Block access to wp-admin and wp-login.php

  • Resolved gamicord

    (@gamicord)


    2 years, 9 months ago

    Hello Sir,

    I want to Block all access to Wp-Admin and Wp-Login.php Pages from all members who are not site Admins.

    And I don’t want to use any plugin for this.

    The flow is that, even if people deliberately type “mydomain.com/wp-admin” or they deliberately type “mydomain.com/wp-login.php” , it should immediately and instantly redirect them to the Login or Register Pages that I have created– and they should never see the “wp- admin or “wp-login.php” Page.

    I have this Code:

    //Redirect WP Login Page
add_filter( 'login_url', 'my_login_page', 10, 3 );
function my_login_page( $login_url, $redirect, $force_reauth ) {
    return home_url( '/my-login-page/?redirect_to=' . $redirect );
}

    It works in a way that, if you try to access “mydomain.com/wp-admin“, it functions well and redirects you to my specified Login Page.

    But if you deliberately type “mydomain.com/wp-login.php“, it still loads the wp-login.php Page.

    This means that my code is still insufficient to block access to Wp-Admin and Wp-Login.php Pages.

    Then I applied this second code:

    unction custom_login_redirect() {
    // Check if the current URL contains "/wp-admin" or "/wp-login.php"
    if (strpos($_SERVER['REQUEST_URI'], '/wp-admin') !== false || strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
        // Redirect to your custom login or registration page
        wp_redirect(home_url('/your-custom-login-page')); // Replace with the actual URL of your custom login page
        exit();
    }
}
add_action('init', 'custom_login_redirect');

    This code works. But it works in a very terrible way.

    I am logged in, before I inserted the code. The page slug I want users directed to, is the “my-account” Page.

    When I click Logout, it doesn’t log me out. It continues to keep me fixed and Logged in, inside the “My-Account” Page.

    2.) When I first inserted it through functions.php, it told me that it couldn’t find a way to check with server.

    See the message and error report here— https://prnt.sc/NRJy0NgPtZWz

    from all indications, it is clear that I have 2 Code snippets, but they don’t function well.

    Please, can you help with a better PHP Code Snippet that can help me totally block all access to wp-admin and wp-login.php together?

    Regards.

Viewing 1 replies (of 1 total)
  • Plugin Author Mircea Sandu

    (@gripgrip)

    2 years, 9 months ago

    Hi @gamicord,

    First of all I wanted to mention you should be extra careful when implementing such snippets as you can end up locking yourself out of the admin. If that happens please try using the WPCode Safe Mode to regain access to the admin as explained in this article: https://wpcode.com/docs/php-error-handling-safe-mode/

    Now, for the code, if you have a “my-account” page set up you should be able to use the following code:

    add_action( 'init', function () {
	global $pagenow;
	if ( 'wp-login.php' === $pagenow && ! is_user_logged_in() ) {
		wp_safe_redirect( home_url( 'my-account' ) );
		exit();
	}
	// Prevent access to admin if not an admin.
	if ( is_admin() && ! current_user_can( 'manage_options' ) ) {
		wp_safe_redirect( home_url( 'my-account' ) );
		exit;
	}
} );

    This should prevent any user that is not an admin from accessing any admin URL and if they try to access wp-login.php directly it will redirect them to the my-account page. It also makes sure if you are logged-in you can access wp-login.php since that is needed for the logout link to work.

    All that’s left is to make sure that your “my-account” page handles showing the login form or redirecting to the login page correctly.

Viewing 1 replies (of 1 total)

The topic ‘Block access to wp-admin and wp-login.php’ is closed to new replies.