Large organizations spend lots of money on access management tools such as Azure Active Directory (AAD) and have teams dedicated to managing it. But what if you don’t have the budget, bandwidth, or team to manage a complex system like AAD? Maybe you have a small library of content that you want to allow several of your partners to browse, but you don’t want to share it with the rest of the world. In that case, creating a portal using WordPress might be a viable solution to your problem.
In this post we’ll cover two methods to implement a portal with WordPress:
- With custom PHP code (which assumes some developer knowledge of how WordPress works), and
- With a plugin.
What is a Portal?
A portal is a WordPress implementation that can:
1. Manage our content library.
2. Restrict access to the content to our partners only.
3. Manage our partner user accounts.
4. Allow our partners to log in.
The good news is that WordPress provides 1, 3, and 4 out of the box. WordPress is geared towards publishing public content, so we will have to handle item 2, the content restriction, ourselves. However, as we will see shortly, WordPress has the concept of user roles and capabilities built-in, so when we say we have to “handle the content restriction ourselves”, it really is just a matter of tweaking a couple of WordPress defaults with a few code snippets; we won’t need to code an entire access system from scratch.
WordPress User Roles
Before we get to the portal itself, it is important to understand user management in WordPress. As the owner of your WordPress site, you have the Administrator role. This allows you to do anything and everything on your site, including adding, editing, or deleting content. When you add user accounts for your partners to access your content, you’ll want to make sure to set their roles correctly. The default role for new accounts is Subscriber. This role allows the user to read content, but not create, edit, or delete it. So the Subscriber role is a good selection for your portal users.
Portal Code Snippets
If you are planning to set up a new standalone portal, you can simply lock the entire site down so only logged-in users can access it. To accomplish this, add the following code snippet to functions.php or put the snippets in a plugin file:
// Snippet A
add_filter('auth_redirect_scheme', 'portal_auth_redirect_scheme');
function portal_auth_redirect_scheme() {
    return 'logged_in';
}
// Snippet B: put your entire site behind a login
add_action('template_redirect', 'portal_template_redirect');
function portal_template_redirect() {
    auth_redirect();
}
Snippet A filters auth_redirect_scheme so that auth_redirect accepts the 'logged_in' authentication scheme, which lets logged-in users through instead of redirecting them to the login page. Snippet B checks for authentication on all pages; by default WordPress only checks for authentication on the admin (/wp-admin) pages. template_redirect is an action that fires for every page before it is rendered, so it is a good spot to check for authentication. Snippet B hooks template_redirect and calls auth_redirect, which redirects the user to the login page if they are not logged in. After logging in, the user is brought back to the page they were initially trying to view.
WordPress uses cookies to store each user’s authentication state. Logging in will set an authentication cookie. An understanding of WordPress authentication cookies is always helpful as a starting point.
If you already have a WordPress site, you may want to add a portal section to your current site, but leave the rest of your site public. Maybe you have a custom post type called “portal-resource” that you only want logged-in users to see. In that case, you can use the snippet above but in portal_template_redirect, only call auth_redirect if the type of the content being accessed is “portal-resource”:
// Snippet B modified to only put one post type behind a login
function portal_template_redirect() {
    $post_type = 'portal-resource';
    // Only require login under special conditions
    if (is_singular($post_type) || is_post_type_archive($post_type)) {
        auth_redirect();
    }
}
With that, the rest of your site will remain open to the public, but the portal-resources can only be accessed by logged-in users.
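template_redirect does not fire for REST API requests, so a post type registered with show_in_rest stays readable under /wp-json/ by logged-out visitors even with Snippet B in place. The following added example (not code from the original post) applies the same login requirement to the REST API through the rest_pre_dispatch filter. It assumes "portal-resource" keeps its default REST base; PORTAL_LOCK_WHOLE_SITE and portal_rest_pre_dispatch are hypothetical names.

```php
// Added example: extend the portal restriction to the REST API.
// Assumption: 'portal-resource' is registered with 'show_in_rest' => true
// and the default rest_base (the post type name).

// Hypothetical switch: true mirrors the whole-site Snippet B,
// false mirrors the variant that only protects one post type.
const PORTAL_LOCK_WHOLE_SITE = false;

add_filter('rest_pre_dispatch', 'portal_rest_pre_dispatch', 10, 3);
function portal_rest_pre_dispatch($result, $server, $request) {
    // Respect a response or error already produced by another filter.
    if (null !== $result) {
        return $result;
    }

    // Cookie-authenticated REST requests without a valid nonce are
    // treated as logged out by WordPress, so this check fails closed.
    if (is_user_logged_in()) {
        return $result;
    }

    // Route as seen by the REST server, e.g. /wp/v2/portal-resource/42
    $route = $request->get_route();
    $is_portal_route = (bool) preg_match('#^/wp/v2/portal-resource(/|$)#', $route);

    if (PORTAL_LOCK_WHOLE_SITE || $is_portal_route) {
        // Returning a WP_Error short-circuits the request with a 401.
        return new WP_Error(
            'portal_login_required',
            'You must be logged in to view this content.',
            array('status' => 401)
        );
    }

    return $result;
}
```

To check the result, request /wp-json/wp/v2/portal-resource in a logged-out browser session and confirm it returns the 401 error rather than a list of posts.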
Plugin Alternatives
If you are not comfortable manually adding code to your site, there are several plugins that provide content restriction features. For example, with Advanced Access Manager Plus you can set up the same content restrictions shown above. After you install the free base plugin and the paid “Plus” add-on, select “AAM” in the admin sidebar menu. Then on the right, select the anonymous user icon, and click the “Manage Visitors” button.
Then on the left select “URI Access”, and add two rules:
- URI: *, Rule: Redirect to login page (NOTE: The AAM Plus package is required for the wildcard * to work.)
- URI: /wp-login.php, Rule: Allow
Now logged-out visitors will be redirected to the login page. To restrict access to only portal resources, you could update the redirect URI to “/portal-resources/*”.
Conclusion
As you can see, it is fairly straightforward to create a portal using WordPress, whether you hand-code it yourself or use a plugin. Hopefully, this inspires you to try something new, and learn a little more about WordPress.