How to Password Protect Pages in Magento 2 (CMS, Products & Categories)

Bywiredgorilla


If you’re running a Magento 2 store with any kind of restricted content, wholesale pricing, trade catalogues, exclusive product ranges, pre-launch pages, or partner resources, you have probably run into the same problem: how do you share a URL with a specific group of people without making it visible to the general public?

Magento’s built-in customer groups and shared catalogues are powerful, but they require visitors to create an account and log in. That’s a high bar for a trade buyer who just wants to browse your pricing, a VIP customer checking a members-only range, or a partner downloading a reseller agreement.

There’s a simpler way. The Scommerce ContentProtect extension lets you put a clean, branded password gate in front of any CMS page, product page, or category, no customer groups required, no login wall, no complex configuration. In this post, we’ll show you exactly how it works and walk through the most common ways our customers are using it.

What Is ContentProtect and How Does It Work?

ContentProtect is a lightweight Magento 2 module that adds a password gate to any page you choose. The flow is straightforward:

  1. A visitor lands on a protected page.
  2. Magento checks whether their session has been unlocked.
  3. If not, they are redirected to the gate page, a clean, full-width form showing an information message and a password field.
  4. They enter the password and are sent directly to the page they originally requested, not the homepage.
  5. For the rest of that browser session, every protected page on your store opens freely, no repeated prompts.
Read moreGet the list of events from any version of Magento

The password itself is set once in Stores Configuration Scommerce Content Protect and stored encrypted using Magento’s native encryption. One password covers all protected pages across your store.

What Pages Can You Protect?

ContentProtect works across three types of pages in Magento 2, each controlled by a simple toggle in the admin.

CMS Pages

Open any CMS page in Content Pages. You’ll see a dedicated “Page Protection” fieldset with a Password Protected toggle. Set it to Yes and save, that’s it. The page is now gated.Scommerce_ContentProtect Blog Content Document Confidential ·

Product Pages

Open any product in Catalog Products. The same Page Protection fieldset appears with an identical toggle. The attribute is scoped to store view level, so you can protect a product on your trade store view while leaving it fully visible on your retail store view. Use this for: wholesale-only SKUs, trade pricing variants, pre-launch products, members-only items, and configurable products with trade-specific options.

Category Pages

Read moreMagento 2 - Easy way to find block class name in phtml

Open any category in Catalog Categories. Enable the Password Protected toggle and save. Every product within that category becomes inaccessible to unauthenticated visitors, they are redirected to the gate page before they can browse any product in the category.

Step-by-Step: Setting Up ContentProtect

Step 1 — Install the Module Copy the module files to app/code/Scommerce/ContentProtect/ and run deployment commands

Step 2 — Set Your Global Password Navigate to Stores Configuration Scommerce Content Protect. Set Enable Module to Yes, enter your Global Access Password, and save. The password is encrypted automatically, it never appears in plain text in your database or config files.

Step 3 — Protect Your First PageScommerce_ContentProtect Blog Content Document Confidential · Scroll to the Page Protection fieldset, toggle Password Protected to Yes, and save. Visit the page on the frontend , you’ll be redirected to the gate page immediately.

Step 4 — Test It Open a private browsing window (to ensure you have a fresh session) and visit the URL of the page you just protected. You’ll see the gate page with the information message and password form. Enter the correct password, you’ll be redirected directly to the protected page. Now visit any other protected page, it will open without prompting again.

Real-World Use Cases

Here are six of the most common ways our customers are using ContentProtect:

  • B2B wholesale portals: Protect a Trade Catalogue category. Share the URL and password with approved buyers at onboarding. Retail visitors see nothing; trade buyers unlock once and browse freely.
  • Pre-launch exclusive access: Protect a new collection category and product pages. Include the password in your newsletter email. Subscribers get 48-hour early access, disable protection with one click on launch day.
  • Gated partner documents: Protect CMS pages containing trade terms, reseller agreements, and technical data sheets. Partners receive the password when they’re onboarded.
  • Members-only ranges: Protect a members-only product category. Print the password on physical welcome cards. Members visit, unlock, and shop, no account creation required.
  • Agency pre-launch reviews: Protect key pages on a live store URL during client review. The client gets a password to browse the real site before sign-off. Disable protection when launch day arrives.
  • Post-event resources: Protect CMS pages containing event slides and recordings. Include the password in your post-event follow-up email. Rotate the password after 30 days to expire access naturally.

Technical Highlights for Developers

  • No core modifications: All interception is done via Magento’s native plugin system on the CMS, product, and category view controllers.
  • DDL-safe installation: The database column for CMS page protection uses a SchemaPatchInterface, no transaction errors, no manual SQL required.
  • EAV attributes for product and category: Both product and category protection attributes are proper EAV attributes, created via DataPatchInterface, scoped to store view level.
  • UI component injection: The admin toggle fields are added via cms_page_form.xml, product_form.xml, and category_form.xml, clean UI component merge, no layout XML hacks.
  • FPC compatible: The redirect fires at the controller level, before full-page cache serves a cached response. Protected pages don’t get incorrectly cached.
  • CSRF protected: Every gate form submission is validated against Magento’s built-in form key before the password is checked.
  • Open redirect safe: The return URL is a base64-encoded internal path, not a full URL, external redirect attacks are not possible.

Related Posts

Similar Posts