I was just testing the password-protected posts functionality and when I submit the password it sends me to a 404 page. The password I typed in was correct, I made sure. The URL bar says: www.mydomain/wp-pass.php but shows a 404 page. Whether the password is correct or wrong, it should either show some message about it being wrong or the post that was protected. Not just a 404 page.

What could be causing this? Thanks in advance for any ideas.

I was just testing the password-protected posts functionality and when I submit the password it sends me to a 404 page. The password I typed in was correct, I made sure. The URL bar says: www.mydomain/wp-pass.php but shows a 404 page. Whether the password is correct or wrong, it should either show some message about it being wrong or the post that was protected. Not just a 404 page.

What could be causing this? Thanks in advance for any ideas.

• posts
• 404-error
• password

• Does your browser send a Referer header? – fuxia ♦ Commented Dec 6, 2012 at 11:20
• I'm afraid I don't know what you mean. Could you explain? – kath Commented Dec 6, 2012 at 11:39
• See wp-pass.php: wp_safe_redirect(wp_get_referer()); If your browser does not send a Referer you might get problems. Your browser offers a debugger where you can see the network communication. – fuxia ♦ Commented Dec 6, 2012 at 11:54
• So this is something specific to the browser that is being used to view the website and not Wordpress itself? I use Firefox 17, but I also tested it in Chrome 23 and I'm getting the same error. – kath Commented Dec 6, 2012 at 14:24
• Some proxies are stripping the referer too, no matter what browser you are using. I don’t know if that is the cause for your problem. It could be. – fuxia ♦ Commented Dec 6, 2012 at 14:31

4 Answers 4

Ok, figured it out myself! I had used add_filter to customize the password form in order to add css classes. Everything in add_filter was either old or simply wrong. I found it in a tutorial, but this has been a lesson to me. Never trust code found on the web unless it from the Codex or an absolute expert.

EDIT: Just found the same piece of code in the Codex as well *facepalm. It says "THIS NO LONGER WORKS" above it, but then why is it still in the codex? To anyone having this problem as well: in case you have used the code from here: Using Password Protection: Password Form Text you'll get problems in newer versions of Wordpress.

mfw when the right answer from Wombat has -3

Sorry for not commenting but I don't have any repo here yet and am really just wondering what's going on on wordpress.stackexchange

What exactly should Wombat add to this? We have a WP installation with some old code (meanwhile codex should be correct for the current WP version) from codex.wordpress in our Theme's functions.php file to customize the password form for example like this:

<?php
function my_password_form() {
    global $post;
    $label = 'pwbox-'.( empty( $post->ID ) ? rand() : $post->ID );
    $o = '<form action="' . esc_url( site_url( 'wp-pass.php', 'login_post' ) ) . '" method="post">
    ' . __( "To view this protected post, enter the password below:" ) . '
    <label for="' . $label . '">' . __( "Password:" ) . ' </label><input name="post_password" id="' . $label . '" type="password" size="20" maxlength="20" /><input type="submit" name="Submit" value="' . esc_attr__( "Submit" ) . '" />
    </form>
    ';
    return $o;
}
add_filter( 'the_password_form', 'my_password_form' );
?>

On some update WP changed the form but as we overwrite it with our filter in our functions.php we now get the error described by the OP after the update in question. And now we change wp-pass.php to /wp-login.php?action=postpass just like Wombat said (and like shown on the current codex page) like this:

<?php
function my_password_form() {
    global $post;
    $label = 'pwbox-'.( empty( $post->ID ) ? rand() : $post->ID );
    $o = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post">
    ' . __( "To view this protected post, enter the password below:" ) . '
    <label for="' . $label . '">' . __( "Password:" ) . ' </label><input name="post_password" id="' . $label . '" type="password" size="20" maxlength="20" /><input type="submit" name="Submit" value="' . esc_attr__( "Submit" ) . '" />
    </form>
    ';
    return $o;
}
add_filter( 'the_password_form', 'my_password_form' );
?>

Problem solved. (For anyone who already implemented a custom filter which caused this problem this should be no problem with the information Wombat provided... so why the heck do you guys down rate him??)

Ran into the same antiquated code. No matter how you are revamping your password protected form, wp-pass.php no longer exists. Your form action should be as Wombat suggests:

<form action="<?php echo get_option('siteurl'); ?>/wp-login.php?action=postpass">

Use that form action to send your password post variable for validation.

Change the instance of wp-pass.php to /wp-login.php?action=postpass