soderlind · soderlind · Jan 13, 2026 · Jan 13, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.2] - 2026-01-13
+
+### Added
+
+- Auto-redirect authenticated users to the redirect page when returning to the `[passwp_login]` shortcode
+- Setting to enable/disable auto-redirect (default: enabled)
+
 ## [1.3.1] - 2026-01-09
 
 ### Added

diff --git a/composer.json b/composer.json
@@ -3,7 +3,7 @@
 	"description": "Password protects all pages and posts except the front page",
 	"type": "wordpress-plugin",
 	"license": "GPL-2.0+",
-	"version": "1.3.0",
+	"version": "1.3.2",
 	"require": {
 		"php": ">=8.3",
 		"yahnis-elsts/plugin-update-checker": "^5.6"

diff --git a/includes/AdminSettings.php b/includes/AdminSettings.php
@@ -160,6 +160,15 @@ public function register_settings(): void {
 			page: self::PAGE_SLUG,
 			section: 'passwp_posts_main_section'
 		);
+
+		// Auto-redirect field.
+		add_settings_field(
+			id: 'passwp_posts_auto_redirect',
+			title: __( 'Auto-redirect', 'passwp-posts' ),
+			callback: $this->render_auto_redirect_field( ... ),
+			page: self::PAGE_SLUG,
+			section: 'passwp_posts_main_section'
+		);
 	}
 
 	/**
@@ -175,6 +184,7 @@ private function get_default_settings(): array {
 			'excluded_posts'     => [],
 			'protected_posts'    => [],
 			'enabled'            => false,
+			'auto_redirect'      => true,
 			'customize'          => self::CUSTOMIZE_DEFAULTS,
 		];
 	}
@@ -792,6 +802,23 @@ public function render_enabled_field(): void {
 		<?php
 	}
 
+	/**
+	 * Render auto-redirect checkbox field.
+	 */
+	public function render_auto_redirect_field(): void {
+		$settings      = get_option( self::OPTION_NAME, [] );
+		$auto_redirect = (bool) ( $settings[ 'auto_redirect' ] ?? true );
+		?>
+		<label>
+			<input type="checkbox" name="<?php echo esc_attr( self::OPTION_NAME ); ?>[auto_redirect]" value="1" <?php checked( $auto_redirect ); ?> />
+			<?php esc_html_e( 'Auto-redirect authenticated users', 'passwp-posts' ); ?>
+		</label>
+		<p class="description">
+			<?php esc_html_e( 'When enabled, users who have already authenticated will be automatically redirected to the redirect page when returning to the login shortcode.', 'passwp-posts' ); ?>
+		</p>
+		<?php
+	}
+
 	/**
 	 * Render password field.
 	 */
@@ -945,6 +972,9 @@ public function sanitize_settings( ?array $input ): array {
 		// Sanitize enabled.
 		$sanitized[ 'enabled' ] = ( $input[ 'enabled' ] ?? '' ) === '1';
 
+		// Sanitize auto-redirect (default to true if not set).
+		$sanitized[ 'auto_redirect' ] = ! isset( $input[ 'auto_redirect' ] ) || ( $input[ 'auto_redirect' ] ?? '' ) === '1';
+
 		// Sanitize and hash password.
 		if ( ! empty( $input[ 'password' ] ) ) {
 			$sanitized[ 'password_hash' ] = wp_hash_password( $input[ 'password' ] );
@@ -990,6 +1020,7 @@ public function sanitize_settings( ?array $input ): array {
 			// Preserve existing general settings when saving from customize tab.
 			if ( isset( $input[ '_customize_tab' ] ) ) {
 				$sanitized[ 'enabled' ]            = $existing[ 'enabled' ] ?? false;
+				$sanitized[ 'auto_redirect' ]      = $existing[ 'auto_redirect' ] ?? true;
 				$sanitized[ 'password_hash' ]      = $existing[ 'password_hash' ] ?? '';
 				$sanitized[ 'cookie_expiry_days' ] = $existing[ 'cookie_expiry_days' ] ?? 30;
 				$sanitized[ 'protection_mode' ]    = $existing[ 'protection_mode' ] ?? 'all';

diff --git a/includes/Shortcodes.php b/includes/Shortcodes.php
@@ -59,6 +59,15 @@ public function render_passwp_login( array|string $atts = [] ): string {
 
 		$password_hash = (string) $settings[ 'password_hash' ];
 		if ( $this->cookie_handler->is_valid_cookie( $password_hash ) ) {
+			// User already authenticated - redirect to the redirect page if auto-redirect is enabled.
+			$auto_redirect = (bool) ( $settings[ 'auto_redirect' ] ?? true );
+			if ( $auto_redirect ) {
+				$redirect_url = $this->get_redirect_url( $atts );
+				if ( $redirect_url !== '' ) {
+					wp_safe_redirect( $redirect_url );
+					exit;
+				}
+			}
 			return '';
 		}
 
@@ -134,4 +143,30 @@ public function render_passwp_login( array|string $atts = [] ): string {
 
 		return $html;
 	}
+
+	/**
+	 * Get the redirect URL from shortcode attributes.
+	 *
+	 * @param array<string, mixed>|string $atts Shortcode attributes.
+	 */
+	private function get_redirect_url( array|string $atts = [] ): string {
+		$redirect_attr = '';
+		if ( is_array( $atts ) && isset( $atts[ 'redirect' ] ) ) {
+			$redirect_attr = (string) $atts[ 'redirect' ];
+		}
+
+		if ( $redirect_attr === '' ) {
+			return '';
+		}
+
+		$default_redirect = home_url( '/' );
+		$redirect_url_raw = esc_url_raw( $redirect_attr );
+		$redirect_url     = $redirect_url_raw !== '' ? $redirect_url_raw : $default_redirect;
+
+		if ( function_exists( '\\wp_validate_redirect' ) ) {
+			$redirect_url = wp_validate_redirect( $redirect_url, $default_redirect );
+		}
+
+		return $redirect_url;
+	}
 }
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "passwp-posts",
-	"version": "1.3.1",
+	"version": "1.3.2",
 	"description": "Password protects all pages and posts except the front page",
 	"type": "module",
 	"scripts": {

diff --git a/passwp-posts.php b/passwp-posts.php
@@ -3,7 +3,7 @@
  * Plugin Name: PassWP Posts
  * Plugin URI: https://developer.suspended.no/passwp-posts
  * Description: Password protects all pages and posts except the front page. Logged-in users bypass the password.
- * Version: 1.3.1
+ * Version: 1.3.2
  * Author: Per Soderlind
  * Author URI: https://soderlind.no
  * License: GPL-2.0+
@@ -22,7 +22,7 @@
 defined( 'ABSPATH' ) || exit;
 
 // Plugin constants.
-define( 'PASSWP_POSTS_VERSION', '1.3.1' );
+define( 'PASSWP_POSTS_VERSION', '1.3.2' );
 define( 'PASSWP_POSTS_PATH', plugin_dir_path( __FILE__ ) );
 define( 'PASSWP_POSTS_URL', plugin_dir_url( __FILE__ ) );
 define( 'PASSWP_POSTS_BASENAME', plugin_basename( __FILE__ ) );

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: password, protection, privacy, security, access control
 Requires at least: 6.8
 Tested up to: 6.9
 Requires PHP: 8.3
-Stable tag: 1.3.1
+Stable tag: 1.3.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -115,6 +115,14 @@ You may need to exclude protected pages from caching or configure your caching p
 
 == Changelog ==
 
+= 1.3.2 =
+* Auto-redirect authenticated users to redirect page when returning to login shortcode
+* Added setting to enable/disable auto-redirect (default: enabled)
+
+= 1.3.1 =
+* New minimal-style CSS for shortcode form with gray input and black button
+* Shortcode form now automatically enqueues its own stylesheet
+
 = 1.3.0 =
 * Added shortcode [passwp_login] to render a theme-styled password form on public pages
 * Added Customize option for password placeholder text