外掛說明

A lightweight plugin that forces login for backend access in a headless WordPress setup. Keeps your WordPress dashboard private while allowing your front end (e.g. Astro, Next.js) to pull content via GraphQL/REST.

What it does

Requires authentication for /wp-admin/ and other backend pages
Always allows the login page to avoid redirect loops
Leaves key endpoints open for headless use:
- /wp-json/ (REST API)
- /graphql (WPGraphQL)
- /wp-admin/admin-ajax.php (AJAX)
- /wp-cron.php (cron)
- /robots.txt
- /sitemap*.xml (sitemaps and indexes)
- /wp-content/uploads/* (media)
- /favicon.ico
- /newrelic (New Relic monitoring)
Logged-in users visiting the backend root get redirected to the dashboard
Works with Bedrock layouts (handles root path vs /wp/)

Use case

WordPress is the content backend
Public site is built with Astro/Next.js/etc
Editors log in to WordPress. Visitors never see the backend
Front end builds and live pages can still query GraphQL/REST without authentication

Customization

Developers can customize allowed endpoints using the force_login_allowed_patterns filter:

add_filter('force_login_allowed_patterns', function($patterns) {
    $patterns[] = '#^/healthz$#';           // custom health check
    $patterns[] = '#^/status$#';            // uptime checks
    $patterns[] = '#^/wp-json/acf/v3/.*#';  // specific REST namespace
    return $patterns;
});

安裝方式

Upload the plugin files to the /wp-content/plugins/force-login directory, or install the plugin through the WordPress plugins screen directly.
Activate the plugin through the ‘Plugins’ screen in WordPress.
The plugin will automatically start protecting your backend – no configuration needed!

常見問題集

I’m locked out! How do I access my site?: Visit /wp-login.php directly to sign in. The plugin always allows access to the login page.
My front-end requests are failing. What should I do?: Verify the endpoint is on the allow list. Check the plugin description for the default allowed patterns, or use the force_login_allowed_patterns filter to add custom endpoints.
Does this work with Bedrock?: Yes! The plugin correctly handles both standard WordPress installs and Bedrock layouts where the site URL and home URL may differ.
Can I add custom endpoints?: Yes, use the force_login_allowed_patterns filter to add your own regex patterns for additional endpoints that should remain public.

使用者評論

這個外掛目前沒有任何使用者評論。

參與者及開發者

以下人員參與了開源軟體〈Headless Login Guard〉的開發相關工作。

Andrew Wilkinson

將〈Headless Login Guard〉外掛本地化為台灣繁體中文版

對開發相關資訊感興趣？

任何人均可瀏覽程式碼、查看 SVN 存放庫，或透過 RSS 訂閱開發記錄。

變更記錄

1.0.1

Added: New Relic monitoring endpoint allowlist pattern (/newrelic) to support APM monitoring
Added: WordPress.org plugin directory compatibility
Added: Proper plugin structure with activation/deactivation hooks
Added: Filter hook for customizing allowed patterns
Improved: Code organization and documentation

1.0.0

Initial release
Restricts backend (/wp-admin/) to authenticated users
Allows GraphQL and REST API endpoints for headless front-ends
Basic whitelist of essential endpoints (cron, ajax, robots.txt, sitemaps, uploads)

外掛說明

What it does

Use case

Customization

安裝方式

常見問題集

I’m locked out! How do I access my site?

My front-end requests are failing. What should I do?

Does this work with Bedrock?

Can I add custom endpoints?