Call Us
Call Us

Password Protect Gravity Forms with One Click

  • Logan Greenhaw
Share: 
				
					// Secures Gravity Forms with per-form password protection.
// Crafted with ☕ and creativity by Trail Mix Creative

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* 0) Enqueue Dashicons & Inline CSS */
add_action( 'wp_enqueue_scripts', function() {
    wp_enqueue_style( 'dashicons' );
    wp_register_style( 'tmc-gfpp-inline-css', false );
    wp_enqueue_style( 'tmc-gfpp-inline-css' );
    $css = <<<CSS
/* Container */
.tmc-gfpp-password-prompt { max-width:400px; margin:2em auto; padding:1.5em; border:2px solid #ccc; border-radius:6px; background:#fff; }
/* Error Banner */
.tmc-gfpp-error-banner { display:flex; align-items:center; background:#fdecea; border:1px solid #f5c2c7; color:#842029; padding:.75em 1em; border-radius:4px; margin-bottom:1em; }
.tmc-gfpp-error-icon { margin-right:.5em; font-size:1.2em; }
/* Description */
.tmc-gfpp-description { margin-bottom:1em; }
/* Label */
.tmc-gfpp-field-label { font-weight:bold; display:block; margin-bottom:.5em; }
/* Input */
.tmc-gfpp-input { width:100%; padding:.6em; font-size:1rem; border:1px solid #ccc; border-radius:4px; box-sizing:border-box; transition:border-color .3s; }
/* Gap */
.tmc-gfpp-gap { height:1em; }
/* Button */
.tmc-gfpp-submit-button { padding:.6em 1.2em; font-size:1rem; border:none; border-radius:4px; background-color:#0073aa; color:#fff; cursor:pointer; transition:background .2s; }
.tmc-gfpp-submit-button:hover { background-color:#005177; }
CSS;
    wp_add_inline_style( 'tmc-gfpp-inline-css', $css );
});

/* 1) Admin UI – add “Require Password” checkbox & text field */
add_filter( 'gform_form_settings_fields', function( $sections, $form ) {
    if ( isset( $sections['restrictions']['fields'] ) ) {
        $f =& $sections['restrictions']['fields'];
        $f[] = [
            'type'    => 'checkbox',
            'label'   => esc_html__( 'Require a password to view this form', 'gravityforms' ),
            'name'    => 'requirePassword',
            'choices' => [[
                'label' => esc_html__( 'Require a password to view this form', 'gravityforms' ),
                'name'  => 'requirePassword',
            ]],
            'fields'  => [[
                'type'       => 'text',
                'label'      => esc_html__( 'Form Password', 'gravityforms' ),
                'name'       => 'formPassword',
                'class'      => 'medium',
                'dependency' => [
                    'live'   => true,
                    'fields' => [[ 'field' => 'requirePassword' ]],
                ],
            ]],
        ];
    }
    return $sections;
}, 10, 2 );

/* 1a) Admin JS – live-toggle the password field */
add_action( 'admin_enqueue_scripts', function( $hook ) {
    if ( $hook === 'toplevel_page_gf_edit_forms'
      && ! empty( $_GET['view'] ) && $_GET['view'] === 'settings'
    ) {
        wp_add_inline_script( 'jquery', "
            jQuery(function($){
              var cb  = $('input[name=\"requirePassword[]\"]'),
                  row = $('#formPassword_setting');
              function toggle(){ row.toggle( cb.is(':checked') ); }
              toggle();
              cb.on('change', toggle);
            });
        " );
    }
});

/* 2) On save – clear tokens if password changed */
add_filter( 'gform_pre_form_settings_save', function( $form ) {
    if ( ! empty( $_POST['requirePassword'] ) ) {
        $form_id  = (int) $form['id'];
        $old_form = GFAPI::get_form( $form_id );
        $old_pass = rgar( $old_form, 'formPassword' );
        $new_pass = rgpost( 'formPassword' );
        if ( $old_pass !== $new_pass ) {
            $opt_key = "tmc_gfpp_tokens_{$form_id}";
            $tokens  = get_option( $opt_key, [] );
            if ( is_array( $tokens ) ) {
                foreach ( $tokens as $t ) {
                    delete_transient( "tmc_gfpp_unlocked_{$form_id}_{$t}" );
                }
            }
            delete_option( $opt_key );
        }
    }
    return $form;
}, 10, 1 );

/* 3) Front-end – intercept form & show prompt if locked */
add_filter( 'gform_get_form_filter', function( $form_html, $form ) {
    if ( empty( $form['requirePassword'] ) || trim( rgar($form,'formPassword') ) === '' ) {
        return $form_html;
    }
    $form_id       = (int)$form['id'];
    $required      = $form['formPassword'];
    $cookie_key    = "tmc_gfpp_token_{$form_id}";
    $entered       = sanitize_text_field($_POST[$cookie_key] ?? '');
    $submit_id     = intval($_POST['tmc_gfpp_form_id'] ?? 0);
    $error_html    = '';
    $just_unlocked = false;

    /* Check existing token */
    $token    = $_COOKIE[$cookie_key] ?? '';
    $unlocked = $token && get_transient("tmc_gfpp_unlocked_{$form_id}_{$token}");

    /* Handle form submission */
    if ( $submit_id === $form_id && isset($_POST['tmc_gfpp_unlock_nonce']) ) {
        if ( wp_verify_nonce($_POST['tmc_gfpp_unlock_nonce'], "tmc_gfpp_unlock_{$form_id}") ) {
            if ( $entered === $required ) {
                $lifetime       = apply_filters('tmc_gfpp_token_lifetime', DAY_IN_SECONDS);
                $token          = wp_generate_password(20,false);
                set_transient("tmc_gfpp_unlocked_{$form_id}_{$token}", true, $lifetime);
                $opt_key        = "tmc_gfpp_tokens_{$form_id}";
                $tokens         = get_option($opt_key, []);
                if (!is_array($tokens)) $tokens = [];
                if (!in_array($token,$tokens,true)) {
                    $tokens[] = $token;
                    update_option($opt_key,$tokens);
                }
                setcookie($cookie_key,$token,[
                    'expires'=>time()+$lifetime,
                    'path'=>COOKIEPATH,'domain'=>COOKIE_DOMAIN,
                    'secure'=>is_ssl(),'httponly'=>true,'samesite'=>'Lax',
                ]);
                $unlocked      = true;
                $just_unlocked = true;
            } else {
                $msg = apply_filters('tmc_gfpp_error_message',
                    esc_html__('Incorrect password. Please try again.','gravityforms'),
                    $form_id
                );
                $error_html = "
                <div id='tmc_gfpp-error-{$form_id}' class='tmc-gfpp-error-banner' role='alert' aria-live='assertive'>
                  <span class='dashicons dashicons-warning tmc-gfpp-error-icon'></span>
                  <strong>{$msg}</strong>
                </div>";
            }
        }
    }

    /* Render prompt if still locked */
    if ( ! $unlocked ) {
        $out  = "<div id='tmc_gfpp-password-prompt-{$form_id}' class='tmc-gfpp-password-prompt'>";
        $out .= $error_html;
        $out .= "<p class='tmc-gfpp-description'>"
              . esc_html__('This form is password protected. Enter the password below to continue:','gravityforms')
              . "</p>";
        $out .= "<form method='post' class='tmc-gfpp-form'>";
        $out .= wp_nonce_field("tmc_gfpp_unlock_{$form_id}",'tmc_gfpp_unlock_nonce',true,false);
        $out .=   "<label for='".esc_attr($cookie_key)."' class='tmc-gfpp-field-label'>"
                . "<strong>".esc_html__('Password:','gravityforms')."</strong>"
                . "</label><br>";
        $out .=   "<input type='password' id='".esc_attr($cookie_key)."' "
                . "name='".esc_attr($cookie_key)."' class='tmc-gfpp-input' "
                . ($error_html?"aria-describedby='tmc_gfpp-error-{$form_id}' autofocus":'')
                . " required>";
        $out .=   "<div class='tmc-gfpp-gap'></div>";
        $out .=   "<button type='submit' class='tmc-gfpp-submit-button'>"
                . esc_html__('Submit','gravityforms')
                . "</button>";
        $out .=   "<input type='hidden' name='tmc_gfpp_form_id' value='{$form_id}' />";
        $out .= "</form>";
        if ( $submit_id === $form_id ) {
            $out .= "<script>
                document.getElementById('tmc_gfpp-password-prompt-{$form_id}')
                        .scrollIntoView({behavior:'smooth',block:'start'});
            </script>";
        }
        $out .= "</div>";
        return $out;
    }

    /* If unlocked, render real form & scroll if just unlocked */
    $out = $form_html;
    if ( $just_unlocked ) {
        $out .= "<script>
            document.getElementById('gform_wrapper_{$form_id}')
                    .scrollIntoView({behavior:'smooth',block:'start'});
        </script>";
    }
    return $out;
}, 10, 2 );

Add a Password to Any Gravity Form Without Conditional Logic

Imagine you’ve just wrapped up a sprint, your cup of coffee is running on fumes, and Slack suddenly pings:

“Hey–can you password-protect our 40-question survey?”

I got a message just like this from a client recently. They were needing me to password protect a massive application form on their website. That application wasn’t just any form–it was built with Gravity Forms, the Swiss Army knife of WordPress form builders. If you haven’t met it yet, Gravity Forms gives you drag-and-drop form creation, email notifications, payment integrations, and advanced conditional logic–all without wrestling with plugin bloat. Paired with the power of WordPress and rock-solid hosting from Pressable, it’s the backbone of almost all my client projects.

From Conditional Logic Fake Out to Genuine Password Protection

In the past, when asked to “password-protect” a Gravity Form, I reached for what I now call the toothpick trick:

  1. Add a single text field at the top of the Gravity Form form: “Enter password here.”
  2. For each of the fields or sections, set up a conditional rule: “Show this field if password = yourSecret.”
  3. Hit Preview, cross your fingers, and hope you didn’t make a typo.

It sort of works–but the moment you change the password, you have to hunt down and update dozens of hidden-field rules. Worse, users see fields flicker on as they type and it does not feel like actual password protection (because it isn’t). It felt less like a secure gate and more like a haunted house: one wrong keystroke on the backend when updating conditional logic rules, and half the form disappears.

One late night (around cup #4 of coffee) as I started implementing my toothpick trick, I realized: why not build a single gate–one password prompt that stands guard at the door–rather than slapping conditional logic everywhere? The result is a tiny, self-contained PHP snippet that transforms any Gravity Form into a fortress door.

How the Snippet Works and Performs

Rather than scattering logic across dozens of fields, the snippet:

  1. Adds a toggle under Form → Settings → Restrictions: just check “Require a password to view this form.”
  2. Displays a neat prompt instead of the form until the correct password is entered.
  3. Unlocks the form with hardened, server-side tokens—no password ever lives in the browser.
  4. Smoothly scrolls the prompt into view on error, and scrolls to the form on success.

All without a single conditional-logic rule in your form itself. My toothpick trick became obsolete with this snippet and I saved myself time!

Why You’ll Love It

  • Zero Form-Editing Gymnastics No more tedious setup for every question. One click in settings, one password, and you’re done.
  • Native Theme Styling The prompt box, input field, and submit button automatically inherit your active theme’s fonts, colors, and focus styles—no extra CSS.
  • Built-In UX Magic
    • On wrong password, the prompt scrolls into view (goodbye, missed gates).
    • On correct password, the real form scrolls up for an immediate start.
  • Transparent Security
    • Server-Side Tokens: We generate random tokens with wp_generate_password() and store them in WordPress transients (24 hr default).
    • CSRF Protection: Each prompt includes a wp_nonce_field(), verified on submit.
    • Hardened Cookies: Flags secure, httponly, and samesite=Lax lock down your tokens.
  • Instant Invalidation Change the password in settings and all old tokens vanish—no stale keys left behind.
  • Zero Asset Overhead All styling is inlined via wp_add_inline_style(). One snippet, no extra files or enqueued stylesheets.

Security Deep-Dive (For the Nerds)

When someone enters the correct password:

  1. A 20-character token is generated and stored in a transient on your server.
  2. A hardened cookie holds that token—your password itself never sees the browser.
  3. On each page load, we check get_transient() + the cookie before rendering the real form.
  4. If you ever change the password, a save-hook wipes all related transients immediately.

How to Get Started

  1. Copy the Code: Grab the snippet and paste it into your theme’s functions.php file, or add it via your favorite code snippets plugin.
  2. Configure your form: open Gravity Forms → Settings → Restrictions, check Require a password to view this form, and type your secret.
  3. Embed & Enjoy: place your form via shortcode or block—visitors first meet the steel gate, then step right into your secure form once unlocked.

That coffee-fueled epiphany turned dozens of toothpick rules into a single, elegant gate. If you want to lock down your Gravity Forms without the headache, give this snippet a spin—and while you’re at it, grab your copy of Gravity Forms, host your site on Pressable, and revel in the simplicity.

If you need any help implementing this on your site or have questions about customization, drop us a message—we’re here to help!