Do regular users participants need access to the WordPress dashboard?

Viewing 13 replies - 1 through 13 (of 13 total)
  • @mzaweb

    Member

    You need to make an exception for

    wp-admin/admin-ajax.php

    See https://codex.wordpress.org/AJAX_in_Plugins

    @tibmix

    Participant

    @mzaweb Thank you Daniel, but I don’t meet the requirements listed at the beginning, to understand the “AJAX_in_Plugins” :=) (I have read it anyway, why not?).
    Isn’t there any other simpler way to make an exception, such as adding an “exception” line in .htaccess, or something like this?
    I thought that’s a common problem with a common solution as bbpress has been around for a while and protecting /wp-admin isn’t new either.
    Thanks.

    @tibmix

    Participant

    UPDATE:
    I’ve added this to .htaccess and apparently the problem is gone, for now:
    <Files "admin-ajax.php">
    Satisfy any
    Order allow,deny
    Allow from all
    </Files>
    I found it here: https://wordpress.org/support/topic/plugin-ajax-event-calendar-aec-htaccess-and-admin-ajaxphp?replies=2

    @tibmix

    Participant

    Update to update: the problem is not fixed. Mea culpa.
    Does anyone have a solution to this?

    @mzaweb

    Member

    Can you post your full .htaccess?

    @tibmix

    Participant

    Yes, sure

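    `
    # Require HTTP Basic authentication for everything under wp-admin
    AuthType Basic
    AuthName "wp-admin"
    require valid-user
    AuthUserFile "/home/vssracin/.htpasswds/public_html/vssracing/wp-admin/passwd"
    # Exempt admin-ajax.php from the password prompt
    <Files "admin-ajax.php">
    Satisfy any
    Order allow,deny
    Allow from all
    </Files>
    `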
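
An added example, not part of the original post: a small Python check for a wp-admin/.htaccess like the one above. It flags typographic quotes and malformed `<Files>` tags, and confirms that an exemption for admin-ajax.php is present (`Satisfy any` in Apache 2.2 syntax, `Require all granted` in 2.4). The sample file, the function name and `/path/to/passwd` are constructed for illustration.

```python
import re

# Constructed sample: a wp-admin/.htaccess as it can look after being copied from
# a rendered web page (typographic quotes, <Files> tags missing "<"); placeholder path.
BROKEN = """AuthType Basic
AuthName “wp-admin”
AuthUserFile “/path/to/passwd”
Require valid-user
Files “admin-ajax.php”>
Satisfy any
Order allow,deny
Allow from all
/Files>
"""
# The same constructed file with straight quotes and well-formed tags.
FIXED = (BROKEN.replace("“", '"').replace("”", '"')
         .replace('Files "', '<Files "').replace("/Files>", "</Files>"))

OPEN = re.compile(r'^<Files\s+"?([^">]+)"?\s*>$', re.I)
# Directives that lift the password requirement inside a section:
# "Satisfy any" (Apache 2.2 syntax) or "Require all granted" (2.4 syntax).
GRANT = re.compile(r"^(satisfy\s+any|require\s+all\s+granted)$", re.I)
SMART = re.compile("[\u2018\u2019\u201c\u201d]")

def lint_htaccess(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, section, granted = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if SMART.search(line):
            findings.append(f"line {n}: typographic quote, Apache reads it as a literal character")
        m = OPEN.match(line)
        if m:
            section = m.group(1)          # file name the section applies to
        elif line.lower() == "</files>":
            section = None
        elif re.match(r"^/?files\b", line, re.I):
            findings.append(f"line {n}: malformed <Files> tag")
        elif section == "admin-ajax.php" and GRANT.match(line):
            granted = True
    if section is not None:
        findings.append("unclosed <Files> section")
    if not granted:
        findings.append("no effective exemption for admin-ajax.php")
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_htaccess(text) or "OK")
```

The check only reads the file; whether the server honours it still depends on `AllowOverride` and on which access-control modules are loaded.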

    @xmasons

    Participant

    Optionally you can restrict access through functions.php using a function with !current_user_can( 'publish_pages' ) and add_action( 'admin_init', 'no_admin_access', 1 )

    @tibmix

    Participant

    @xmasons If I knew how to do this.. 😀

    @xmasons

    Participant

    Here’s what I have in my functions.php file to keep people who shouldn’t have access to WP admin pages.

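    `
    // Redirect anyone who cannot publish pages away from the WP admin pages.
    function no_admin_access()
    {
        if ( !current_user_can( 'publish_pages' ) ) {
            wp_redirect( home_url() );
            die();
        }
    }
    // Priority 1 runs the check early in admin_init.
    add_action( 'admin_init', 'no_admin_access', 1 );
    `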

    @tibmix

    Participant

    @xmasons Thank you.

    I added it at the end of functions.php (infocus-buddypress theme). Unfortunately no change.

    But now I know that it is something in wp-login.php; although wp-login is not in the /wp-admin folder, when I press the ‘Log in’ button (without even typing something in the username or password fields) it immediately asks for the /wp-admin password set in the .htaccess.

    I use the bbPress Login widget on the forum’s left sidebar.

    edit: I tried to remove all the widgets, unsuccessfully (because I noticed the “Lost Password” link refers to /wp-admin).

    @tibmix

    Participant

    P.S. I deactivated all plugins except for bbpress. No change.

    @tibmix

    Participant

    Hi again,

    I still have this problem. Because I deactivated all other plugins and the problem persists, my conclusion is that it’s a bbPress issue.

    So, my question goes to someone from bbPress: do authenticated forum visitors (participants) need access to /wp-admin directory in order to browse topics and posts?

    Thank you for any answer.

    @tharsheblows

    Participant

    I don’t think people need access to /wp-admin to browse the site.

    I keep everyone except logged-in admins from accessing wp-admin (popping them back to the homepage) by using the following in my functions.php

    //don't allow users to go wp-admin
    add_action( 'init', 'blockusers_init' );
    function blockusers_init() {
        if ( is_admin() && ! current_user_can( 'administrator' ) &&
           ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
            wp_redirect( home_url() );
            exit;
        }
    }