
Secure Role-Restricted Draft Previews

By Pixy Puala
Generate secure, expiring preview URLs for drafts with role/user restrictions. Compatible with FSE, Block Themes, and Classic Themes.
Version: 1.0.1
Last updated: Oct 2, 2025

Why this plugin?

WordPress core preview links work well for editors, and Public Post Preview shares via anonymous nonces. This plugin adds a missing middle ground: draft previews that are secured by authentication and access control lists (ACLs) — role-based, user-specific, or per-email tokens — plus analytics and a one-click revoke-all.

Universal Compatibility

Works seamlessly with:

  • Full Site Editing (FSE) themes
  • Block themes (modern WordPress)
  • Classic PHP-based themes
  • All page builders including Elementor, WPBakery, Divi, etc.
  • WooCommerce product drafts
  • Any CSS framework including Tailwind CSS v4+

Key features

  • Create expiring preview links (default 72h; configurable).
  • Restrict by roles, specific users, or per-email tokens (no login for recipients).
  • Require HTTPS for previews (on by default).
  • Per-link analytics: allowed/denied events, hashed IP, user agent (privacy-friendly).
  • Meta box in the editor (Post/Page by default; filterable) to generate, copy, and revoke.
  • "Revoke All" for a post.
  • Everything prefixed (srpl_), sanitized, and aligned with WordPress coding standards.

How it works

Each generated link has a unique token, TTL, and ACL:

  • Role-based Access: Requires login. Only users with allowed roles can view the preview.
  • User-based Access: Requires login. Only specific user IDs can access the preview.
  • Email Token Access: No login required. Recipients receive unique URLs with email verification tokens.

When a link is visited, SRPL validates the token, expiry, and ACL, then renders the draft with your theme's header/footer. Events are logged (when enabled) to a small custom table (wp_srpl_events) with hashed IP for privacy.

Privacy

  • IPs are hashed using hash_hmac('sha256', $ip, wp_salt('auth')).
  • You can disable analytics entirely under Settings → Secure Previews.
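
The sketch below is an added example, not code from the plugin: it walks the validation order described under "How it works" (token, revocation, expiry, ACL) and produces the keyed IP hash described under "Privacy". The array keys reuse the post meta names listed on this page; the mode strings, the shape of the stored values, the `check_preview()` and `hash_ip()` helpers, and the `SALT` constant standing in for `wp_salt('auth')` are all assumptions.

```php
<?php
// Added illustration, not SRPL's code. Array keys mirror the post meta names
// on the page; mode strings, value formats and SALT are assumptions.
const SALT = 'constructed-secret'; // stands in for wp_salt('auth')

function hash_ip(string $ip): string {
    return hash_hmac('sha256', $ip, SALT); // keyed hash: not reversible without the salt
}

// Returns [outcome, reason]. $user is null for an anonymous visitor.
function check_preview(array $link, string $token, ?array $user, ?string $email_token, int $now, bool $https): array {
    if (!$https) return ['denied', 'https_required'];
    // hash_equals() compares in constant time, so timing does not leak token prefixes.
    if (!hash_equals($link['_srpl_token'], $token)) return ['denied', 'bad_token'];
    if ($link['_srpl_revoked']) return ['denied', 'revoked'];
    if ($now >= $link['_srpl_expires']) return ['denied', 'expired'];
    switch ($link['_srpl_mode']) {
        case 'roles': // login required; one of the user's roles must be allowed
            if ($user === null) return ['denied', 'login_required'];
            $ok = (bool) array_intersect($user['roles'], $link['_srpl_roles']);
            break;
        case 'users': // login required; strict match on user ID
            if ($user === null) return ['denied', 'login_required'];
            $ok = in_array($user['id'], $link['_srpl_users'], true);
            break;
        case 'emails': // no login; assumed shape: email => per-recipient token
            $ok = false;
            foreach ($link['_srpl_emails'] as $expected) {
                $ok = hash_equals($expected, (string) $email_token) || $ok;
            }
            break;
        default:
            $ok = false; // unknown mode fails closed
    }
    return $ok ? ['allowed', 'ok'] : ['denied', 'acl'];
}

// Constructed sample data: one role-restricted link with the default 72h TTL.
$now = 1760000000;
$tok = bin2hex(random_bytes(32));
$link = ['_srpl_token' => $tok, '_srpl_mode' => 'roles', '_srpl_roles' => ['editor'],
         '_srpl_users' => [], '_srpl_emails' => [], '_srpl_expires' => $now + 72 * 3600, '_srpl_revoked' => false];
$editor = ['id' => 7, 'roles' => ['editor']];
$visits = [[$tok, $editor, $now], [$tok, null, $now], [$tok, ['id' => 9, 'roles' => ['subscriber']], $now],
           ['guess', $editor, $now], [$tok, $editor, $now + 73 * 3600]];
foreach ($visits as [$t, $u, $when]) {
    [$outcome, $reason] = check_preview($link, $t, $u, null, $when, true);
    // Event row shaped like the wp_srpl_events columns named on the page.
    printf("%s %s ip_hash=%s\n", $outcome, $reason, substr(hash_ip('203.0.113.5'), 0, 12));
}
```

Every failure path returns a denied outcome with a reason, so a denied event can be logged without ever rendering the draft.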

Developer Friendly

  • Fully documented filters and actions
  • Clean, object-oriented codebase
  • PSR-4 autoloading
  • Extensive inline documentation

Developer Documentation

Filters

  • srpl_supported_post_types – Modify post types that support preview links
  • srpl_default_ttl_hours – Change default expiration time (in hours)
  • srpl_force_ssl – Control whether previews are forced to use HTTPS
  • srpl_analytics_enabled – Enable or disable analytics collection

Functions

  • LinkManager::create($post_id, $args) – Create a new preview link
  • LinkManager::revoke($link_id) – Revoke a specific link
  • LinkManager::revoke_all_for_post($post_id) – Revoke all links for a post
  • LinkManager::find_by_token($token) – Find a link by its token

Database Structure

  • Post Meta for Links: _srpl_token, _srpl_mode, _srpl_roles, _srpl_users, _srpl_emails, _srpl_expires, _srpl_revoked, _srpl_hits, _srpl_last_access
  • Analytics Table: wp_srpl_events (link_id, post_id, user_id, outcome, ip_hash, ua, created_at)

License

This plugin is free software, licensed under the GPL v2 or later.

Tested up to: WordPress 6.8.5