Password-Protected Pages vs. Secure Preview Links in WordPress

The Problem With Sharing Drafts in WordPress

If you build websites for clients, you've hit this moment: the site isn't live yet, but the client needs to see it. WordPress gives you a few built-in options, and all of them have friction.

You could give the client a WordPress account — now you're managing logins, resetting forgotten passwords, and worrying about what they might accidentally click in the admin area. You could use the built-in "Password Protected" post visibility setting — simple, but it comes with real limitations once you look closely. Or you could just send the raw preview URL and hope nobody finds it before it's ready — not a real option for anything sensitive.

Here's an honest comparison of the two most common approaches, and where a dedicated tool changes the calculus.

Option 1: WordPress's Native Password Protection

WordPress has had a "Password Protected" visibility option for posts and pages since early versions. It's built in, requires no plugin, and takes one click to enable.

What it actually does: anyone with the page URL sees a password prompt. Enter the password, see the content. That's the entire feature.

Where it falls short for client work:

• One password for everyone. If you're managing multiple client projects, you're either reusing the same password (bad practice) or keeping a spreadsheet of which password goes with which page.
• No expiration. The password stays valid indefinitely unless you remember to go back and remove protection. Long after a project ships, the password-protected page — and its password — often still works.
• No visit tracking. You have no way of knowing if your client actually opened the page, when, or how many times. If they say "I never got a chance to look," you have nothing to check that against.
• Generic, unbranded prompt. The password screen is WordPress's default theme-styled form. It works, but it doesn't look like something a paying client should be entering credentials into.
• No granular revocation. If the password leaks or a client relationship ends, you have to manually change it — which then breaks access for anyone else who still has the old password, even if you wanted them to keep it.

For a quick, low-stakes internal check, this is fine. For client-facing work where professionalism and access control matter, it falls short fast.

Option 2: A Dedicated Secure Preview Link

A purpose-built preview-link system — like Erdo Draft Links — approaches the problem differently. Instead of one shared password protecting a page, each share action generates a unique, signed URL tied to a specific draft and a specific time window.

What this gets you that native password protection doesn't:

• No login or account needed. The client clicks the link, sees the draft. No WordPress account, no password to remember or mistype.
• Per-link expiration. Set a link to expire in 48 hours, 7 days, or whatever window fits the review cycle. After that, the link simply stops working — no manual cleanup required.
• Independent revocation. Each link is its own access grant. Revoking one client's link has zero effect on any other client's active preview links.
• Clean, professional presentation. The client lands directly on a preview of the draft — no generic password form standing between them and the content you want them to review.
• Peace of mind after the project ends. Old links expire on their own, so you're not leaving a permanent password-protected backdoor into content you finished reviewing months ago.

When Native Password Protection Is Still Fine

To be fair, there are cases where the built-in feature is the right tool:

• A single internal team member needs occasional access and you control both ends of the password exchange.
• The content isn't sensitive and the page will go public soon anyway.
• You genuinely don't need expiration, tracking, or per-recipient access control.

If none of those apply — which is most agency and freelance client work — a dedicated preview link system closes the gaps that native password protection leaves open.

Setting Up Secure Preview Links

With Erdo Draft Links installed, sharing a draft works like this:

1. Open the draft post or page in the WordPress editor.
2. Click Generate Preview Link in the Draft Links panel.
3. Set an expiration window (or use the default).
4. Copy the generated link and send it to your client — by email, Slack, or whatever channel you already use.

The client opens the link and sees the draft rendered exactly as it will look live, with zero WordPress login involved on their end.

Wrapping Up

WordPress's native password protection isn't a security flaw, but it's the wrong tool for the actual problem most agencies and freelancers have: sharing a specific draft with a specific client, for a specific window of time, without account overhead on either side. If you're still copying the same password into every project folder, a dedicated preview link saves the cleanup work and looks more professional doing it.