I have created a custom post type for creating and sending proposals. I password protected the posts, the password is the client’s email address (the value of a custom field).

Even though it’s already a pretty good security, one can still guess the post. Especially since the URL structure is site.com/mycustomposttype/12345 (12345 being the post ID). I’d rather post something completely untraceable by someone who doesn’t have a direct link.

I managed to create a function that generates a custom token upon post creation and saves it to the custom field of the post.

Is there a way to make posts accessible only (with password) via URL+token?

Of course this means that the post is fully accessible (404?) via a normal URL (even with a password).

Another solution would be to modify the post url structure, adding that unique token at the end. But my fear is that the url+token will be made searchable by google for example.

Thanks in advance for any input!