Do regular users participants need access to the WordPress dashboard?
-
I’ve restricted access to /wp-admin using .htaccess file within the /wp-admin directory.
I have a forum with BuddyPress + bbPress installed.
All forum users receive the default subscriber/participant roles upon registration.
Visitors not logged on are free to roam the forum (no posting though). But logged-in users are asked for the username/password that is set for site admin (for /wp-admin, specifically) immediately after accessing a forum or a topic.
How can I stop WP asking regular forum users for username/password set for /wp-admin?
I can provide url to site, a test user credentials and the content of .htaccess file.
Thank you.
T.
-
You need to make an exception for
wp-admin/admin-ajax.php
@mzaweb Thank you Daniel, but I don’t meet the requirements listed at the beginning, to understand the “AJAX_in_Plugins” :=) (I have read it anyway, why not?).
Isn’t there any other simpler way to make an exception, as adding an “exception” line in .htaccess, or something like this?
I thought that’s a common problem with a common solution as bbpress has been around for a while and protecting /wp-admin isn’t new either.
Thanks.
UPDATE:
I’ve added this to .htaccess and apparently the problem is gone, for now:
<Files "admin-ajax.php">
Satisfy any
Order allow,deny
Allow from all
</Files>
I found it here: https://wordpress.org/support/topic/plugin-ajax-event-calendar-aec-htaccess-and-admin-ajaxphp?replies=2
Update to update: the problem is not fixed. Mea culpa.
Does anyone have a solution to this?
Can you post your full .htaccess?
Yes, sure
`
AuthType Basic
AuthName "wp-admin"
require valid-user
AuthUserFile "/home/vssracin/.htpasswds/public_html/vssracing/wp-admin/passwd"
<Files "admin-ajax.php">
Satisfy any
Order allow,deny
Allow from all
</Files>
`
Optionally you can restrict access through functions.php using a function with !current_user_can( 'publish_pages' ) and add_action( 'admin_init', 'no_admin_access', 1 )
@xmasons If I knew how to do this.. 😀
Here’s what I have in my functions.php file to keep people who shouldn’t have access to WP admin pages.
`
// Redirect users who cannot publish pages away from wp-admin.
function no_admin_access()
{
    if ( !current_user_can( 'publish_pages' ) ) {
        wp_redirect( home_url() );
        die();
    }
}
add_action( 'admin_init', 'no_admin_access', 1 );
`
@xmasons Thank you.
I added it at the end of functions.php (infocus-buddypress theme). Unfortunately no change.
But now I know that it is something in wp-login.php; although wp-login is not in the /wp-admin folder, when I press the ‘Log in’ button (without even typing something in the username or password fields) it immediately asks for the /wp-admin password set in the .htaccess.
I use the bbPress Login widget on the forum’s left sidebar.
edit: I tried to remove all the widgets, unsuccessfully (because I noticed the “Lost Password” link refers to /wp-admin).
P.S. I deactivated all plugins except for bbpress. No change.
Hi again,
I still have this problem. Because I deactivated all other plugins and the problem persists, my conclusion is that it’s a bbPress issue.
So, my question goes to someone from bbPress: do authenticated forum visitors (participants) need access to /wp-admin directory in order to browse topics and posts?
Thank you for any answer.
I don’t think people need access to /wp-admin to browse the site.
I keep everyone except logged-in admins from accessing wp-admin (popping them back to the homepage) by using the following in my functions.php
`
// don't allow users to go wp-admin
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
        ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}
`
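A combined variant of the two functions.php snippets in this thread, as an added example that is not code from any poster or from bbPress: it keeps the AJAX exemption, checks a capability instead of a role name, and goes a little further by also exempting admin-post.php and hiding the toolbar. The `example_` function names and the choice of `manage_options` are assumptions.

```php
<?php
// Added example for a theme's functions.php. The example_ names and the
// chosen capability are assumptions, not code from the thread.

/** Capability a user must hold to load wp-admin screens (assumed choice). */
function example_admin_capability() {
    return 'manage_options';
}

/**
 * Send logged-in users without the capability back to the front end.
 * Hooked on admin_init, which also fires for admin-ajax.php and
 * admin-post.php, so both endpoints are exempted explicitly: plugins
 * call them from front-end pages on behalf of ordinary members.
 */
function example_block_dashboard() {
    if ( wp_doing_ajax() ) {
        return; // admin-ajax.php request (WordPress 4.7+; older: DOING_AJAX).
    }
    if ( isset( $GLOBALS['pagenow'] ) && 'admin-post.php' === $GLOBALS['pagenow'] ) {
        return; // Front-end form handlers posting to admin-post.php.
    }
    if ( current_user_can( example_admin_capability() ) ) {
        return; // Privileged user: let the admin screen load.
    }
    wp_safe_redirect( home_url() );
    exit; // Stop before any admin screen renders.
}
add_action( 'admin_init', 'example_block_dashboard', 1 );

/** Hide the toolbar, with its dashboard links, from the same users. */
function example_hide_toolbar( $show ) {
    return current_user_can( example_admin_capability() ) ? $show : false;
}
add_filter( 'show_admin_bar', 'example_hide_toolbar' );
```

This check runs inside WordPress after login, so it controls which logged-in users see the dashboard; it does not put a second password in front of /wp-admin the way the .htaccess rule does.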