If you use WordPress’s built-in password protection for a post or page, and you also use your host’s server-side caching (often managed through cPanel, NGINX, or LSCache), you may have noticed a frustrating issue:
The page asks for a password the first time, but after you log in, everyone—even other visitors—can now see the unlocked content!
This happens because the server’s cache saves the page after you’ve logged in and serves that unlocked version to all subsequent visitors.
The Solution: Exclude the WordPress Password Cookie
The fix is surprisingly simple and takes less than a minute. You just need to tell your caching system to never serve a cached page if a specific WordPress cookie is present.
- Log in to your cPanel.
- Find your Cache Manager settings.
- Locate the section for Bypass Cookies or Exclude Cookies (hidden under Advanced Options at the bottom).
- Add the following cookie value:
wp-postpass_
(Be sure to include the underscore $\_$ at the end! This is what tells the cache to ignore any WordPress password cookie, regardless of the unique hash it uses.) - Save the settings.
- Purge/Clear All Cache in your cPanel.
That’s it! Your password-protected content will now work exactly as intended, ensuring only authenticated users with the correct cookie bypass the password prompt.