I'm using this code to prevent user to access my login page:
global $pagenow;
if ( 'wp-login.php' == $pagenow && ! in_array( ! empty( $_GET['action'] ) ? $_GET['action'] : '', array( 'lostpassword', 'logout', ) ) )
{
global $wp_query;
$wp_query->set_404();
status_header( 404 );
get_template_part( 404 );
exit();
}
It works well and I can't access login page anymore. I also use Simple History plugin to track logs and I still see that someone tries to login my site so many times.
Failed to login with username "*********" (username does not exist) warning
I was wondering why someone can access my login page. Am I missing something in above code?
Related
Someone has asked this question before, but I have tried the code and when I try to log back in via wp-admin I get unexpected error:
PHP Fatal error: Uncaught Error: Call to a member function set_is_vat_exempt() on null
Disable tax for non logged in users
Can someone help me? This is the code, I am not sure what bit is causing the error.
add_action( 'init', 'wc_tax_exempt_unlogged' );
function wc_tax_exempt_unlogged() {
// Getting user data for logged users
if( is_user_logged_in() ){
$current_user = wp_get_current_user();
$current_user_id = $current_user->ID;
$current_user_roles = $current_user->roles;
$bilal_id = 0;
}
// Exempting of VAT non logged users, customers and the main admin ID (you)
if( ! is_user_logged_in() || in_array( 'customer', $current_user_roles ) || $bilal_id == $current_user_id ){
WC()->customer->set_is_vat_exempt(true);
}
}
Thanks
add_action('init','block_non_logged_in_users');
function block_non_logged_in_users(){
if(!is_user_logged_in() && $_SERVER['SCRIPT_URI'] !='https://example.com/wp-login.php'){
die('Not logged in!');
}
}
Is the code above ideal way to turn a WP site into a private company intranet? Where only logged in user can access all pages/full site.
There's more than one way to do this, but I would use the global $pagenow
add_action( 'init', 'block_non_logged_in_users' );
function block_non_logged_in_users() {
global $pagenow;
if ( ! is_user_logged_in() && 'wp-login.php' !== $pagenow ) {
wp_die( __( 'You must be logged in to view this site.', 'textdomain' ), 'Not Logged In' );
}
}
So, I would like to deny users the ability to access the wordpress dashboard. But, I want to allow users to use Front End PM which uses AJAX for sending messages between users.
How can I allow the PMs but deny all access to the dashboard?
The classic functions.php approach:
add_action( 'init', 'my_custom_dashboard_access_handler');
function my_custom_dashboard_access_handler() {
// Check if the current page is an admin page
// && and ensure that this is not an ajax call
if ( is_admin() && !( defined( 'DOING_AJAX' ) && DOING_AJAX ) ){
//Get all capabilities of the current user
$user = get_userdata( get_current_user_id() );
$caps = ( is_object( $user) ) ? array_keys($user->allcaps) : array();
//All capabilities/roles listed here are not able to see the dashboard
$block_access_to = array('subscriber', 'contributor', 'my-custom-role', 'my-custom-capability');
if(array_intersect($block_access_to, $caps)) {
wp_redirect( home_url() );
exit;
}
}
}
Unfortunately, this will redirect from AJAX... thoughts?
If I use User Role Editor... can users access the dashboard?
Essentially, only allow admins to access the dashboard... without limiting AJAX.
You can use
function sm_restrict_admin_with_redirect() {
if( defined('DOING_AJAX') && DOING_AJAX ) {
//Allow ajax calls
return;
}
if( ! current_user_can( "manage_options" ) ) {
//Redirect to main page if the user has no "manage_options" capability
wp_redirect( get_site_url() );
exit;
}
}
add_action( 'admin_init', 'sm_restrict_admin_with_redirect', 1 );
To resolve stupidity with a 3rd-party plugin, I had to give subscriber level users some edit capabilities that I don't want them to actually have. (This does not give them access to edit links, but they could access the edit URL directly if they were clever.) Since my site has only subscriber and administrative users, I can solve the problem by simply amending the capability check in wp-admin/post.php to require an additional capability that subscribers don't have, like so:
if ( ! current_user_can( 'edit_post', $post_id ))
wp_die( __( 'Sorry, you are not allowed to edit this item.' ) );
Becomes:
if ( ! current_user_can( 'edit_post', $post_id ) OR ! current_user_can('edit_pages'))
wp_die( __( 'Sorry, you are not allowed to edit this item.' ) );
This works perfectly, but I know that it will be overwritten and need to be re-done every time Wordpress updates. Is there a way to apply this fix in a more permanent manner via a filter or similar?
You don't need to modify post.php file. Use this code in your functions.php:
add_filter('user_has_cap',function($allcaps,$need_caps, $args) {
if ($_SERVER['SCRIPT_NAME']=='/wp-admin/post.php' && isset($_GET['action']) && $_GET['action']=='edit' && $args[0]=='edit_post' && ! current_user_can('edit_pages')) {
foreach ($need_caps as $cap) {
unset($allcaps[$cap]);
}
}
return $allcaps;
},10,3);
The above comment works.... and so does this, just add either to your functions file.
function authority_check(){
global $pagenow;
if(is_admin() && !current_user_can('manage-capabilities')){
if(in_array($pagenow,array('post.php')) || in_array($pagenow, array('post-new.php'))){
wp_die(__( 'Sorry, you are not allowed to edit this item.'));
}
}
}
add_action('admin_init', 'authority_check');
We have created a site where a user enters a coupon code and it logs them in by creating a cookie by the name of couponid, then we save that cookie to the WooCommerce session because that cookie actually is the category id from which the products are displayed.
Now sometimes the products get displayed, sometimes not, and whenever our custom cookie is set in the browser and we go to /wp-admin to login, it gives us the following error:
Fatal error: Call to a member function get() on a non-object
The above error on the login screen of WordPress is coming from the following function in our functions.php file:
function gfc_insert_coupon_code_to_session(){
if(
is_user_logged_in()
|| ! array_key_exists( 'couponid', $_COOKIE )
|| WC()->session->get( 'couponid', 0 )
){
return;
}
$couponID = esc_attr( $_COOKIE['couponid'] );
if( $couponID ){
WC()->session->set( 'couponid', $couponID );
}
}
add_action( 'woocommerce_init', 'gfc_insert_coupon_code_to_session' );
Try to use:
WC()->session->set( 'couponid', $couponID );
Before calling:
WC()->session->get( 'couponid', 0 )
Test if your are on Back Office, WC()->session isn't set:
if( !is_admin() ) {
The if( !is_admin() ) { ... } fix
did the job for me. I changed the email template and if I tried to resend the email from the backend I received this error. So the admin fix was good.