FREE PLUGIN

Members Fortress for WordPress

Make your whole site private. Files included!
Put every page, feed, REST endpoint and uploaded file behind login. Built-in self-test proves nothing is leaking.

Most “force login” plugins only lock the front door

They gate the pages WordPress renders — and leave every file in your uploads folder open to anyone with the link. PDFs, contracts, images, member documents: still downloadable, logged in or not. KW Members Fortress closes that gap, then keeps checking it stays closed.

Or you bolt 3 plugins
together and still can’t be sure.

The usual workaround is a stack: a force-login plugin, a separate file
blocker, an .htaccess snippet from some forum — or a full membership
suite built for selling courses, charging you monthly for the slice you
actually use. More moving parts, more to break, more to maintain. And
none of them tell you whether your files are truly locked.

What It Does

/

Whole-site gate

Logged-out visitors get the login screen and nothing else — pages, posts, search, feeds, REST API, sitemaps and XML-RPC all sealed.

Protected file URLs

Direct hits to /uploads are served only to members. Apache and LiteSpeed are handled automatically; nginx gets a one-line snippet.

Leak self-test

About once an hour the plugin quietly requests one of its own file URLs without logging in. If anything comes back, you get a red dashboard alarm. Silent misconfiguration becomes a visible warning.

Branded login screen

Set a background, colours and logo from the settings page. No file editing, no code.

Footer & legal pages

Publish an Imprint or Privacy page that stays reachable while everything else stays locked.

Hardened by default

Block logged-out AJAX and user-enumeration, add no-cache headers on blocked responses, and a login throttle that recovers on its own.

Screenshot Members Fortress for WordPress

HOW IT WORKS

Install and activate

protection is on from the first second

Files get gated

the rule is written for you on Apache; nginx shows the snippet to paste

Make it yours

brand the login screen and add any legal pages

Stay sealed

the self-test watches the lock and warns you if it ever slips

You have Questions?
We have answers!

Files too — that’s the whole point. Requests to your uploads are routed through WordPress and served only to logged-in members.

Turn off full-page caching of the front end. Every visitor has to be checked individually, so a cached copy could bypass the gate.

Protection turns off, by design — and nothing is left behind. Deleting it removes its data only if you ask it to.

Yes. nginx config can’t be edited from PHP, so instead of writing the rule itself, the plugin hands you the exact one-line location snippet to paste into your server block. Add it, reload nginx, and the Lockdown tab plus the self-test confirm your files are sealed.

No. The self-test only ever pings your own site. No accounts, no third-party services.

We built it for a client after the existing “solutions” wore our patience thin — then figured the rest of you could use it too. So it’s free, to save everyone the same nerves. The core file protection stays free, always.

Lock your WP site in two minutes

Free, open-source (GPL), no account required