Here is a summary of the problem and required solution: Access to mywebsite.com/wp-admin is blocked for subscribers [which is good]. However, if I enter the link manually in the browser as follows: https://mywebsite.com/wp-admin/user-edit.php?user_id=113 then the user has access to his user settings. The problem with that is that they can then create an API key (through the application passwords plugin, which is accessible from that page). This is undesirable as I don't want the users to have API keys where they can fetch/post …
Apparently it seems the WordPress REST-API cannot work with restricted authorizations. When I change the default Allow All Users / this: to a restricting AD group and remove the All Users (obviously): which creates this web.config: <system.webServer> <security> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" roles="DOMAIN\Test-Group" /> </authorization> </security> </system.webServer> all seems fine at first glance, but if we go to WP Site Health it reveals these errors: so it seems the WP REST-API cannot operate without anonymous / …
I have a site that I've inherited and my user base is requesting a feature. The page is primarily informational about a non-profit (calendar of events, contact form, etc.) but they'd like to add a page plus some posts that contain information to which only a small group of people have access. This area of the site contains sensitive information (personally identifying but nothing about payments etc.). It's more along the lines of monthly meeting notes from the board of directors. …
I am implementing the REST API with fetch() promises as requests on a Password protected page with a custom table without using a plugin (only using the WP REST API that has been merged into WordPress core - thumbs up WordPress team, that was a smart move, thank you). All worked fine, except I couldn't make the Authorization work in the header of the HTTP request (always passed, even with no JWT or false token, see last step 6.) at …
If user is logged in to site/subsite, and you check this function: require(__DIR__."/wp-load.php"); var_dump(is_user_logged_in()); it returns true. However, if called from outside folder: require(__DIR__."/subfolder/wp-load.php"); var_dump(is_user_logged_in()); It doesn't recognize authorization. What are the acceptable ways to achieve that, without using REST-API? (I doubt it just needs pointing some sub-directory for cookie).
How can I add authentication for rest_do_request()? I am trying to add Authentication for a WP_REST_Request object using rest_do_request(). This is used within a shortcode that is going to be available for both logged in and non logged in users. I'm thinking that the best way would be to use Basic Authorization. In an example I've set up, I've added the following line commented with "Basic Authorization Attempt" which does not appear to have any effect. If it's not possible to add …
I have a Java Web App which contains users. On the other side, I have a WordPress installation. I have a requirement that users from my Java app should also be available in WordPress (in other words: I need to authorize in WordPress users with credentials from my Java App). Since I'm a Java developer and have only very basic knowledge of WordPress I was looking for some appropriate plugin. I did some research and found 2 things: I have found …
I have created a user via the WordPress API, then after registration, I save the user's username and password into the sessionStorage, and then, finally, try to edit the user's profile. Here's my post request data POST /wp-json/wp/v2/users?context=edit HTTP/1.1 Host: something.com Connection: keep-alive Content-Length: 292 Accept: application/json, text/plain, */* Origin: http://localhost:8100 Authorization: Bearer ******************************************************************************************************** User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Content-Type: application/json;charset=UTF-8 Referer: http://localhost:8100/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 POST Body "postData": { "mimeType": "application/json;charset=UTF-8", …
I inherited this WordPress website called RxStudyGuides to use as a study tool for pharmacy students. However, the owner and creator of the website still has their contact information on the website at the bottom of the page and I can't seem to find how to edit that information. It only seems that I can edit the actual content of the website. The creator made me an editor and maybe since I am not the owner of the site I …
I've made a plugin which generates a login form, by using a shortcode. The login works, however, inside the dashboard I've noticed that the form submits don't work properly. For example, the profile update doesn't work, namely, when the Save button is pressed, the page is reloaded, but the changes are not stored into the database. Here is the code: function login_validation( $username, $password ) { global $reg_errors; $reg_errors = new WP_Error; if ( empty( $username ) && !empty( …
I'm curious to know how ifttt.com authenticates supplied WordPress admin login credentials. And after authorization is granted, how does it publish posts on our behalf? I am curious to know what communication protocol it is using.
I have 2 websites http://www.aaa.com and http://www.bbb.com and need them to show the same. Now I put an iframe in index.html and upload to aaa.com. It's OK for the frontend but it doesn't work for the backend, where it shows a blank page. Can anyone suggest how I can solve this problem?
WordPress utilizes cookies for better security, and I've been trying to understand how exactly this could make a WordPress website more secure, and I found this article. There's a pretty decent explanation, but it concerns the 3.9 version, so it's a little bit outdated. I compared the sources of the current WordPress code and from the examples in the article, and there's one thing I can't understand. The cookie looked like this: Set-Cookie: wordpress_urlhash=user|timestamp|hash In that article, the guy …
I would like the posts to be displayed on archive page of custom post - gallery based on author_id i.e. the author_id is passed as permalink variable. The posts displayed on archive page would be only those posts published by author whose author_id is passed. My custom post gallery archive page has the url http://localhost/?post_type=gallery where all the posts posted in the post_type - gallery are listed. function my_custom_gallery() { $gallery_labels = array( 'name' => _x('Gallery', 'post type general name'), …
When I use Android in business I have some secret data on my phone. So if I lose my phone this can easily be stolen. Is there any way I can secure my phone? E.g. adding password for unlocking it. Any recommendations? apps? or best-practice?
I have a few pages of custom posts that I would like to password protect via the following business rules: I can create a number of passwords to access the page; An expiration date can be set for each password; Logged in admins are automatically authenticated/authorized to see the page; Display different content depending on whether the user viewing the page is authenticated/authorized (e.g. if not logged in, display the page with modified content + password field; if logged in, display …
I have to send the success response to ajax if user filled the form fields successfully or not on the client side and redirect to the other page which finalize his authorization at the same time on the server side. Is it possible to implement somehow? What alternatives do I have?
What I want to achieve is: For every request, if the user is not logged in he / she will be redirected to the log in page. If the user is logged in then he / she can access the site. class Auth{ protected static $instance = null; public function checkAuth(){ auth_redirect(); } public static function getInstance() { if (null == self::$instance) { self::$instance = new self; } return self::$instance; } } Having this draft class what is the best …
Is there a way to protect all RSS feeds from my WPMU install without blocking access to the individual posts or pages? Essentially I want anyone to have access to individual pages, but the aggregate list should require an auth code. Anyone have advice or a direction to point me in?
Referring to the docs for add_meta_box, // Check permissions if ( 'page' == $_POST['post_type'] ) { if ( !current_user_can( 'edit_page', $post_id ) ) return; } else { if ( !current_user_can( 'edit_post', $post_id ) ) return; } } If I want to authenticate a user for editing a custom post type "portfolio", do I do something like if ($_POST['post_type'] != 'portfolio' || !current_user_can_for_blog($post_id, 'edit_post')) return;