Àpèjúwe
A lightweight plugin that forces login for backend access in a headless WordPress setup. Keeps your WordPress dashboard private while allowing your front end (e.g. Astro, Next.js) to pull content via GraphQL/REST.
What it does
- Requires authentication for
/wp-admin/and other backend pages - Always allows the login page to avoid redirect loops
- Leaves key endpoints open for headless use:
/wp-json/(REST API)/graphql(WPGraphQL)/wp-admin/admin-ajax.php(AJAX)/wp-cron.php(cron)/robots.txt/sitemap*.xml(sitemaps and indexes)/wp-content/uploads/*(media)/favicon.ico/newrelic(New Relic monitoring)
- Logged-in users visiting the backend root get redirected to the dashboard
- Works with Bedrock layouts (handles root path vs
/wp/)
Use case
- WordPress is the content backend
- Public site is built with Astro/Next.js/etc
- Editors log in to WordPress. Visitors never see the backend
- Front end builds and live pages can still query GraphQL/REST without authentication
Customization
Developers can customize allowed endpoints using the force_login_allowed_patterns filter:
add_filter('force_login_allowed_patterns', function($patterns) {
$patterns[] = '#^/healthz$#'; // custom health check
$patterns[] = '#^/status$#'; // uptime checks
$patterns[] = '#^/wp-json/acf/v3/.*#'; // specific REST namespace
return $patterns;
});
Ìgbéwọlẹ̀
- Upload the plugin files to the
/wp-content/plugins/force-logindirectory, or install the plugin through the WordPress plugins screen directly. - Activate the plugin through the ‘Plugins’ screen in WordPress.
- The plugin will automatically start protecting your backend Ìtumọ̀ Yorùbá: – no configuration needed!
FAQ
-
IÌtumọ̀ Yorùbá: ’m locked out! How do I access my site?
-
Visit
/wp-login.phpdirectly to sign in. The plugin always allows access to the login page. -
My front-end requests are failing. What should I do?
-
Verify the endpoint is on the allow list. Check the plugin description for the default allowed patterns, or use the
force_login_allowed_patternsfilter to add custom endpoints. -
Does this work with Bedrock?
-
Yes! The plugin correctly handles both standard WordPress installs and Bedrock layouts where the site URL and home URL may differ.
-
Can I add custom endpoints?
-
Yes, use the
force_login_allowed_patternsfilter to add your own regex patterns for additional endpoints that should remain public.
Àwọn àgbéyẹ̀wò
Kò sí àwọn àgbéyẹ̀wò fún plugin yìí.
Àwọn Olùkópa & Olùgbéejáde
“Headless Login Guard” jẹ́ ètò ìṣàmúlò orísun ṣíṣí sílẹ̀. Àwọn ènìyàn wọ̀nyí ti ṣe ìkópa sí plugin yìí.
Àwọn Olùkópa
Túmọ̀ “Headless Login Guard” sí èdè rẹ.
Ṣe o nífẹ̀ẹ́ sí ìdàgbàsókè?
Ṣàwárí koodu, ṣàyẹ̀wò ibi ìpamọ́ SVN, tàbí ṣe àgbékalẹ̀ sí àkọsílẹ̀ ìdàgbàsókè nípasẹ̀ RSS.
Àkọsílẹ̀ àwọn àyípadà
1.0.1
- Added: New Relic monitoring endpoint allowlist pattern (
/newrelic) to support APM monitoring - Added: WordPress.org plugin directory compatibility
- Added: Proper plugin structure with activation/deactivation hooks
- Added: Filter hook for customizing allowed patterns
- Improved: Code organization and documentation
1.0.0
- Initial release
- Restricts backend (
/wp-admin/) to authenticated users - Allows GraphQL and REST API endpoints for headless front-ends
- Basic whitelist of essential endpoints (cron, ajax, robots.txt, sitemaps, uploads)