Viewing 4 replies - 1 through 4 (of 4 total)
  • Anything in the admin area, like the URL that you’ve given there, won’t allow access unless a user is logged in. As the search engine bots can’t be logged in, they won’t ever get access to that page.

    Thread Starter chcw

    (@chcw)

    Hi, @catacaustic

    But based on my test, an anonymous user can access a URL like https://www.sample.com/blogs/wp-admin/admin-post.php?action=myplugin&nocache=123 without any problem; the script will run properly and produce the correct results.

    If that is true, you should add that as a bug in the WordPress Trac system – https://core.trac.www.ads-software.com/

    Moderator bcworkz

    (@bcworkz)

    Callbacks related to actions fired from admin-post.php are responsible for managing appropriate access. The only thing WP does is distinguish between logged in or not logged in by how you use the “nopriv” part of the action hook. If you use the "admin_post_nopriv_{$action}" hook, non-logged in users can access your callback code. If you only use the "admin_post_{$action}" hook, only logged in users can access your code. Your code is still responsible for ensuring the user has proper role capability and ensuring the request is valid by verifying a nonce value.

    admin-post.php essentially does:
    if ( is_user_logged_in() ) do_action( "admin_post_{$action}" );
    thus unless you use the “nopriv” action hook variant, it’s impossible for a non-logged in user to access your callback. If it is happening despite this, you’ve likely integrated your code into admin-post.php improperly.
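
The access pattern described in the reply above, as an added example that is not part of the original thread or of any real plugin: only the logged-in hook is registered, and the callback itself checks capability and nonce. The `myplugin` action name comes from the URL in the thread; the nonce action string, the `manage_options` capability, the option name and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: My Plugin (hypothetical example)
 */

// 'myplugin' is the action from the thread's URL; the nonce action is assumed.
const MYPLUGIN_ACTION = 'myplugin';
const MYPLUGIN_NONCE  = 'myplugin_run';

// Register ONLY the logged-in variant. No "admin_post_nopriv_myplugin" hook is
// added, so requests from visitors who are not logged in (search engine bots
// included) never reach the callback.
add_action( 'admin_post_' . MYPLUGIN_ACTION, 'myplugin_handle_request' );

function myplugin_handle_request() {
    // 1. Being logged in is not enough: require a specific capability
    //    (assumed here to be an administrator-level one).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to run this action.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }

    // 2. Verify the nonce so the request cannot be triggered by a forged link.
    //    check_admin_referer() stops the request if the "_wpnonce" value is
    //    missing or invalid.
    check_admin_referer( MYPLUGIN_NONCE );

    // 3. Only now do the plugin's work (hypothetical option name).
    update_option( 'myplugin_last_run', time() );

    // Send the user back into the admin area instead of leaving a blank page.
    wp_safe_redirect( admin_url() );
    exit;
}

// Build the URL a logged-in user follows; wp_nonce_url() appends "_wpnonce".
function myplugin_action_url() {
    $url = add_query_arg( 'action', MYPLUGIN_ACTION, admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, MYPLUGIN_NONCE );
}
```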

  • The topic ‘Prevent Seach Engine Bot from accessing my plugin’ is closed to new replies.