intentionally restrict the website frontend while keeping their RSS content public.


Independent of the active theme

The plugin does not require any changes to the WordPress theme.

There is no need to add code to functions.php, create custom template files, or integrate the plugin with a particular page builder.

Supracorona Login Gate operates during the WordPress request flow and redirects logged-out visitors before protected content is rendered.

This means it can continue working after:

  • changing the active theme;
  • modifying a child theme;
  • redesigning the website;
  • moving from a classic theme to a block theme;
  • changing the template structure.

The plugin’s admin stylesheet is loaded only on its own settings screen, so it does not add unnecessary CSS to the frontend or unrelated WordPress administration pages.


What the plugin deliberately does not do

Supracorona Login Gate is not intended to replace a complete membership system.

Version 1.0.0 does not attempt to manage:

  • paid memberships;
  • subscriptions;
  • access tiers;
  • role-based content visibility;
  • individual rules for every post;
  • user registration;
  • member profiles;
  • frontend account areas;
  • e-commerce content access.

This version also does not include a whitelist system for individual pages.

The current model is intentionally straightforward:

the website is available to logged-in users, while logged-out visitors are redirected.

That limitation is deliberate. It keeps the plugin small, understandable, and focused on one specific responsibility.


Plugin-level protection is not server-level protection

It is also important to understand the limits of this type of solution.

Supracorona Login Gate protects content that passes through WordPress and its standard request flow. It is designed to restrict access to WordPress pages, posts, archives, and feeds.

It is not a replacement for server-level protection such as:

  • HTTP Basic Authentication;
  • VPN access;
  • firewall rules;
  • complete staging-environment protection;
  • IP-based access restrictions.

Files that are directly accessible on the server, including certain media files, may require additional web server configuration.

For highly sensitive development environments, the safest approach is to combine WordPress-level access control with server-level authentication.

Supracorona Login Gate is intended for situations where a project needs a simple and practical way to restrict access to WordPress content without introducing an entire membership infrastructure.


Caching requires attention

Caching systems may store a publicly generated version of a page and serve it later without executing the normal WordPress request logic again.

For that reason, a caching plugin or server cache should be configured so that it:

  • does not cache protected content as public content;
  • correctly distinguishes logged-in and logged-out users;
  • excludes protected pages from caching when necessary;
  • clears existing cached pages after access protection is enabled.

The plugin can correctly redirect WordPress requests, but an incorrectly configured cache may bypass the expected request flow.

After enabling protection, it is a good idea to test the website:

  • in a private or incognito browser window;
  • as a logged-in user;
  • as a logged-out visitor;
  • after clearing browser and server caches;
  • through both the main RSS feed and the comments feed.

Why a small plugin still makes sense

The WordPress ecosystem often approaches small problems with large solutions.

Sometimes that is justified. Complex projects genuinely require complex systems.

But there is another category of projects where a focused plugin is a better fit:

  • it is easier to understand;
  • it is easier to test;
  • it provides fewer settings;
  • it introduces fewer dependencies;
  • it does not try to control unrelated parts of the website;
  • it is easier to remove when it is no longer needed.

Supracorona Login Gate follows that approach.

The plugin has one clearly defined responsibility: control access to a WordPress website based on the visitor’s login status.

It does not try to become a complete security platform, membership system, or user-management suite.

It is an access gate — and that is exactly what it is supposed to be.


How the plugin came to be

Supracorona Login Gate did not begin as a deliberately planned new product.

For years, I used an older plugin to restrict access to WordPress websites. It was no longer actively maintained, but it still solved a very specific problem that I regularly encountered on development, internal, and private projects.

With each new WordPress release, its behavior had to be reviewed, outdated code had to be adjusted, and additional changes were needed to keep it compatible with current WordPress standards. What started as maintaining an existing solution gradually turned into a much larger rewrite.

Over time, the code structure, prefixes, option names, administration interface, data validation and sanitization, redirect handling, feed protection, and overall plugin organization were changed. The settings were reorganized, and the behavior was adapted to better match the needs of modern WordPress projects.

Eventually, it no longer made sense to treat the result as another locally patched version of an abandoned plugin. It had become a separate codebase with its own name, maintenance process, testing, and development direction.

That is how Supracorona Login Gate came to be: from the practical need to preserve a simple site-wide access model while rebuilding it as a modern, maintainable, and independent WordPress plugin.


The first release

Version 1.0.0 includes:

  • site access restricted to logged-in users;
  • redirection to the native WordPress login page;
  • redirection to a custom page;
  • return to the originally requested page after login;
  • configurable destination for direct logins;
  • optional RSS feed protection;
  • a simple settings screen;
  • independence from the active WordPress theme.

Supracorona Login Gate is available from the official WordPress plugin directory:

https://wordpress.org/plugins/supracorona-login-gate/

This is the second public WordPress.org release under the Supracorona name, following Classic Visual Editor Options.

One focused problem at a time. One plugin at a time.


Top comments (0)