
內容簡介
以下是 RIACO Content Protector 外掛的總結:
- RIACO Content Protector 外掛讓您可以使用簡碼來保護 WordPress 內容的任何部分。
- 與内建的文章密碼保護不同,此外掛僅保護您包裹的部分,而不是整個文章。
- 適用於保護付費內容區塊、指南、下載、連結或敏感部分等。
### 問題與答案:
1. RIACO Content Protector 外掛能夠保護 WordPress 內容的哪些部分?
- 可以保護任何部分,使用簡碼包裹起來。
2. 如果使用 RIACO Content Protector 外掛保護內容,當訪客輸入正確密碼後會發生什麼情況?
- 內容將立即解鎖,所有其他受保護的區域也會自動解鎖。
- 可選擇使用 cookie 保留解鎖的內容一段時間。
3. RIACO Content Protector 的安全性功能有哪些?
- 每次請求均使用 Nonces。
- 以安全的 HMAC 標記進行 cookie 認證。
- 清理簡碼屬性。
- 脫離的輸出。
- 不在 cookie 中存儲敏感資料。
外掛標籤
開發者團隊
原文外掛簡介
RIACO Content Protector allows you to protect any part of your WordPress content using a shortcode.
Unlike the built-in post password protection, this plugin protects only what you wrap, not the whole post.
Perfect for:
Protecting premium blocks of content
Protecting guides, downloads, links, or sensitive sections
Paywall-style snippets
Features
Protect only specific content inside posts/pages
Uses a minimal shortcode:
[riaco_content_protector] Hidden text here [/riaco_content_protector]
Global password stored in plain text, like WordPress page passwords.
AJAX-based form — no page reload
Unlocks all protected sections on the site after correct password
Optional cookie persistence (remember unlocked content for a configurable number of days)
Secure implementation using nonces, hashed tokens, and transients
Developer-friendly: filters, actions, and JS custom events at every key point in the unlock flow
Important:
The global password is stored in plain text, just like WordPress page passwords. It can be read by user with ‘manage_options’ ability.
If the global password or “Remember Unlocked” duration is changed in settings, all existing unlock cookies are invalidated. Users will need to re-enter the new password to access protected content.
How It Works
Wrap content you want to protect:
[riaco_content_protector]
This text will be hidden until the visitor enters the password.
[/riaco_content_protector]
Set the global password under:
Settings > Content Protector
Visitors will see a modern, styled form.
After entering the correct password:
The content unlocks immediately
All other protected areas unlock automatically
An optional cookie can keep everything unlocked for a chosen number of days
Security
Nonces on every request
Secure HMAC token for cookie authentication
Sanitized shortcode attributes
Escaped output
No sensitive data stored in cookies
Global password stored in plain text, like WordPress page passwords.
Cookie
The default cookie name is riaco_cp_unlocked_global. The scope suffix global can be changed via the riaco_cp_cookie_scope filter, which also changes the cookie name accordingly.
Style
You can style the content protector box.
It has this class: .riaco-cp--container, so you can add in your style.css:
.riaco-cp--container {
background: #f8f9fa;
padding: 20px;
border: 1px solid #ddd;
border-radius: 6px;
}
You can replace button classes using:
add_filter( 'riaco_cp_button_classes', function( $classes ) {
return 'button my-custom-button-class';
});
Or you can remove button classes:
add_filter( 'riaco_cp_button_classes', function( $classes ) {
return str_replace( 'wp-element-button', '', $classes );
});
For Developers
The plugin exposes actions and filters at every key point so you can extend or customise behaviour without modifying plugin files.
Filters
riaco_cp_default_options — modify the option defaults written on first activation.
add_filter( 'riaco_cp_default_options', function( $defaults ) {
$defaults['remember_days'] = 30;
return $defaults;
});
riaco_cp_instance_id — override the computed instance ID for a protected block.
add_filter( 'riaco_cp_instance_id', function( $id, $atts, $content ) {
return ! empty( $atts['id'] ) ? 'my_prefix_' . $atts['id'] : $id;
}, 10, 3 );
riaco_cp_transient_expiry — change how long protected content is cached (default: `DAY_IN_SECONDS`).
add_filter( 'riaco_cp_transient_expiry', function( $seconds, $instance_id ) {
return HOUR_IN_SECONDS * 6;
}, 10, 2 );
riaco_cp_lock_message — customise the message shown above the password field.
add_filter( 'riaco_cp_lock_message', function( $message, $instance_id ) {
return __( 'Members only. Enter your access code:', 'my-theme' );
}, 10, 2 );
riaco_cp_unlocked_content — wrap or replace the HTML around unlocked content.
add_filter( 'riaco_cp_unlocked_content', function( $html, $content, $instance_id ) {
return '
';
}, 10, 3 );
riaco_cp_cookie_args — modify the options passed to `setcookie()`.
add_filter( 'riaco_cp_cookie_args', function( $args, $cookie_name ) {
$args['samesite'] = 'Strict';
return $args;
}, 10, 2 );
riaco_cp_max_attempts — change the brute-force rate-limit threshold (default: 5).
add_filter( 'riaco_cp_max_attempts', function( $max ) {
return 10;
});
riaco_cp_rate_limit_window — change the rate-limit window in seconds (default: 15 minutes).
add_filter( 'riaco_cp_rate_limit_window', function( $seconds ) {
return 5 * MINUTE_IN_SECONDS;
});
riaco_cp_content_access — override the cookie check before protected content is rendered. Return `null` to use the default cookie check, `true` to force-grant access, or `false` to force the lock form.
add_filter( 'riaco_cp_content_access', function( $access, $instance_id, $atts ) {
// Grant access to logged-in users automatically.
if ( is_user_logged_in() ) {
return true;
}
return null; // Fall through to cookie check for guests.
}, 10, 3 );
riaco_cp_locked_html — replace or wrap the entire locked form HTML.
add_filter( 'riaco_cp_locked_html', function( $html, $instance_id, $atts ) {
return '
';
}, 10, 3 );
riaco_cp_validate_password — override password validation. Return `null` to use the default `hash_equals` check, `true` to grant access, or `false` to deny. When non-null, the global password is not consulted.
add_filter( 'riaco_cp_validate_password', function( $result, $user_pass, $instance_id ) {
// Accept a secondary password for a specific block.
if ( $instance_id === 'riaco_cp_vip' && $user_pass === 'vip-secret' ) {
return true;
}
return null; // Defer to global password check.
}, 10, 3 );
riaco_cp_rate_limit_bypass — bypass the brute-force counter for trusted IP addresses.
add_filter( 'riaco_cp_rate_limit_bypass', function( $bypass, $ip_address ) {
$trusted = array( '127.0.0.1', '192.168.1.100' );
return in_array( $ip_address, $trusted, true );
}, 10, 2 );
riaco_cp_cookie_scope — change the cookie scope suffix (default: `'global'`). The cookie name becomes `riaco_cp_unlocked_{scope}`. Use this to implement per-post or per-instance independent lock states.
add_filter( 'riaco_cp_cookie_scope', function( $scope, $instance_id ) {
// Use a per-post cookie so each post unlocks independently.
return 'post_' . get_the_ID();
}, 10, 2 );
riaco_cp_ajax_response — inject additional fields into the JSON success response sent after unlock.
add_filter( 'riaco_cp_ajax_response', function( $data, $instance_id ) {
$data['redirect'] = home_url( '/members/' );
return $data;
}, 10, 2 );
riaco_cp_js_data — add extra data to the `RIACO_CP_Ajax` JavaScript object.
add_filter( 'riaco_cp_js_data', function( $data ) {
$data['my_feature_enabled'] = true;
return $data;
});
Actions
riaco_cp_loaded — fires after the plugin initialises; receives the `Plugin` instance.
add_action( 'riaco_cp_loaded', function( $plugin ) {
// $plugin->settings, $plugin->shortcode, etc. are available here.
});
riaco_cp_form_fields — inject extra hidden inputs or markup inside the password form.
add_action( 'riaco_cp_form_fields', function( $instance_id ) {
echo '';
});
riaco_cp_password_correct — fires when a visitor enters the correct password.
add_action( 'riaco_cp_password_correct', function( $instance_id ) {
// Log unlock event, fire analytics, etc.
});
riaco_cp_password_incorrect — fires on a failed attempt; `$attempts` is the running total for this IP.
add_action( 'riaco_cp_password_incorrect', function( $instance_id, $attempts ) {
if ( $attempts >= 3 ) {
// Send alert, block IP in your firewall, etc.
}
}, 10, 2 );
riaco_cp_cookie_set — fires after the unlock cookie is written.
add_action( 'riaco_cp_cookie_set', function( $cookie_name, $expire ) {
// Record unlock timestamp, sync to a log, etc.
}, 10, 2 );
riaco_cp_settings_page_after — fires after the free plugin's settings form. Use it to render your own `
