Skip to content

WooCommerce Content Restriction Strategy

Classify public and protected content first, then govern the narrowest enforceable scope, condition, priority, denied path, and rollback.

Emran // ArrayHash14 min read

A sound WooCommerce content restriction strategy classifies content before creating rules: public discovery, preview, member access, tier access, account recovery, and staff-only. For each protected item, define one authoritative condition, the narrowest target scope, rule priority, denied experience, schedule, and test cases. Never gate login, payment recovery, password reset, checkout, or support accidentally.

Restriction is authorization policy, not visual hiding. Removing a menu item or concealing a block with CSS does not protect the response, file, API, or direct URL.

Key takeaways

  • Protect the response or data source, not only the button that links to it.
  • Use whole-resource rules for whole resources and partial gates only on genuinely mixed pages.
  • Exclude account, payment, checkout, webhook, privacy, and support routes from broad URL rules.
  • Govern first-match, priority, order, and per-post overrides with a rule inventory.
  • Design different denied experiences for logged out, wrong tier, not-yet-released, expired, and payment-recovery states.

What content should remain public, and what should be gated?

Start public and protect deliberately.

Content classDefault stanceExamplesMain policy note
Public discoveryopen/indexablehomepage, topic hubs, complete public articlesearns trust and search discovery
Preview/teaserpartly openarticle introduction, sample lesson, product overviewprovide real value; avoid deceptive truncation
Member baselinegatedcore library, community guidesone clear membership condition
Tier/entitlementproduct/variation/feature gatedadvanced course, team template, expert archiveavoid role-only shortcuts
Scheduled/drippeddeny until releaselesson sequence, archive releasedistinguish “not yet” from “not eligible”
Purchased/earnedpurchase conditionone-time course or downloaddefine refund and expiry behavior
Account/recoveryalways reachable to intended customerMy Account, Pay Now, update method, reset passwordexplicit exceptions to broad rules
Staff/privatecapability/admin controlseditorial/admin resourcesdo not use commercial membership alone

A membership museum has a public lobby, preview gallery, member wing, tier vault, and a clearly open recovery desk.

The inventory reveals where partial content helps and where it creates needless complexity. A public guide with one downloadable worksheet may need a gated section. A fully private course lesson usually needs whole-resource protection plus secured video/file delivery.

What are the six parts of a complete restriction rule?

rule
= target
 + qualifying condition
 + denied action
 + priority or stored order
 + schedule
 + owner and test evidence
  1. Target: the page, post type, taxonomy, URL branch, section, file, product, or discount.
  2. Condition: subscription status/product/variation, purchase, role, spend, feature, or nested logic.
  3. Denied action: message, login, redirect, 403, 404, or purchase block.
  4. Priority: which rule wins when scopes overlap.
  5. Schedule: whether access starts later and from which date source.
  6. Governance: owner, purpose, tests, cache behavior, change history, and rollback.

At a security checkpoint, a visitor presents subscription, purchase, role, and feature evidence before the gate chooses an action.

If a rule cannot be written in plain language, it is not ready for production.

Which restriction scope should be used?

Choose by the protected resource, not by whichever settings screen is easiest.

Is the entire resource restricted?
├─ Yes → Is it a WordPress content object?
│  ├─ Yes → per-post, post-type, or taxonomy rule
│  └─ No → URL, shop/product, or download rule
└─ No → partial gate
   ├─ Gutenberg → Restricted Content block
   ├─ Elementor → container restriction
   ├─ mixed builder/editor → shortcode
   └─ custom template → PHP/helper contract

Per-post and post-type rules

Use per-post conditions for exceptions or uniquely sensitive resources. Use post-type/taxonomy rules for a coherent collection. Current ArraySubs post-type rules can target a post type, terms, or selected posts; they also expose archive behavior, denied action, and optional delayed access.

A live post-type rule marks content scope, archive visibility, and eligibility separately.

Archive behavior is an information-architecture decision. Hiding every denied item reduces discovery; showing a lock can communicate value; showing normally while restricting the body can support previews. Choose intentionally.

URL rules

Use URL rules for custom application routes or path branches that are not reliably described by WordPress objects. Current ArraySubs supports exact, prefix/starts-with, contains, and regular-expression patterns, plus exclusions and numeric priority.

A live URL rule exposes path scope and eligibility instead of treating a prefix as a complete policy.

Query strings are removed before current URL matching. Lower numeric priority runs first, and the first matching URL rule returns its allow or deny decision. A broad early allow can bypass a later restriction; a broad early deny can block recovery routes.

Partial content

Use a partial gate when the page intentionally mixes public and protected value. Current ArraySubs supports Gutenberg, Elementor, shortcode, and programmatic surfaces. Test the delivered HTML and network responses for an unauthorized session; content hidden after delivery may still be exposed.

Downloads

Protect authorization at download time. Current ArraySubs protected downloads use authenticated My Account delivery, signed nonce links, and re-checks of login, rule conditions, schedule, file, and configured limits. Still test raw storage URLs and CDN behavior. A missing UI link is not proof the file is private.

Shop access and discounts

Catalog visibility and purchase authorization are different. Current shop rules can target all products, selected products, or categories with exclusions, and can show-but-block-purchase, hide/404, redirect to login, or redirect to a page. The first stored matching shop rule wins.

Current enforcement covers several classic, add-to-cart/cart, Store API, REST, related-product, and sitemap paths for relevant actions. Administrators and shop managers bypass current shop rules, so administrator screenshots are not customer QA.

Which conditions should grant access?

Prefer evidence closest to the business promise.

PromiseStrong condition candidateCommon weak shortcut
Current paid planactive/trial subscription product or variationgeneric “subscriber” role
One-time ownershipcompleted qualifying purchaseactive subscription
Specific capabilityproduct feature entitlementmarketing tier name only
Alumni/staff/partnermanaged role or manual recordlifetime spend
Loyalty benefitpurchase history or spend with policyone current product
Complex qualificationnested AND/OR groupsmany duplicated rules

Roles are useful when another WordPress plugin consumes capabilities, but they can become stale or too broad. WordPress describes them as capability collections (WordPress roles and capabilities), not commercial membership ledgers.

Pro Feature Manager can support more granular toggles or numeric entitlements. Feature names currently act as access keys, so renaming or deletion needs controlled rule migration.

Which rule wins when restrictions overlap?

Current ArraySubs conflict UI describes a specificity order beginning with per-post restriction, then specific URL, URL pattern, post-type, and taxonomy rules. Actual enforcement exists in separate surfaces, so do not assume one universal resolver without testing.

Important current behavior:

  • ContentGating checks per-post restriction before post-type rules.
  • URL rules sort by numeric priority and stop at the first match.
  • Shop rules use stored order and first product-target match.
  • The conflicts endpoint can detect a published per-post restriction overlapped by a URL rule and identifies the per-post rule as winner.

The live conflicts page identifies an overlap and offers a deliberate resolution instead of hiding precedence.

A broad URL road and a specific post lane meet at a priority sign, showing why scope and precedence need governance.

Maintain a rule inventory rather than relying on memory.

Review that inventory as a dependency graph, not only a list. A product variation, feature key, WordPress role, URL prefix, post type, taxonomy term, redirect destination, and cache rule may each be referenced by several policies. Before renaming or removing one, identify every consuming rule and the customer states it affects. A harmless catalog cleanup can otherwise become an immediate access incident.

For a high-impact change, record the old and new dependency values, test one allowed and one denied account, verify recovery routes, and keep a timed rollback. If the rule has no owner or its dependencies cannot be traced, pause the change until the operating record is repaired.

What should a denied visitor see?

Visitor stateUseful responseAvoid
Logged outexplain that login may restore access; keep return URLgeneric 403 when login is likely fix
Logged in, no planname what grants accessambiguous “not authorized”
Wrong tieridentify required benefit and switching pathforcing repurchase without current-plan context
Drip not reachedexplain it is scheduled and when/why it opensthe non-member message
Payment recovery/on holdPay Now, method update, account, supportredirecting away from recovery
Expired/cancelledrejoin/renew policy and retained assetspretending no purchase existed
Staff/adminverify bypass is intentionalusing admin view as member test

Account, payment, reset, checkout, and support routes stay in a lifeboat outside the locked content island.

WooCommerce Memberships supports hide, excerpt, and redirect-style restriction choices with configurable messages (WooCommerce Memberships settings). MemberPress explicitly warns against protecting the Account page because expired users may need it to update payment details (MemberPress rules overview). The recovery principle applies regardless of plugin.

Should restricted content appear in search results?

Decide by intent. Public discovery pages and valuable excerpts can explain expertise and membership value. High-risk private resources, licensed downloads, internal community pages, and account content should normally not be indexed.

If paywalled article content is intended for crawling/indexing, Google documents paywalled-content markup to help distinguish the pattern from cloaking (Google paywalled-content markup). Markup does not guarantee ranking or indexing and must match the visible implementation.

Caching is part of authorization. Publicly cache public shells; bypass or vary protected responses by reliable identity/entitlement signals. Test guest-warmed cache as member and member-warmed cache as guest. Do not put private HTML into a shared public cache and hope JavaScript removes it.

Content restriction governance checklist

For every live rule, record:

  • unique name and business owner;
  • target scope and exclusions;
  • condition tree in plain language;
  • denied action, message, and destination;
  • priority or stored order;
  • schedule trigger and duration;
  • affected products, variations, roles, and feature keys;
  • account/recovery route exceptions;
  • test users and expected results;
  • cache/CDN rules;
  • creation/change date, reason, reviewer, and rollback;
  • content owner and retirement date.

Use combined conditions, URL prefix lockdown, and inline content gating for configuration after this record exists.

Fifteen-case restriction test matrix

  1. Guest through direct URL and archive/listing.
  2. Logged-in non-member.
  3. Correct active/trial member.
  4. Wrong product, tier, variation, or feature.
  5. Grace, on-hold, pending-cancellation, cancelled, and expired states.
  6. Scheduled content before and after unlock.
  7. Administrator versus real customer session.
  8. Cache warmed as guest then member, and reverse.
  9. HTML source and network response for hidden partial content.
  10. REST/Store API/product blocks/add-to-cart for shop rules.
  11. Direct download path and expired/changed nonce.
  12. Overlapping per-post, post-type, and URL rules.
  13. Login, password reset, My Account, Pay Now, checkout, and support.
  14. Mobile, incognito, cookie/session transition.
  15. Sitemap and internal links for intentionally hidden products/content.

Capture expected and actual results. Test after theme, builder, cache, payment, and rule changes.

When is ArraySubs not sufficient by itself?

ArraySubs fits WordPress/WooCommerce entitlement rules across many access surfaces. It is not DRM, secure streaming, remote SaaS authorization without integration, newsroom-style view metering, high-assurance document rights management, or a guarantee against authorized users copying/screenshooting material.

It is also unsafe to rely on any membership plugin when a cache/CDN cannot keep protected responses private or when policy requires an independent durable membership record that the plugin does not maintain.

Final recommendation

Classify content first, use the narrowest enforceable target, select evidence closest to the promise, design the denied journey, and govern priority, schedules, cache, exceptions, and rollback. Treat every restriction as live authorization code—even when it is configured through a friendly form.

After the inventory and test matrix pass, review ArraySubs Pro pricing and member experience features.

Frequently asked questions

Should I gate a whole page or only part of it?

Gate the whole resource when its entire purpose is member-only. Use partial gating only when the page intentionally combines useful public discovery with protected value.

How do URL prefix and post-type rules differ?

Post-type rules understand WordPress objects and archives. URL prefixes protect path branches, including custom routes, but need careful priority and recovery exclusions.

Do URL rules override per-post rules?

Not universally. Current conflict logic treats per-post restrictions as more specific in detected overlaps, while URL rules have their own first-match priority. Test the actual route.

Can I hide products but allow direct purchases?

Catalog visibility and purchase authorization are separate controls. Decide both and test product pages, add-to-cart, cart, Store API, related products, and sitemaps.

Does a nonce permanently protect a download?

No. A nonce helps authorize a request, but storage exposure, login, entitlement re-check, expiry, limits, and direct-file behavior still matter.

Do WordPress roles make good membership levels?

Roles can support capabilities and compatibility, but they are usually too coarse to represent payment, duration, tier, purchase, and feature history alone.

Author, technical review, and verification environment

Author: Emran, ArrayHash — product and editorial work across WooCommerce membership and access architecture.

Technical reviewer: ArraySubs Engineering Team — review scope includes rule surfaces, conditions, denied actions, precedence, schedules, downloads, shop enforcement, cache risk, and conflict governance.

Verification environment: Source and live UI review of ArraySubs 1.8.11 and ArraySubs Pro 1.1.2 on July 16, 2026, plus current WooCommerce, WordPress, Google Search, and MemberPress documentation. No live rule was saved or cache behavior mutated on the mirror.

Disclosure, limitations, and update log

  • Commercial disclosure: ArraySubs is an ArrayHash product. Restriction strategy is product-independent, and current implementation limits are explicit.
  • Limitations: Themes, page builders, caches, CDNs, REST/custom endpoints, storage, and third-party plugins can expose or overblock resources. Test the deployed stack.
  • July 16, 2026: First publication. Verified current surfaces, target/action behavior, priority/conflict semantics, recovery exclusions, live rule UI, and the fifteen-case matrix.

Continue from strategy to setup

Use a recipe when the model is settled

These articles own the decision and operating model. The ArraySubs feature map and recipes cover the exact product, billing, and customer-workflow configuration.

Written by

Emran // ArrayHash

Research and practical guidance for WooCommerce subscription operators and implementation teams.

Technical review

ArraySubs Engineering Team

Reviewed against current ArraySubs code, product documentation, and the linked primary platform sources.

From plan to working store

Build the subscription system you just mapped

Start with the free ArraySubs core, then add Pro automation when the store needs supported automatic gateways and deeper operations.

No credit card required · Keep the same subscription records as you grow