Apologies @jemima - I had a false memory of a whitelist. Sorry for having steered you into a dead-end.
You have raised a very interesting question and definitely identified a large deficiency in s2member from my perspective. The lack of a whitelist is definitely a serious deficiency, but there is a workaround with some minor pre-structuring of the site on your part using the following two plugins.
https://en-au.wordpress.org/plugins/custom-post-type-ui (Create Custom Post Types)
https://en-au.wordpress.org/plugins/user-role-editor/ (User Role Editor)
Both are extremely useful. I have both these capabilities installed on all my sites.
Here’s how you can accomplish your goal.
- Add a custom post type (CPT) called protected-pages
- Restrict all roles except administrator to edit / add / delete capabilities for protected-pages (so only the administrator can add / edit / delete WordPress pages)
- In S2Member under Post Access restrictions enter ‘all’ at level0 to restrict all posts of all types to logged in users
- Enable Alternate View Protection
Your home page and all pages you create as administrator will be public. All protected-pages (CPT-based pages) will be protected by default. Your blog will be protected.
CAVEAT: s2member does not protect the media associated with protected pages / posts. So images on the protected pages / posts would be accessible by non-members if they knew or guessed the URLs. Although the addition of an s2member URI restriction for /uploads would probably do the trick, this would prevent images on your public pages (including your home page) from being seen by people who are not logged in. Getting around that would require your protected pages to only embed s2member protected images, which you find under Download Options / Advanced Download Restrictions.
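
Added example, not part of the original post: a small audit for the media caveat above. Given the HTML of a protected page, it lists same-site media still embedded from the uploads directory (reachable without login) separately from media served through s2Member's protected download handler. The `/wp-content/uploads/` path, the `s2member_file_download` parameter name, the host name and the sample HTML are assumptions or constructed values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

UPLOADS_PATH = "/wp-content/uploads/"         # assumption: default uploads location
S2_DOWNLOAD_PARAM = "s2member_file_download"  # assumption: protected-download parameter

class MediaCollector(HTMLParser):
    """Collect absolute URLs from src, href, poster and srcset attributes."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in ("src", "href", "poster"):
                self.urls.append(urljoin(self.base_url, value.strip()))
            elif name == "srcset":
                # srcset holds comma-separated "url descriptor" candidates
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.urls.append(urljoin(self.base_url, parts[0]))

def audit_media(html, base_url):
    """Return (exposed, protected) same-site media URLs found in the page."""
    collector = MediaCollector(base_url)
    collector.feed(html)
    site_host = urlparse(base_url).netloc
    exposed, protected = [], []
    for url in dict.fromkeys(collector.urls):   # de-duplicate, keep order
        parsed = urlparse(url)
        if parsed.netloc != site_host:
            continue                            # third-party media is out of scope
        if S2_DOWNLOAD_PARAM in parse_qs(parsed.query):
            protected.append(url)               # goes through the membership check
        elif UPLOADS_PATH in parsed.path:
            exposed.append(url)                 # plain file, no login required
    return exposed, protected

# Constructed sample: markup of a hypothetical protected-pages entry.
SAMPLE_BASE = "https://members.example.test/protected-pages/welcome/"
SAMPLE_HTML = """<article>
<img src="/wp-content/uploads/2020/01/plan.png"
     srcset="/wp-content/uploads/2020/01/plan-300x200.png 300w, /wp-content/uploads/2020/01/plan.png 600w">
<img src="/?s2member_file_download=members/chart.png">
<a href="/wp-content/uploads/2020/01/report.pdf">Report</a>
<img src="https://cdn.example.net/logo.png">
</article>"""
```

Run `audit_media` on the saved HTML of each protected page; every URL in the first list is a file a non-member can fetch directly.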