Secure Draft Preview Links

Secure Draft Preview Links lets you generate a cryptographically secure, unguessable link for any draft post so that people without a WordPress account can read it before it goes live.

How it works

1. Open any draft post or page in the editor.
2. Check Enable public preview in the Publish panel (Classic Editor) or Status & Visibility panel (Block Editor).
3. Copy the generated link and share it with anyone.
4. The recipient can view the draft without logging in.
5. Uncheck the box or set the expiry to Expired to revoke access immediately.

Editor features

• Works with both the Classic Editor and the Block Editor (Gutenberg).
• Checkbox to enable / disable preview — shown even on auto-draft posts (disabled with a „save first“ hint).
• When a post is published the checkbox automatically disables and shows „Not available for published posts“.
• Preview URL displayed in a monospace code box — horizontally scrollable, click to select all.
• Copy button and Open preview button inline with the URL box.
• Generate new link button — invalidates the old link immediately, with a confirmation step before firing.
• Stop sharing confirmation bar — shown when unchecking the checkbox, requires explicit confirmation before removing the link.
• Expiry selector with four options:
  • 48 hours — default, shows exact time remaining (e.g. „Expires on: Apr 29 · 14:32 (4h 12m remaining)“).
  • Always available — link never expires.
  • Custom time — set Days, Hours, and Minutes; live „Expires on:“ display updates as you type; shows error if all fields are cleared without saving.
  • Expired (disable now) — immediately invalidates the link without deleting the token.
• Expiry settings auto-save on change with a „Expiry setting saved.“ confirmation message.
• Block Editor: snackbar notices for every action (enable, disable, copy, generate new link).
• Block Editor: Open public preview item added to the Preview dropdown (WordPress 6.7+).

Preview Links admin page

• Dedicated Preview Links menu item in the WordPress admin sidebar.
• Two tabs: Active and Expired, each showing a count badge.
• Paginated table — 20 items per page, with top and bottom pagination controls.
• Per-row columns: Post title, Post type, Exact expiry time, Preview URL, Share buttons, Actions.
• Copy URL and Open preview icon buttons inline with the URL.
• Share buttons: Facebook, X (Twitter), LinkedIn, Email — captions include the post title and expiry time (omitted for never-expires links).
• Regenerate button — generates a new token with a confirmation dialog; old link stops working immediately.
• Stop Sharing button — removes the token with a confirmation dialog.
• Edit Post link opens in a new tab.
• Confirmation dialogs use an inline modal (no browser confirm()) with clear messaging about consequences.
• Toast notifications slide up from the bottom-right on every action.

Security

• Tokens are 64-character cryptographically random hex strings generated with random_bytes().
• Token validation uses hash_equals() to prevent timing attacks.
• Expired links return a 410 Gone HTTP response.
• Invalid tokens return a 403 Forbidden HTTP response.
• Preview link is automatically removed when a post is published, made private, or trashed.
• All AJAX endpoints are protected with nonces and capability checks.
• No data is exposed to unauthenticated users beyond the post content itself.

Post list table

• Public Preview badge shown next to post titles that have an active preview link.
• Public Preview filter view in the post list table to quickly find all posts with active links.

Technical

• Works with all viewable public post types (posts, pages, and custom post types).
• Pagination links on multi-page posts are rewritten to include the preview token.
• Token meta is registered with the REST API for block editor compatibility.
• No external dependencies — pure PHP, jQuery (Classic Editor), and WordPress’s own React/wp-components (Block Editor).