• Hi there,

    Is it possible to restrict access (denied) for Visitors to pages like:

    /wp-admin/upgrade.php
    /wp-admin/maint/repair.php

    A client had penetration testing done on the site and they want these back-end pages restricted. I tried adding the rule but it didn’t work, so just wondering if this only works on front-end URLs?

    Thanks,
    Michelle

    The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)
  • Plugin Author AAM Plugin

    (@vasyltech)

    @michelledodd thank you for your question.

    First of all, any URL that start with /wp-admin/ cannot be accessed by unauthenticated user. Yes, they can enter URL in browser like https://mywebsite.com/wp-admin/upgrade.php, but that has no harm to your website.

    However, if you’d like to restrict these endpoints or redirect visitors elsewhere, you can actually do this BUT with some additional steps. The challenge with endpoints like /wp-admin/upgrade.php or /wp-admin/maint/repair.php is that when they are triggered, WordPress core does not load any plugins or themes. It skips this step because the above endpoint declare a global constant “WP_INSTALLING” which signals to WordPress core to load only its own core and nothing else.

    The exception is only for the Must-Use Plugins. So, if you really want to protect the above endpoints, follow these additional steps:

    • Create a new folder mu-plugins in /wp-content/ and then create a new file advanced-access-manager.php.
    • Inside this file enter the following code:
    <?php

    /**
    * Copyright (C) Vasyl Martyniuk <[email protected]>
    *
    * This program is free software: you can redistribute it and/or modify
    * it under the terms of the GNU General Public License as published by
    * the Free Software Foundation, either version 3 of the License, or
    * (at your option) any later version.
    *
    * This program is distributed in the hope that it will be useful,
    * but WITHOUT ANY WARRANTY; without even the implied warranty of
    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    * GNU General Public License for more details.
    *
    * You should have received a copy of the GNU General Public License
    * along with this program. If not, see <https://www.gnu.org/licenses/>.
    */

    if (defined('ABSPATH')) {
    require_once WP_PLUGIN_DIR . '/advanced-access-manager/aam.php';
    }

    From this point on, any access rules that you define with URL Access service will be enforced.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.