WooCommerce Protected Categories lets you protect categories by password, by restricting them to specific roles or users.

The simplest way to use the plugin is to place products in a single protected category. However, you can also place products in multiple categories or create Parent → Child → Grandchild structures.

This article explains how these more complex scenarios apply, the logic used by the plugin, and which rules take precedence over others. You can use these rules to protect your categories in the correct way.

Product in multiple user or role protected categories

You can add each product to as many user or role protected categories as you like.

For example, you can create Category A and Category B, and give User C access to Category A only. If you put a product in both categories A and B, then User C will have access to this product - even though it is also in Category B, which User A doesn't have access to. User C will NOT have access to the rest of Category B.

Category with different types of protection (e.g. password and user protected)

A product category can have multiple types of protection applied to it. When you create or edit your category, you can use any combination of the following types of protection:

• Password protection
• User protection (restricted to specific users)
• Role protection (restricted to specific user roles)

If a category has multiple types of protection, it - and any of the products it contains - will be protected. However it can be 'unlocked' by any of the required means. For example, if it is password and user protected, it can be unlocked either by entering the correct password, or by logging in with the required user account(s).

Principle 1: if a category has multiple types of protection, it can be unlocked by any of the required methods for that category. 

Example 1

Your category has password protection and user role protection:

In this example, when you visit the category page (or one of its products) the plugin will perform the following checks:

Is the user logged in?

1. Yes, the user is logged in. Do they have the administrator role?
   1. Yes, the category is unlocked.
   2. No, the user has a different role. Has the correct password been entered?
      1. Yes, the category is unlocked.
      2. No, the password form is displayed.
2. No, the user is not logged in. Has the correct password been entered?
   1. Yes, the category is unlocked.
   2. No, the password form is displayed.

Example 2

Your category has user protection and role protection:

In this example, the plugin will perform the following checks:

Is the user logged in?

1. Yes, the user is logged in. Are they one of the users allowed to access this category?
   1. Yes, the category is unlocked.
   2. No, the user account is not permitted. Do they have the editor role?
      1. Yes, the category is unlocked.
      2. No, the login page or 404 page is displayed (depending on your plugin settings).
2. No, the user is not logged in. The login page or 404 page is displayed (depending on your plugin settings).

The important point to note is that when a category has multiple types of protection, it can be unlocked by any of the required methods. If it is unlocked in any way, then it's considered 'unlocked' and can be viewed by that user.

Order of priority for multiple types of protection

In Example 1 above, you may have noticed that if the user is logged out and they haven't entered the correct password, they see password form. In this instance, although the category is protected by both types of protection, the password protection takes priority and the password form is shown, not the WordPress login or 404 page.

Principle 2: password protection always takes priority when the category has both password AND user/role protection.

If the category has user and role protection (as in Example 2) then the priority makes no difference since the outcome is the same in both cases, i.e. the user sees the WordPress login screen, the 404 page, or custom page.

Products in multiple categories

Products can be placed in more than one category. If you place a product in more than one category, what is displayed to the user will vary depending on the type of protection for the individual categories (see above).

Product is in a Public and a Protected category

In this case, the product will be protected, but depending on the type of protection the user may see the password entry form, or the login/404 page. The product can be unlocked by any of the required means of protection. So if the protected category is password protected, it can only be unlocked by entering the correct password.

Principle 3: if a product is in two or more protected categories, it can be unlocked by any of the required methods for any category it is part of. 

Product in multiple password protected categories

Principle 4: a product can only be in more than one password protected category if they share the same password. 

If you put a product in multiple password protected categories, each with different passwords, then no one will be able to access it - regardless of which password they enter. This is because the password protection option in WooCommerce Protected Categories works in the same way as the password protection for pages and posts that is built into WordPress itself, which only supports one password at a time.

These are our suggested workarounds:

• Set the same password for each category.
• Instead of password protecting both categories, you can create a parent and child category structure where only the parent category is password protected (see below).
• Protect one or both categories with user or role protection, instead of password protection. That way, Principle 3 applies.
• If you really need your products to be in two password protected categories, each with different passwords, then you should use the free Duplicate Post plugin to clone your products and put one in each password protected category. That way, you're not putting the same product in multiple password protected categories. (If you want to manage inventory across each version of the product then we recommend the Group Stock Manager plugin. This lets you share stock levels across multiple products.)

Protecting parent or child categories

Categories can be created in a hierarchical structure. If your child category is Public, then it will automatically inherit the protection from its parent category.

In the screenshot above, you can see that Parent Category 1 is password protected. This means that Child Category 1, Child Category 2, Child Category 3 and Grandchild Category 1 are ALL password protected by the same password(s). Once the user has unlocked any of the categories within this hierarchy, they will be able to access all the other categories and products within that hierarchy.

Principle 5: child categories automatically inherit the protection of the parent category.

If a child and parent category are both protected, then the child category protection will take priority over the parent category. So using the example above, if Child Category 1 was role protected to administrators, then only administrators could access Child Category 1, and the password protection set on the parent category would no longer apply.

Principle 6: protected child categories will override the protection set on the parent or grandparent category. 

Related Articles

• Do Barn2 plugins meet accessibility guidelines?
• How do I report a security bug?
• Are categories protected when people access the store through the REST API?
• Translating WooCommerce Protected Categories into other languages
• Supported themes
• Where can I read reviews or leave my own review?