How to make a XenForo forum private (no guest access)

How to make a XenForo forum private (no guest access)

I run several private websites where you must be a registered and approved member to view the forum content and post. There are several approaches for setting up a site for private use - the purpose of this tutorial is to explain the differences and describe my preferred approach.

The example I will use for this is the REBAA member forums I run for the Real Estate Buyers Agents Association of Australia - a not-for-profit industry association. The forums are for current members to share and discuss industry issues in a private space, plus to coordinate their association activities such as educational and professional development events.

Desired outcomes

Our goal for the private REBAA member forums was to achieve the following:
  1. prevent guest users from viewing content
  2. optimise the UI for guests viewing the forum by hiding user elements and functionality they can't use
  3. create an approval process to check that a registered user is permitted to join
This tutorial assumes you're aiming for largely the same outcome. If your goal is to simply hide content from people who aren't members (eg search engines) and don't care so much about who joins - then you won't have quite as much work to do.

Simple approach for making a site private

There is a very simple approach you can use to make a forum private. Simply change the "View" permission for the "Unregistered / Unconfirmed" group to "No":

This will prevent guests from viewing your site in any form.

However, the end result is a little messy:

... users are presented with a direct "You must be logged-in to do that" and a login form. What's more, the entire page response is a 403 error (forbidden).

There's nothing wrong with this if you are happy with the simple and blunt approach - but we decided to be a bit more informative for the REBAA website.

A more elegant approach to a private site

The REBAA member forums is linked to from the main REBAA website which is used by lots of different types of people, including potential customers for REBAA member organisations - so we decided a cleaner user interface would be a better approach.

So instead of simply denying access to the entire forum, we use a more nuanced approach:

A very simple interface - explains the purpose of the site and who will gain access.

In order to achieve this, we needed to hide a few UI elements that would normally be there and change our permission model so that we don't just return a 403 error.

Most of the UI changes can be done via the admin interface - but there's a couple which I created a simple addon called Private Site to help with - including the message that shows below the page title (you could also do this via an advertisement placement).

Here's the process I went through for REBAA:

Step 1: back up your site

Before you start making any changes to your permissions and UI, please do a full backup just in case you accidentally make a big mess of things (or worse - in case my instructions don't do what you want!!)

Step 2: install the Private Site addon

This is optional - but it will save you a bit of time and effort having to manually create some template modifications.

The addon does three things:
  • allows you to show a message on the forum home page to guests
  • hides the "New posts" button for guests
  • hides the "What's new" link from the header on mobile devices for guests
You can find the addon here:

Step 3: configure home page message to show to guests

If you're using the addon, configure the message in the Private Site options.

If you're doing it yourself, create an advert for the "Forum overview: Top" placement, and make sure it's only shown to the Unregistered / Unconfirmed usergroup.

Step 4: update user permissions

Unregistered / Unconfirmed

We need our guests to be able to view the site to avoid receiving the 403 forbidden error, but we don't want them to see the content or interact with anything else.

Start by using Quick set to set all permissions to "Never"

Then set the "View" permission to "Yes" so they can see the site (but no content).

You may also want to let guests use the contact form - but if you do, be sure to set up a CAPTCHA to help manage spam bots.

Leave everything else set to "No" permission.

Note: we could achieve the same outcome by setting all other permissions for guest users to "No" rather than "Never", however doing so leaves us open to mistakes allowing guests to view content they shouldn't. If we somehow managed to set the permissions (eg Node permissions) for the Unregistered / Unconfirmed user group to "Yes", then this will override the "No" we set by default. We never want guests viewing content in any situation - so Never is the safer choice here.

Until a user has an account in the "Valid" state, they won't be able to view any content or do anything on the site. This means disabled / rejected / invalid / unapproved / etc accounts will all be unable to view content or interact with the site - which is exactly what we want.


Set your permissions for registered users as normal.

Node permissions

Set your node permissions as normal - only users who are registered with a valid account will be able to view anything, so there is no need to set any explicit node permissions for the Unregistered / Unconfirmed user group.

Step 5: update admin options

There are a few admin options we should adjust for a private site.

User registration

Enable manual approval - you will generally want to approve members before allowing them access to your private site. Recommentation: enable


You won't want people sharing content from your private site anywhere else, so disable all sharing options. This has the added benefit of automatically hiding the Share this page widget. Recommendation: disable all sharing options

XML sitemap generation

Automatically build sitemap - if the site is private, Google won't see the content, and you most likely won't want your site indexed by search engines anyway. Recommendation: disable

Automatically submit sitemap to search engines - Recommendation: disable

Step 6: hide some navigation links from guests

Some of the links in the navbar won't do anything for guests if they can't view content, so let's clean up the UI by hiding those links.

Go to the Public navigation page in the Setup section. We can hide navigation links by adjusting the Display condition on a link.

Forums (section)

New posts - change Display condition to {$xf.options.forumsDefaultPage} != 'new_posts' && $xf.visitor.user_id

Forum list - change Display condition to {$xf.options.forumsDefaultPage} != 'forums' && $xf.visitor.user_id

What's new (section) - change Display condition to: $xf.visitor.user_id

Step 7: hide some widgets from guests

By default, the Forum statistics widget is shown to guests - but we might not want to that, especially since it shows the name of the latest member.

Go to the Widget page in the Appearance section. Like navigation links, we can hide widgets by adjusting the Display condition on a link.

Forum statistics - change Display condition to: $xf.visitor.user_id

Be sure to check any other widgets which display for guests.


It's pretty easy to set up a private site with no access to content for guests while maintaining a clean user interface.
First release
Last update
0.00 star(s) 0 ratings

More resources from shimmer