How to Protect URLs in WordPress

Paid Memberships Pro can protect almost everything in your WordPress site without any custom code. But sometimes, you may need to protect URLs in WordPress for pages or archives that aren’t editable through the admin—such as your Blog page, custom post type archives, taxonomy archives, or other plugin-generated pages.

This tutorial provides a simple, customizable code recipe to block access to these URLs and redirect visitors to your pricing page or membership levels page.

Common WordPress URLs You Might Want to Protect

WordPress generates a range of dynamic URLs that can’t always be edited or managed directly, making them tricky to protect and secure. Some examples include:

• Blog Page: The primary blog page (e.g., /blog/) showcasing all posts.
• Custom Post Type Archives: For instance, /courses/ for educational websites or /recipes/ for food bloggers.
• Taxonomy Archives: Categories (e.g., /category/news/) or tags (e.g., /tag/resources/).
• Ecommerce Pages: Shop pages (e.g., /shop/) or product category archives.
• Custom User Dashboards: Pages like /level-2-dashboard/ for logged-in members only.

These pages often serve as entry points to valuable content or features that are for your premium members only. If you cannot edit these dynamic URLs and set up content restrictions in PMPro, this is the tutorial for you.

Protect URL in WordPress: How The Code Recipe Works

This code recipe is very specific and very simple to edit:

1. Define specific URL strings to protect.
2. Redirect unauthorized visitors (e.g., non-members, visitors, logged-out users) to a specific page.
3. Secure an entire content hierarchy by targeting a parent URL (e.g., /courses/ also protects /courses/python/). Think of the code as a short-circuit to protecting the entire tree of subpages.

It’s important to note that search bots and web crawlers are also redirected when you use this code. This means that the content on the page will never be crawled or indexed in search.

Understanding the Code Recipe

The code below uses two primary functions:

• pmpro_hasMembershipLevel: This function checks if the current logged in user has a membership level.
• wp_redirect: This core WordPress function triggers before any on-page content is loaded. When wp_redirect is run, the browser is immediately taken to the new target URL and will not see anything on the original destination URL.

To make this code work for your site, edit the $not_allowed array with each URL string to protect.

The Code Recipe (PHP)

Adding the Recipe to Your Website

You can add this recipe to your site by creating a custom plugin or using the Code Snippets plugin available for free in the WordPress repository. Read this companion article for step-by-step directions on either method.

Changing the Redirect Priority 

This function runs on the WordPress template_redirect hook: the last possible hook that runs before the page is displayed.

There may be cases where you want to run this redirect earlier, depending on whether you want other WordPress core or plugin-enabled features to run or be blocked.

To adjust the function’s priority, change line 49 to another WordPress hook, such as the init hook which looks like this:

add_action( 'init', 'my_redirect_nonmembers', 1 );

Extending This Code Recipe

You can extend in loads of ways. Some examples include:

• Check for one or more specific level IDs on line 26.
• Build multiple loops of level ID requirements and restricted URLs for tiered access.
• Update the redirected URL based on level ID.

With just a few tweaks to this code recipe, you can protect almost any URL on your WordPress site. Whether you’re running an association membership site, blog, or ecommerce store, this solution keeps your content safe and exclusive to the right audience.

For more help customizing the function for your unique needs, please reach out to our technical support team.