This Knowledge Base Article covers configuring Restriction Options for s2Member. It is important to note that you can successfully protect content on your WordPress site without touching the Restriction Options panel. You can easily restrict access to Posts and Pages using the s2Member meta box on the Post and Page editing panels.

This article is part of the s2Member User's Guide, a series of articles that cover the fundamentals of using s2Member.

You can use the Restriction Options panel (WordPress Dashboard s2Member Restriction Options) to configure more complex restrictions for your site. These include:

  • Restricting access to multiple Posts and Pages
  • Restricting access to feeds, search results, and navigation menus
  • Protecting your site from Brute Force attacks and other IP-based restrictions
  • Using conditionals (like the [s2If] shortcode) to protect only parts of a Post or Page

The s2Member panels discussed in this article are:

  • Post Access Restrictions
  • Page Access Restrictions
  • Tag Access Restrictions
  • Category Access Restrictions
  • URI Restrictions (Typical w/BuddyPress)
  • Alternative View Protection (feeds, search results, etc..)
  • Simple Shortcode Conditionals (protect only parts of your content)
  • Specific Post/Page Access Restrictions
  • Brute Force IP/Login Restrictions
  • Unique IP Access Restrictions
  • Simultaneous Login Restrictions

Post Access Restrictions

Here you can specify Posts that are restricted to certain Membership Access Levels. s2Member also supports Custom Post Types here. If you have a theme or plugin installed that has enabled Custom Post Types you can put the IDs for those Posts here as well.

Restricting by Post IDs and Custom Post Types

Enter Post IDs in comma-delimited format into the text box below the level required for access. Example: 1,2,3,84,8,21. Or you can type: all to protect all Posts of any type. You can also restrict access to all Posts of a specific Post Type. For example, 1,2,3,all-newspapers protects several Post IDs and all Posts of type: newspaper.

post-restrictions

Tip: Can't find your Post IDs? Get the WP Show IDs plugin.

Protecting individual Posts only protects the Permalinks for those Posts. It is still possible for excerpts of protected content to be seen in search results generated by WordPress, feeds, and Archive views including your Home Page, inside a Category or Tag listing, or through other queries formulated by your theme.

This is the intended functionality. Excerpts are an excellent way to "tease" public visitors. In other words, public visitors may have access to excerpts introduced by your theme but any attempt to view the full Post (via the Permalink) results in an automatic redirect to your Membership Options Page.

Note: If you would like to protect many Posts at once (including Archive views), you can use Category Level Restrictions, Tag Level Restrictions, or use s2Member's options for Alternative View Protection which deals with search results and menus, as well as feeds.

Page Access Restrictions

Page Access Restrictions work exactly like Post Access Restrictions. Here you can specify Pages restricted to certain s2Member Levels.

What do I enter? Page IDs in comma-delimited format. Example: 1,2,3,34,8,21. Or, you can type all to protect all Pages.

page-restrictions

Tag Access Restrictions

Here you can specify Tags restricted to certain s2Member Levels. When you restrict access to a Tag Archive it also restricts access to any Post having that Tag even if the Post has other Tags.

Tip: Tags can be applied to any Post without affecting your Category structure at all. If you'd like to use Tags with Pages get the Tag Pages plugin.

What do I enter? Tags in comma-delimited format. Example: members, members only, free subscribers, premium. Alternatively, you can type all to protect all Tags.

Note: Tags are caSe sensitive. The Tag members only is not the same as Members Only.

tag-restrictions

Category Access Restrictions

Here you can specify Categories restricted to certain s2Member Levels. Category restrictions are a bit more complex than the previous types of restrictions because Categories are hierarchical.

When you restrict access to a Category, it also restricts access to any child Categories it may have. In other words, restricting a Category protects a Category Archive, all of its child Category Archives, and any Posts contained within the Category or its child Categories. Restricting access by Category is a very powerful form of protection, so please be careful. It is very easy to protect too much content by accident.

What do I enter? Category IDs in comma-delimited format. Example: 1,2,3,34,8,21. Or, you can type all to protect all Categories.

category-restrictions

Tip: Can't find your Category IDs? Get the WP Show IDs plugin.

URI Restrictions (Typical w/BuddyPress)

Here you can specify URIs (or word fragments found in URIs) restricted to certain s2Member Levels. Control over URIs is a little more complex than previous restrictions. This section is for advanced webmasters only.

A REQUEST_URI is the portion of a URL that comes immediately after the domain. This is a URL - http://www.example.com/path/to/file.php, and this is the URI - /path/to/file.php. In other words, a REQUEST_URI is a full path to a real (or virtual) directory or file on your domain. s2Member can match a URI in whole, or in part.

What do I enter? You can provide a list of URIs (one per line; i.e., line-delimited) that should be off-limits based on s2Member Level. You can also use word fragments instead of a full URI. If a word fragment anywhere in the URI matches, it is protected. Wildcards and other regex patterns are not supported here, so you do not need to escape special characters or anything.

Please note, depending on your caSe configuration option, your exclusion patterns might be caSe sensitive. If you choose to make these caSe sensitive, you must be specific. The word fragment some-path/ would not match a URI that contains some-Path/ if you enable case-sensitivity.

uri-restriction-case-sensitive

Replacement Codes: You can use these Replacement Codes in URI Restrictions:

  • %%current_user_nicename%% = The current User's NiceName in lowercase. The Nicename is a cleaner version of the Username for URLs.
  • %%current_user_id%% = The current User's ID.
  • %%current_user_level%% = The current User's s2Member Level.
  • %%current_user_role%% = The current User's WordPress Role.
  • %%current_user_ccaps%% = The current User's Custom Capabilities.
  • %%current_user_logins%% = The number of times the current User has logged in.

BuddyPress (and similar plugins): URI Restrictions work great with plugins like BuddyPress that add new areas to your site (where those new areas are not necessarily a Post/Page/Tag/Category). In other words, any time you'd like to protect a specific feature offered by BuddyPress (or other plugins), you'll need to nail down specific word fragments found in the URIs associated with those areas. For example, if you are using BuddyPress and want to protect BuddyPress Groups, you could add URI protection like this: /members/%%current_user_nicename%%/groups.

Alternative View Protection (feeds, search results, etc...)

s2Member protects Categories, Tags, Posts, Pages, Files, URIs & more. However, even with all of those security restrictions, it is still possible for protected content excerpts to be seen through XML feeds, in search results generated by WordPress, and, depending on your theme, possibly in other Archive views. These might include Posts by Author, Posts by Date, a list of featured items formulated by your theme or other plugins. We refer to all of these collectively, as Alternative Views.

You can tell s2Member to protect these Alternative Views by filtering WordPress database queries for you. s2Member can automatically hide protected content that is not available to the current Member. In other words, s2Member is capable of pre-filtering all database queries so that excerpts of protected content do not slip through.

Protect Alternative Views?

Select as many of the options in this list as you want or select Filter ALL WordPress queries; protecting all Alternative Views.

  • Searches (prevent protected content from appearing in search results generated by WordPress, a theme, or a plugin)
  • Feeds (XML/RSS/ATOM feeds)
  • Comment Feeds (hide comments associated with protected content from comment feeds)
  • Nav Menus (hide protected content in menus generated with WordPress Dashboard Appearance Menus)
  • Pages (hide protected content in widgets that list Pages)

alternative-view-protection

For Developers

Filters can be suppressed dynamically using this technique:

  • query_posts() - ("suppress_filters=true");
  • get_posts() - auto-suppresses filters

See this article in the s2Member Codex.

Simple Shortcode Conditionals (protect only parts of your content)

s2Member makes it very easy to protect entire Posts, Pages, Categories, Tags, URIs, etc. Protecting this content can be accomplished here in your WordPress Dashboard, using one (or all) of the many tools available in the s2Member settings panels. Or, from the Post/Page editing panels in WordPress. We consider this to be point-and-click functionality—very easy.

However, s2Member also makes it possible for you to protect "parts" of a Post or Page. You can be creative about what you display to certain Users/Members, based on your custom criteria. s2Member's Simple Shortcode Conditionals are the key to accomplishing this.

Arbitrary PHP Code via [s2If php=""]

By default, the [s2If] Shortcode can be used only in a specific set of Conditional Tags provided by WordPress and the s2Member plugin. For example: [s2If current_user_can(access_s2member_level1)]. Arbitrary PHP code is not allowed with this syntax. However, it is possible to use arbitrary PHP code if you enable it in the drop-down under Allow Arbitrary PHP Code via the [s2If php=""].

allow-arbitrary-php-code

This second syntax variation uses one PHP Shortcode Attribute to run a single conditional check. For example: [s2If php="is_user_logged_in() && current_user_can('access_s2member_ccap_music')"]. For developers, this has some obvious advantages. The code inside the PHP attribute is evaluated at runtime, so it is possible to accomplish more when necessary. You could also use a plugin like ezPHP to accomplish the same thing.

Specific Post/Page Access Restrictions

s2Member supports an additional layer of functionality that allows you to sell access to specific Posts and Pages that you've created in WordPress. s2Member's Specific Post/Page Access works independently of Membership Level Access. You can sell an unlimited number of Posts and Pages using Buy Now Buttons (or Pro-Forms; if you are running s2Member Pro) — your customers do not need a Membership Account on your site to receive access. If they are already a Member, that is fine, but they do not need to be.

In other words, customers do not need to log in to receive access to these specific Posts and Pages. s2Member immediately redirects the Customer to the correct Post or Page after checkout completes successfully. s2Member also sends an email to the Customer with a link (see: WordPress Dashboard s2Member PayPal Options Specific Post/Page Email). If you are using a different payment gateway, simply substitute that name for PayPal. Authentication is handled automatically through self-expiring links that last for 72 hours by default.

Specific Post/Page Access is like selling a product. Instead of shipping anything to the Customer you just give them access to a specific Post or Page on your site. A specific Post or Page that is protected by s2Member might contain a download link for your eBook, access to file & music downloads, access to additional support services, or any number of things. The possibilities with this are virtually endless if you can deliver your digital product on a WordPress Post or Page.

All you do is protect the specific Post or Page IDs you are selling on your site. Then, you can go to WordPress Dashboard s2Member PayPal Buttons Specific Post/Page Restrictions to generate Buy Now buttons that you can insert into your WordPress Editor. The Button Generator for s2Member will even let you package multiple Posts and Pages together into one transaction.

What do I enter? Post or Page IDs in comma-delimited format. Example: 1,2,3,34,8,21. Note: the word all does not work here. You must supply a list of Specific Post/Page IDs.

Avoid Conflicts! *Please be careful not to create a conflict with any of your other Access Restrictions. If you are going to sell Specific Post/Page Access, you should enter Post and Page IDs that are not already protected by other Access Restrictions, directly or indirectly.

In short, make sure that you have not protected any of your Specific Posts/Pages with s2Member Level Access Restrictions already. If you configure s2Member in such as a way, that a Post or Page requires both s2Member Level Access and Specific Post/Page Access, you create a conflict. Customers that purchase Specific Post/Page Access would be unable to access the Post or Page without also having a Membership.

Brute Force IP/Login Restrictions

As with any authentication system, it is possible for someone to try and guess Username and Password combinations by attempting a Brute Force Attack: making repeated login attempts with various Username and Password combinations until the user or software program guesses correctly.

s2Member thwarts this behavior by monitoring failed login attempts occurring within a short period. Whenever s2Member detects an IP address (i.e., a remote user) consistently failing to enter a valid Username and Password, a temporary ban is created. This ban prevents additional attempts from taking place for 30 minutes. This temporary ban only affects the offending IP address.

Note: an empty IP address (associated with someone browsing anonymously) is also considered a unique IP address. This way anonymizers cannot circumvent s2Member's security.

Maximum Failed Login Attempts:

Select the maximum number of failed login attempts from the drop-down box under Maximum Failed Login Attempts. When you change this value, you should also reset the brute force logs using the blue button at the top of this panel.

brute-force-ip-protection

Unique IP Access Restrictions

As with any Membership system, it is possible for one Member to sign up and then share their login credentials with someone else or post it online for the whole world to see. s2Member's IP Restrictions work for s2Member Level Access (i.e., account logins), Specific Post/Page Access, Registration Links, and other secure Entry Points. In all cases, the rules are simple. A single Username, Access Link, or Entry Point is only valid for a certain number of unique IP addresses.

Once a Member reaches the Simultaneous Login limit, s2Member assumes there has been a security breach. At that time, s2Member creates a temporary ban; preventing access to a Specific Post/Page, or to an account associated with a particular Username. This temporary ban only affects the offending Link (Entry Point) or Username related to the security breach. You can fine-tune this behavior using the options on this panel.

unique-ip-protection

Note: An empty IP address (associated with someone browsing anonymously) is also considered a unique IP address. This way anonymizers cannot circumvent s2Member's security.

Note: This feature can work with or without Simultaneous Login Monitoring (Simultaneous Login Monitoring is an s2Member Pro feature). You can choose to implement Unique IP Access Restrictions and Simultaneous Login Monitoring together, just one of them, or neither. It is a matter of preference.

Simultaneous Login Monitoring has the added benefit of not being dependent upon IP address tracking—making it more user-friendly and reliable. This process is particularly helpful in cases where you'd like to support users who might travel a lot, have multiple devices, or be on ISPs that change their IP address frequently.

Simultaneous Login Monitoring

s2Member's Simultaneous Login Monitoring (for Membership Access only) works with account logins (Usernames), to help you prevent a security issue. The rules are simple. A single Username can only have X number of simultaneous logins (as configured below). Once a Member reaches the Simultaneous Login limit, s2Member assumes there has been a security breach.

At that time, s2Member creates a temporary ban preventing the offending Username from being able to log in until somebody else logged into the account has logged-out.

Simultaneous Login Monitoring can be a tricky feature to configure because most people do not click a "Logout" link when they leave a website, making it hard to know when someone is still logged-in, and when they are not. s2Member monitors simultaneous logins by updating a timer whenever someone logs in and then again on each page view while they navigate the site.

If there is no activity within X amount of time, s2Member's Simultaneous Login Monitor considers that person inactive, and does not include them in security checks until they log in again or visit a new page on the site. You can configure the timeout period on this panel. The default value is 30 minutes.

simultaneous-login-protection

Note: This feature can work with or without Unique IP Restrictions. You can choose to implement Unique IP Access Restrictions and Simultaneous Login Monitoring together, just one of them, or neither. It is a matter of preference.

Simultaneous Login Monitoring has the added benefit of not being dependent upon IP address tracking — making it more user-friendly and reliable. This process is particularly helpful in cases where you'd like to support users who might travel a lot, have multiple devices, or be on ISPs that change their IP address frequently.