How to Monitor Password-Protected Websites for Changes

Visualping monitors pages behind login forms using two different methods

Most website monitoring tools stop at the login page. They can track public pages, but the moment content sits behind a username and password, standard crawlers cannot reach it.

That is a problem because some of the most important pages to monitor are gated. Internal dashboards, supplier portals, SaaS platforms like Jira or Salesforce, government RFP systems, regulatory filing portals, and competitor pages that require registration all sit behind login forms.

Visualping solves this. It offers two methods to monitor password-protected websites for changes, each suited to different situations. This guide walks through both, step by step.

What You Will Learn

• Why Monitor Password-Protected Pages?
• Two Methods to Monitor Password-Protected Websites
• Method 1: Visualping Chrome Extension (Easiest)
• Method 2: Pre-Actions with Element Selector
• Troubleshooting Common Issues
• Security Considerations
• FAQ: Monitoring Password-Protected Websites

Why Monitor Password-Protected Pages?

Before the how-to, consider why this matters. Pages behind login forms contain information that changes frequently and matters a lot:

• SaaS dashboards (Jira, Asana, Salesforce): Track issue status changes, pipeline updates, or configuration changes without logging in manually every day
• Supplier and vendor portals: Catch pricing changes, policy updates, or contract modifications the moment they publish
• Government RFP sites: Get alerted when new requests for proposals appear so you can respond before deadlines
• Regulatory filing portals: Monitor compliance updates that agencies post behind authenticated portals
• Competitor member areas: Track changes to pricing tiers, feature pages, or documentation that require registration as part of your competitive intelligence workflow

The common thread: these are pages where missing a change has real consequences, and checking manually does not scale.

Two Methods to Monitor Password-Protected Websites

Visualping offers two approaches. Here is when to use each:

Choose the right method based on your authentication setup

Method 1: Visualping Chrome Extension (Easiest)

The Visualping Chrome extension is the simplest way to monitor pages behind a login. It captures your active browser session, so if you can see the page in Chrome, Visualping can monitor it.

Steps

1. Install the Visualping Chrome extension from the Chrome Web Store
2. Navigate to the password-protected page in your browser and log in normally
3. Once you see the page you want to monitor, click the Visualping extension icon
4. Choose your monitoring mode:
   • Device mode: Uses your local browser session. Works with any authentication method, including two-factor authentication and single sign-on. The check runs on your machine.
   • Server mode: Captures your session data and sends it to Visualping's servers for background monitoring. More reliable for frequent checks but requires sessions that do not expire quickly.

The extension automatically captures cookies and local storage values from your active browser session. This means complex authentication flows (2FA, SSO, OAuth) are handled automatically without any manual cookie extraction. In Server mode, these captured session values are sent to Visualping's servers so checks can run in the background.

5. Select the area of the page to monitor (or monitor the full page)
6. Set your check frequency and notification email
7. Click Start Monitoring

When to use this method

Use the Chrome extension when:

• The site uses complex authentication (2FA, SSO, OAuth)
• You want the fastest setup with no configuration
• You are already logged into the site in Chrome

Limitations

Device mode checks only run when your computer is on and Chrome is open. For 24/7 monitoring, use Server mode or pre-actions (Method 2).

Method 2: Pre-Actions with Element Selector

Pre-actions tell Visualping's server-side crawler to perform login steps before taking a screenshot. You define a sequence of type and click actions that replicate what you do manually: type your username, type your password, click the login button, wait for the page to load.

Steps

Step 1: Go to visualping.io and paste the URL of the login page into the search bar. Click GO.

Step 2: The page preview loads. Scroll down to the Advanced section and expand Perform actions.

Step 3: Set up the username action. Under the first action:

• Change the dropdown from Click to Type
• In the "Words to type" field, enter your username or email
• Click the arrow icon (element selector) and click on the username field in the page preview above

If the element selector does not highlight the correct field, you can manually enter the field's ID or XPath. To find it, right-click the username field in any browser, choose Inspect, and look for the

id

<input>

Enter it in the "Field name (or XPath)" box. Alternatively, use the XPath format:

//input[@id="email"]

Step 4: Click + Add action for the password. Again select Type, enter your password in "Words to type", and use the element selector to click the password field in the preview. Or enter the field's ID or XPath manually.

Step 5: Click + Add action for the login button. Keep the action set to Click. Use the element selector to click the login/submit button in the preview. Or type the button text ("Log In", "Submit", "Sign In") in the "Button name (or XPath)" field.

Step 6: Click + Add action and select Wait. Set it to 2-3 seconds. This gives the page behind the login form time to load before Visualping takes the screenshot.

Step 7: Click GO to test. If the preview shows the authenticated page, the pre-actions are working.

Step 8: Set your check frequency, select the area of the page to monitor, enter your notification email, and click Start Monitoring.

Finding XPath or Element IDs

If the element selector does not work (some pages use custom UI components that are hard to click), you can find the element's XPath manually:

In Chrome (or any Chromium browser):

1. Right-click the form field and select Inspect (see Chrome DevTools DOM docs for a full walkthrough)
2. In the Elements panel, the

   <input>

   element is highlighted
3. Right-click the highlighted element, go to Copy, then Copy XPath
4. Paste the XPath into Visualping's "Field name (or XPath)" box

In Firefox:

1. Right-click the form field and select Inspect Element
2. In the Inspector panel, right-click the highlighted element
3. Go to Copy, then XPath

The XPath typically looks like

//input[@id="username"]

//button[@type="submit"]

When to use this method

Use pre-actions when:

• The site has a standard username/password login form
• You need 24/7 server-side monitoring (not dependent on your computer being on)
• The site does not require two-factor authentication

Limitations

Pre-actions do not work with two-factor authentication, CAPTCHA-protected logins, or JavaScript-heavy single-page app login flows that the crawler cannot render. For those situations, use the Chrome extension (Method 1), which automatically captures your session regardless of the authentication method.

Go deeper: How to Monitor Regulatory Compliance Changes | Website Defacement Monitoring

Troubleshooting Common Issues

If you run into problems when you monitor password-protected websites, start here.

The preview shows the login page instead of the authenticated content

• Pre-actions: Double-check that the element selectors or XPaths point to the correct fields. Test by clicking GO after each action to see where the process breaks.
• Chrome extension: Your session may have expired. Log in again in Chrome and the extension will automatically recapture your session data.
• Wait time: Increase the wait action to 5-10 seconds. Some sites load slowly after login.

The crawler logs in but monitors the wrong page

Make sure the URL in Visualping is the page you want to monitor after login, not the login page itself. Some sites redirect after login to a default dashboard. If you need a specific page, use the direct URL of that page.

Changes are detected but they are just session-specific elements

Use Visualping's area selector to exclude dynamic elements like timestamps, session IDs, or "Last logged in" messages. Focus the monitoring area on the content that actually matters.

The site blocks Visualping's crawler

Some sites detect and block automated access. The Chrome extension in Device mode avoids this because it uses your real browser. For server-side methods, try adding a longer wait time or contact Visualping support for help with specific sites. For public-facing pages, website defacement monitoring can also detect unauthorized changes.

Security Considerations

When you provide login credentials to any monitoring tool, keep these points in mind:

• Visualping encrypts credentials used in pre-actions. They are stored securely and used only for the crawl.
• Use a dedicated monitoring account where possible. Create a separate login with read-only access rather than using your personal admin credentials.
• Review permissions regularly. If you change your password or revoke access, update your Visualping job to match.

For a detailed guide on session security best practices, see the OWASP Session Management Cheat Sheet.

For organizations with strict security policies, the Chrome extension in Device mode keeps all authentication local to your machine. No credentials are sent to Visualping's servers. If your organization monitors multiple regulatory websites, the same security considerations apply to each tracked page.

FAQ: Monitoring Password-Protected Websites

These are the most common questions we get from users who monitor password-protected websites with Visualping.

Can Visualping monitor pages that require two-factor authentication? Yes. Use the Chrome extension (Method 1), which automatically captures your session after you complete 2FA in the browser. Pre-actions (Method 2) cannot handle 2FA because the crawler cannot receive or enter a verification code.

How often can I check a password-protected page? The same frequencies available for any Visualping job: every 5 minutes, 30 minutes, hourly, daily, or weekly.

What happens when my session expires? If using the Chrome extension in Server mode, the crawler may see the login page instead of the authenticated content when the session expires. You will get an alert showing the "change." Log back into the site in Chrome and the extension will recapture your session automatically. In Device mode, the extension uses your live browser session, so staying logged in keeps monitoring active.

Can I monitor multiple pages behind the same login? Yes. Set up separate Visualping jobs for each page. If using pre-actions, each job will perform the login independently. If using the Chrome extension, each job captures its own session.

Does this work with single sign-on (SSO) systems like Okta or Azure AD? Yes. The Chrome extension handles SSO because it automatically captures your active browser session, including all cookies and local storage values set by the SSO provider. Pre-actions generally cannot replicate SSO flows.

Is it safe to store my login credentials in Visualping? Visualping encrypts credentials used in pre-actions. For maximum security, use a dedicated read-only account and the Chrome extension in Device mode, which keeps authentication entirely on your machine.

Can I monitor password-protected RSS or Atom feeds? Yes. If the feed URL requires authentication, paste it into Visualping and use the Cookie action under Perform actions to add the required authentication cookies manually. This is one of the edge cases where adding cookies directly is the best approach. For public feeds that do not require a login, see RSS feed monitoring alternatives.