Comments on: WP Block Admin

By: Callum

Callum — Mon, 09 Jan 2012 09:21:47 +0000

Wow, I had never noticed that before, that’s definitely a bug, thanks for sharing. I’ve updated the plugin to use get_option(‘home’) instead of siteurl. May I credit you with a link in the changelog?

By: Nancy

Nancy — Sun, 08 Jan 2012 23:52:26 +0000

Thanks so much for the plugin! I did make one change because I normally install WordPress in a subdirectory. In the default redirect, I changed

get_option(‘siteurl’)

get_bloginfo(‘url’);

Thanks, again!

By: Callum

Callum — Sun, 13 Nov 2011 10:02:06 +0000

No, not necessarily. It depends on what type of vulnerability is being attacked. If your objective is to increase the security of WordPress, then using basic authentication is the best option. It’s a completely separate layer of security, completely independent of WordPress, that will protect your site from any automated attack against wp-admin. If you’re storing highly sensitive data in WordPress that sophisticated attackers are directly targeting, then you ought to store it elsewhere! However, if your objective is to protect against automated attacks against WordPress, then the basic authentication option will give you a good protection against that.

On the other hand, if WordPress offers sufficient security for your needs, and you simply want to keep regular users out of the wp-admin interface, then the plugin is my recommendation.

By: Websearcher

Websearcher — Sat, 12 Nov 2011 22:07:48 +0000

Hi,

Thank you for your quick answer,

So any attack on any file in /wp-admin/ will be rejected thanks to your plugin and you say it will have almost the same strenght as an htaccess/htpasswd on /wp-admin/ ?

(i read most of attacks were happening on wp-admin)

Thank you !

By: Callum

Callum — Sat, 12 Nov 2011 21:45:48 +0000

PS> As an after thought, given the choice between basic auth and the plugin, I’d choose the plugin because the admin is simpler. Adding new users, removing users, etc is all handled within WordPress.

By: Callum

Callum — Sat, 12 Nov 2011 21:45:01 +0000

If you use the plugin, the only potential access to the wp-admin interface is through an exploit in WordPress. Security is a relative thing, it’s hard to provide absolutes. In my opinion, using basic authentication (htaccess / htpasswd) is probably more “secure” than the plugin, simply because it’s less common, and so much less likely to be exploited. But to be honest, I think either method provides sufficient security for any likely use of a WordPress site. Unless you have the resources to security audit every line of WordPress code, then you’ll only ever be as “secure” as WordPress is.

I would suggest using either the basic authentication or plugin approach, but not both, and I would strongly recommend against renaming the wp-admin folder, I think that will cause serious problems.

By: Websearcher

Websearcher — Sat, 12 Nov 2011 00:59:06 +0000

Hi Callum

First thank you for your great plugin, awesome job !

I have a security question about it :

Till then, i had a htaccess /htpasswd on /wp-admin/

Since i installed your plugin, i removed this htaccess, as now any attempt to acces a file in /wp-admin/ is redirected to the url i specified in wp-block-admin.php

So is it as secure as the htaccess ?

(I will also change the name “wp-admin”)

Thank you for your opinion

By: Callum

Callum — Mon, 09 May 2011 20:34:29 +0000

The plugin itself has no caching and should leave behind no after effects. Without knowing more, I’d guess that something else is redirecting users from wp-admin. I think it’s standard for WordPress to send users to their profile page on login if they’re contributor level users, but I’m not 100% certain.

By: Joseph

Joseph — Mon, 09 May 2011 19:58:10 +0000

Callum, we have installed you WP block admin plugin and left it active for a month or so.Afterwards i have tried changing the functionality to redirect users with user role less than 2, after i realized that evein if i had removed you plugin the wp-admin would still redirect to the profile page. WHere do i find the cache for this functionality, why is this funtionality working even after i have uninstalled your plugin and deleted from the plugin directory, have any reccomendations?

By: ddlg2007

ddlg2007 — Tue, 03 May 2011 23:37:06 +0000

Callum I do not know what can tell you, but I am very grateful for what you’ve done. No one worry so much to help a stranger, I am forever grateful. I hope to help someday. Thanks again and good luck.

By: Callum

Callum — Tue, 03 May 2011 14:28:30 +0000

Yes, this is a trivial code change. I've created a custom version for you. You can download the code here. I've pushed the version number in that version to 9 so you shouldn't be prompted to upgrade.

By: ddlg2007

ddlg2007 — Sun, 01 May 2011 14:06:11 +0000

Hi Callum, thanks for this really great plugin (WP Block Admin). I need a little help.
It would be possible not allow access to wp-admin but yes to wp-admin/profile.php? I tried editing the plugin redirecting, but detect wp-admin and all the time spent redirecting. The reason is that I create a profile.php customized with the plugin (Customize Your Community, is like plugin theme my login) and is good to the user be there but not to wp-admin. Can you say something about this?

By: Lee

Lee — Tue, 18 Jan 2011 12:52:26 +0000

Hey Callum,

Perfect plugin, is exactly what I needed, I’m using 3.0.4 and it works fine!

By: Binoy

Binoy — Sat, 18 Dec 2010 06:37:51 +0000

Seems to be working with 3.0.3, I am running one at Q8Living.com. Thanks Callum. It is a good plugin.

By: Callum

Callum — Wed, 15 Dec 2010 12:29:26 +0000

I don’t see why not, but I’m not sure, I haven’t tested it, I don’t use it personally.

By: peninag

peninag — Tue, 14 Dec 2010 14:44:43 +0000

Is this plugin compatible with wordpress Multisite and/or WP 3.0.3? The last update in the plugin repository was at the beginning of 2010.

By: Callum

Callum — Sat, 24 Jul 2010 15:16:06 +0000

As I read your code, only users who are logged in will be redirected, anyone else who tries to access the admin will be sent to the login page. I’m not sure if that’s sensible or not.

The only other change I see in your code is that users who are already logged in, cannot access wp-login.php. That means that they can’t log out because wp-login.php?action=logout is the url to log out.

Thanks for taking the time to share your changes, I really appreciate it. Are you familiar with the diff and patch tools? They’re a great way to share changes like this. At this time I will reject your changes because I don’t see any benefit and I see some downsides. However, maybe I’ve misread your code, so I’m open to better understanding what you intended.

By: Bandonrandon

Bandonrandon — Sat, 24 Jul 2010 03:59:45 +0000

Hey Callum,

I made some changes to your plugin. I noticed that users were still able to visit wp-login.php even without the proper permissions. I made is to they couldn’t visit either wp-admin or wp-login.php which made an endless loop where you couldn’t get to the login page (oops) I went ahead and wrapped the whole thing in the “is_user_logged_in()” tag. Now, logged in users can’t visit wp-login.php or wp-admin you can see my changes here: http://pastebin.com/xq6x26fn

Feel free to take them or leave them.

By: Classroom Technology Thoughts (Twitter Weekly Updates) for 2010-06-07 | blog.classroomteacher.ca

Mon, 07 Jun 2010 06:57:19 +0000

[...] plugin to prevent students from seeing admin backend (based on user role) http://www.callum-macdonald.com/code/wp-block-admin/ # Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on [...]

By: Callum

Callum — Tue, 11 May 2010 16:53:46 +0000

That is possible. It might also be possible to simply rename wp-login.php with one or two clever tricks.

Personally, I wrote this plugin for hire years ago. I don’t use it personally and don’t really support it. I don’t have any desire to write new code or expand functionality. I’ve fixed one or two issues as they arose, made slight improvements to the plugin, but I’m not open to major changes. You may be able to find somebody on RentaCoder.com to add the functionality you’re looking for. That’s where I got my start in professional WordPress stuff, there seemed to be a lot of other developers familiar with WordPress on there.

By: john

john — Tue, 11 May 2010 16:48:31 +0000

I guess you’re right.

But,

maybe the plugin could set up a new page that will handle just the redirection? For example, if the user is not logged in, then we show a special login page on which he can input his data, then after the data is recognized it’s sent to wp-login.php and redirection doesn’t occur. Well, at least that’s something I thought of.

I think that this special login page doesn’t really have to be that complicated. I think we need to find a way to show wp-login.php or /wp-admin/ (if the user is not logged in) only if called from that special page.

What do you think?

By: Callum

Callum — Tue, 11 May 2010 16:41:14 +0000

If you direct non-logged in users from wp-login.php and wp-admin/ then you’ll never be able to login once you are logged out. That would completely break the admin unless you’re using some completely different login method. If you are, I would suggest replacing the contents of wp-login.php with something like . That will redirect all attempts to access wp-login.php to another page. However, you can’t easily redirect everything in wp-admin/ because some files are necessary for the operation of WordPress.

By: john

john — Tue, 11 May 2010 11:19:51 +0000

hey callun

the plugin works great but only if a user is logged in. how can i redirect non-logged in users from accessing wp-admin or wp-login.php?

By: chorng

chorng — Wed, 05 May 2010 22:47:21 +0000

thanks for the plugin ! work like a charm

By: peter ng

peter ng — Wed, 28 Apr 2010 22:50:49 +0000

awesome, new plugin seems to work great even in wordpress 3.0

By: Kimmo

Kimmo — Fri, 09 Apr 2010 06:46:49 +0000

Yes, it seems to be working now! Thank you very much for your efforts!

I’m not familiar with php, so that leaves me a bit clueless in matters such as these. But it’s great there are more knowledgeable people around! Thanks!

By: Clayton Narcis

Clayton Narcis — Fri, 09 Apr 2010 04:32:49 +0000

No worries. Thanks!

By: Callum

Callum — Fri, 09 Apr 2010 03:26:44 +0000

Great, thanks for the confirmation. I think that’s because of a bug I introduced in 0.2.1. I’ve just pushed out version 0.2.2, the code is in SVN, it should hit wordpress.org shortly. I recommend immediate upgrade from 0.2.1 because of the bug. The issue was because I replaced quotes with backticks which produced an error about dividing by zero on some servers.

By: Clayton Narcis

Clayton Narcis — Fri, 09 Apr 2010 03:11:52 +0000

Yup, it works.

As for the mention problem edit.php, after flushing the cookie and browser cache, it was working already

Btw,
whenever i open your file, something happens to the encoding, nothing big. Here’s a sample

if (strpos(strtolower($_SERVER['REQUEST_URI']),‚Äô/wp-admin/‚Äô) !== false

Note the ‚Äô

By: Callum

Callum — Thu, 08 Apr 2010 22:32:20 +0000

Apologies, I didn’t actually make that fix before I sent you the file. I’m sending a new version now, hopefully this one works. I just tested on my server and it has cleared up the error for me.

By: Kimmo

Kimmo — Thu, 08 Apr 2010 19:53:57 +0000

Hi Callum! Sry, but it didn’t help. I get the same error:

Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

By: Callum

Callum — Thu, 08 Apr 2010 19:41:53 +0000

I’m sending you a slightly modified version now. Hopefully it allows requests to admin-ajax.php. Can you test and report back?

If the user logs in and tries to access an admin url directly, the plugin should redirect them. Are you seeing a problem with this?

By: Callum

Callum — Thu, 08 Apr 2010 19:39:21 +0000

Apologies for the error. I’m sending you a slightly modified version of the plugin now. I think the quotes are wrong on line 52. If you can test and report back, I’ll push out the update as soon as possible.

By: Kimmo

Kimmo — Wed, 07 Apr 2010 13:24:15 +0000

I started using WP Block Admin only yesterday. Today I was prompted to upgrade to version 0.2.1 I did, but this creates havoc on my blog.

I get the following messages on the admin area and the site:

Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

Warning: Cannot modify header information – headers already sent by (output started at /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php:52) in /var/www/fs2/24/gradutak/public_html/wp-includes/pluggable.php on line 868

Is there anything that could be done?

By: Clayton Narcis

Clayton Narcis — Wed, 07 Apr 2010 10:48:51 +0000

This breaks any ajax calls to admin-ajax.php. Any workaround?

And if the user logins in, they will still be able to access by placing the entire url such as myblog.com/wp-admin/edit.php

By: Callum

Callum — Tue, 06 Apr 2010 21:07:35 +0000

Awesome, thanks for the fix Sam. I’ve committed it, I’ll notify Peter and see if it fixes his issue.

By: Sam hermans

Sam hermans — Sun, 04 Apr 2010 22:43:01 +0000

Okay, Here goes:
Line 51:
————
// Is this the admin interface? / ignore upload requests
if (strpos(strtolower($_SERVER['REQUEST_URI']),’/wp-admin/’) !== false && strpos(strtolower($_SERVER['REQUEST_URI']),’async-upload.php’) == false) {
————

Strpos may not be the way to go here, but i’m going with the flow …

Sam Hermans
Http://www.greeenfudge.org

By: Sam hermans

Sam hermans — Sun, 04 Apr 2010 22:36:07 +0000

I’m having the same issue with the image uploader, looking into it as we speak and i will hopefully be able to provide a solution soon

By: Callum

Callum — Sun, 01 Nov 2009 23:07:21 +0000

I don’t think I’ve ever replied to your question, apologies.

If you’re still having the issue, you can edit line 18. It’s clearly marked in the code.

By: Callum

Callum — Sun, 01 Nov 2009 23:05:38 +0000

I’m not sure what causes the issues with the image uploader. I wrote this plugin for somebody else and haven’t used or tested it since. If you’re able to find the problem and would like to submit a patch, please do. If you’d like to take over the maintenance of the code give me a holler.

By: Peter Ng

Peter Ng — Sun, 01 Nov 2009 11:08:38 +0000

Hrmm i’m on 2.9 and still having the same 2.8 issues with the http error upon uploading an image. Substituting is_admin does not fix this problem. Something to do with the wp_redirect?

By: Dusty

Dusty — Tue, 13 Oct 2009 14:04:08 +0000

THANK YOU!

I was searching for hours for a plugin like this one!

I was just looking for the wrong thing, but thanks, now I have it, it works like a charm!

By: Callum

Callum — Mon, 17 Aug 2009 17:42:53 +0000

You want to redirect subscribers but nobody else. Is that correct?

You can edit line 18 of the plugin. Choose a new capability. Looking at this list, contributors have “edit_posts” and “delete_posts” capabilities while subscribers don’t. I’d guess either of those would work, if I’ve understood what you want correctly. Please share your solution back here for others.

By: Kate

Kate — Mon, 17 Aug 2009 04:07:01 +0000

Hey there,
Great plugin!
I am a bit of a newbie, so don’t want to play around too much in case i break something (i have the horrible wordpress version 2.8 and it’s very tempremental, so much so in fact it won’t let me upgrade!!)
Anyway, back to the point. Can you please let me know what code I need to put in and where to make this only redirect subscribers? Sorry I have done a bit of googling to try and find the answer to this but there doesn’t seem to be one.
thanks again!

By: Anthony

Anthony — Wed, 08 Jul 2009 20:31:16 +0000

Ok, So I switch the commented lines and then what would be a code I would use to add in each capability to block?

By: Callum

Callum — Wed, 08 Jul 2009 20:28:18 +0000

You can use the plugin as a starting point then modify it to your own requirements.

By: Anthony

Anthony — Wed, 08 Jul 2009 20:17:53 +0000

Hi, is there any way I can use this for WPMU but not completely block my users? I saw your first suggestion but I do not have buddypress so I do need to give my users some access for the standard menus and for some menus that my addons created. Im not sure how the first poster had blogs defaulted to author users but my users are Admins.

By: andy

andy — Fri, 12 Jun 2009 19:47:53 +0000

No – still no luck. Can’t really see why though unless the WP guys have screwed up the capabilities check for image uploading….

By: Callum

Callum — Fri, 12 Jun 2009 17:46:16 +0000

@andy: Try changing line 51 from: if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) { to: if (is_admin()) { Does that resolve the issues with 2.8? I don't use the plugin personally so I don't test it. Are you interested in taking over the maintenance of the code? If that change works for you (it worked for somebody else recently), I'll make the change and push out a new version.

By: andy

andy — Fri, 12 Jun 2009 10:43:54 +0000

I admit that I have not had a chance yet to look at the code yet (busy morning) but we have been recommending this plugin to users of our forum plugin and with our latest release added the technique as an option. Are you aware that (at least using WP2.8) it disables the use of the flash uploader?

By: Caciano

Caciano — Thu, 04 Jun 2009 16:05:49 +0000

Thanks Callum, now it works perfectly!

By: Callum

Callum — Wed, 03 Jun 2009 19:45:43 +0000

@Caciano: Aha. It sounds like that form is in /wp-admin/ even though it is used on the front end. Interesting. Try changing line 51, which is currently: if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) { to this: if (is_admin()) { If that works for you, I'll probably change the plugin to use that method.

By: Caciano

Caciano — Wed, 03 Jun 2009 14:55:38 +0000

Hi Callum,

Greeeeat plugin,

But I have some issues with the upload page, every time I send a file the frame with the forms (Legend, Title, Description etc) the iframe redirect to the home. I using de WP 2.7.1 …

The upload works nice, just this redirect is a little inconvenience…

Any idea why this happens?

Thanks!

By: Malcolm

Malcolm — Mon, 11 May 2009 22:42:00 +0000

You can login to the site (http://ca-bankruptcylaw.com) if you want with the following ID and password if you want to see it in action:

ID: eastmont1 PW: 123

By: Malcolm

Malcolm — Mon, 11 May 2009 22:39:58 +0000

It’s working perfectly now. But here’s the code if you want to take a look:

< ?php global $wpba_required_capability;
if (current_user_can($wpba_required_capability))
wp_register();
?>

By: Callum

Callum — Mon, 11 May 2009 21:53:05 +0000

Malcolm: I'm surprised you need to setup $wpba_required_capability. Are you calling it within a function maybe? You could try making it global, that might do the trick. I'd guess that all the plugins are loaded (and so $wpba_required_capability is setup) before the theme loop starts, but I might be wrong.

By: Malcolm

Malcolm — Mon, 11 May 2009 21:44:55 +0000

Yep, that worked after I realized I needed to add the setup for $wpba_required_capability Now the Site Admin link doesn’t appear unless it’s functional.

Thanks for the help and for the great plugin!

By: Malcolm

Malcolm — Mon, 11 May 2009 21:09:10 +0000

Thanks! I’ll give that a try and report back.

By: Callum

Callum — Mon, 11 May 2009 21:02:00 +0000

@Malcolm: You could use the same test as in the plugin itself. if (!current_user_can($wpba_required_capability))

By: Malcolm

Malcolm — Sun, 10 May 2009 03:41:22 +0000

Thanks. If I’d get rid of that link n the theme, I’d want to condition that getting-rid-of on your plugin having deactivated the link (or redirecting it, whatever you do). Can you think of a test I could make?