[tibmix]

I’ve restricted access to /wp-admin using .htaccess file within the /wp-admin directory.
I have a forum with BuddyPress + bbPress installed.
All forum users receive the default subscriber/participant roles upon registration.
Visitors not logged on are free to roam the forum (no posting though).

But logged-in users are asked for the username/password that is set for site admin (for /wp-admin, specifically) immediately after accessing a forum or a topic.

How can I stop WP asking regular forum users for username/password set for /wp-admin?

I can provide url to site, a test user credentials and the content of .htaccess file.
Thank you.
T.

[Daniel Dvorkin]

You need to make an exception for

wp-admin/admin-ajax.php

See https://codex.wordpress.org/AJAX_in_Plugins

[tibmix]

@mzaweb Thank you Daniel, but I don’t meet the requirements listed at the beginning, to understand the “AJAX_in_Plugins” :=) (I have read it anyway, why not?).
Isn’t there any other simpler way to make an exception, as adding an “exception” line in .htaccess, or something like this?
I thought that’s a common problem with a common solution as bbpress has been around for a while and protecting /wp-admin isn’t new either.
Thanks.

[tibmix]

UPDATE:
I’ve added this to .htaccess and apparently the problem is gone, for now:
<Files "admin-ajax.php"
Satisfy any
Order allow,deny
Allow from all
</Files
I found it here: https://wordpress.org/support/topic/plugin-ajax-event-calendar-aec-htaccess-and-admin-ajaxphp?replies=2

[tibmix]

Update to update: the problem is not fixed. Mea culpa.
Does anyone have a solution to this?

[Daniel Dvorkin]

Can you post your full .httaccess?

[tibmix]

Yes, sure

`
AuthType Basic
AuthName “wp-admin”
require valid-user
AuthUserFile “/home/vssracin/.htpasswds/public_html/vssracing/wp-admin/passwd”
Files “admin-ajax.php”>
Satisfy any
Order allow,deny
Allow from all
/Files>
`

[xmasons]

Optionally you can restrict access through functions.php using a function with !current_user_can( ‘publish_pages’ ) and add_action( ‘admin_init’, ‘no_admin_access’, 1 )

[tibmix]

@xmasons If I knew how to do this.. 😀

[xmasons]

Here’s what I have in my functions.php file to keep people who shouldn’t have access to WP admin pages.

`
function no_admin_access()
{
if ( !current_user_can( ‘publish_pages’ ) ) {
wp_redirect( home_url() );
die();
}
}
add_action( ‘admin_init’, ‘no_admin_access’, 1 );
`

[tibmix]

@xmasons Thank you.

I added it at the end of functions.php (infocus-buddypress theme). Unfortunately no change.

But now I know that it is something in wp-login.php; although wp-login is not in the /wp-admin folder, when I press the ‘Log in’ button (without even typing something in the username or password fields) immediately is asking for the /wp-admin password set in the .htaccess.

I use the bbPress Login widget on the forum’s left sidebar.

edit: I tried to remove all the widgets, unsuccessfully (because I noticed the “Lost Password” link refers to /wp-admin).

[tibmix]

P.S. I deactivated all plugins except for bbpress. No change.

[tibmix]

Hi again,

I still have this problem. Because I deactivated all other plugins and the problem persists, my conclusion is that it’s an bbPress issue.

So, my question goes to someone from bbPress: do authenticated forum visitors (participants) need access to /wp-admin directory in order to browse topics and posts?

Thank you for any answer.

[tharsheblows]

I don’t think people need access to /wp-admin to browse the site.

I keep everyone except logged-in admins from accessing wp-admin (popping them back to the homepage) by using the following in my functions.php

//don't allow users to go wp-admin
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
       ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}