Skip to main content

Looking for a way to password protect your School of Medicine website? Whether you want to restrict access to part of your website or the whole thing, you have several ways to lock down the content. Simply choose the approach below that works best for you and follow the steps.

What is sensitive information?

Sensitive information (Tier 2 or 3 in the Information Classification Standard) usually has specific protections in law or policy because it could pose risks to people or the University. has more information

Examples of sensitive information include:

  • Full or partial Social Security numbers (SSN)
  • Credit card numbers and bank account information
  • Passport or Driver’s license numbers
  • Medical information with names or other identifying information
  • Intellectual property and patents
  • Research involving identifiable human subjects
  • Passphrases, passwords, and keys
  • Student records or personnel records

View the Safe Computing at UNC website or UNC’s Information Classification Standard policy for more information.

Sensitive Information Restrictions

Sensitive information, including PHI cannot be added to any School of Medicine website.

Even though you can password protect information, these security measures are not strong enough to store sensitive information, including Protected Health Information (PHI). More details about sensitive information can be found at the bottom of this page.

Password Protect a Single Page

Please follow one of the two methods below to password protect a single page in the School of Medicine’s web system.

Using Onyen

Pages can be password protected using Onyen authentication. This method will allow anyone with an Onyen to log in and access the content. Note that the authentication can not be limited to a subset of Onyen users such as a single department.

This solution requires the use of the UNC Permissions plugin. You will first need to ensure that this plugin has been activated on your website.

  1. Select Plugins in the Dashboard. Note that only Administrators can see and edit site plugins. If you don’t see Plugins in the dashboard then you are not an administrator and will need to get an administrator to check if the plugin is installed.
    Screenshot of the Dashboard that shows the Plugins option.
  2. Either search for or find the the UNC Permissions Plugin in the list.
    Screenshot of some of the available plugins, including the UNC Permissions Plugin.
  3. Activate the plugin if it’s not already active.

Once the plugin has bee activated, Onyen authentication can be used on a page.

  1. Log in to your website.
  2. Go to the page you wish to password protect.
  3. Edit the page.
  4. In the Onyen Restricted Content box in the right-hand column, select the Require Onyen Authentication option.
    Screenshot of the Onyen Restricted Content options.
  5. Save the changes
  6. Visitors will be required to log in through UNC’s Single Sign-On before they can view the page.
    Screenshot of UNC's Single Sign-On.

Using a Unique Password

The use of shared passwords is not a secure way of protecting information.

Example of when a unique password might be useful

Let’s say you wish to have someone review the content on a new web page before the page is made available on your website. Rather than give the reviewer access to the website (which is what they would need to see a draft page), you could publish the page with password protection. All you would have to do is send the link/url and password to the reviewer for them to access the page. Because the web page will eventually be available to the public, no significant damage would occur should someone else gain access to the page.

  1. Log in to your website.
  2. Go to the page you wish to password protect.
  3. Edit the page.
  4. In the Publish box located in the right-hand sidebar, click on the Edit link located next to Visibility: Public.Screenshot of where to enable password protection on a page.
  5. Select the Password protected option.
  6. Enter the password you wish to use.
  7. Publish the page

Visitors will be prompted to enter the password before they can view the page. Additionally, WordPress will prepend “Protected” before the title of the page.

Screenshot of a password protected page with "Protected:" listed before the page title.

The same password can be used on multiple pages to allow users to log in to all content at once. The first time a visitor enters a password, it will automatically unlock all pages that use that same password.

Password Protect an Entire Site

If you’re looking for even more protection, it’s possible to password protect your entire WordPress website. The entire site can be password protected using Onyen authentication. This method will allow anyone with an Onyen to log in and access the website. Note that the authentication cannot be limited to a subset of Onyen users such as a single department.

Examples of when an entire site is password protected:

  • When a new site is under development. The password protection can be lifted when the site is ready to be made public.
  • To use the site as an intranet.

Contact the School of Medicine’s IT Web Team to request help in password protecting an entire site.

Media Files Cannot Be Password Protected

Media files (images, documents, audio and video) uploaded to a School of Medicine web site cannot be password protected.

We’ve seen users link to a document from a password protected page as a means of working around this but this does not protect the document. The page is protected in this instance, not the document.

To properly protect a media file, it will need to be uploaded to an external resource that allows for password protection (see options below). Once that is set up, you can add a link on your website to the resource.

External Resources

External resources that allow you to password protect content include Teams, SharePoint and OneDrive.

Sensitive Information and Policies

What is Sensitive Information?

The University maintains an information classification standard that provides extensive guidance on what is considered classified information and what is not. Please visit the Safe Computing website or the Information Classification Standards website for examples of sensitive data and the tiers they fall into.

Policies, Guidelines and Resources

  1. Privacy Office
  2. Sensitive Information Storage Offerings – outlines the cost and storage space available for the different options of hosting sensitive data.
  3. UNC’s Information Classification Standard describes four “tiers” of information.  Tier 2 and 3 are “sensitive” information.
  4. UNC’s policy on Transmission of Sensitive Information Standard.
  5. What is sensitive information? from the Safe Computing at UNC website.
  6. Sensitive Information Help Desk article.
  7. School of Medicine’s Information Security and Privacy web site. The site contains a wealth of information including best practices, HIPAA training, and other security related resources.
  8. Need guidance on what is not sensitive information? Reference the non-sensitive information examples from the Safe Computing at UNC website.