@michelledodd thank you for your question.
First of all, any URL that starts with `/wp-admin/` cannot be accessed by an unauthenticated user. Yes, they can enter a URL in the browser like https://mywebsite.com/wp-admin/upgrade.php, but that does no harm to your website.
However, if you’d like to restrict these endpoints or redirect visitors elsewhere, you can actually do this BUT with some additional steps. The challenge with endpoints like `/wp-admin/upgrade.php` or `/wp-admin/maint/repair.php` is that when they are triggered, WordPress core does not load any plugins or themes. It skips this step because the above endpoints declare a global constant “WP_INSTALLING” which signals to WordPress core to load only its own core and nothing else.
The exception is only for the Must-Use Plugins. So, if you really want to protect the above endpoints, follow these additional steps:
- Create a new folder `mu-plugins` in `/wp-content/` and then create a new file `advanced-access-manager.php`.
- Inside this file enter the following code:
```php
<?php
/**
 * Copyright (C) Vasyl Martyniuk <[email protected]>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

// Load AAM as a must-use plugin so it also runs on requests where
// WordPress skips regular plugins (WP_INSTALLING is defined).
if (defined('ABSPATH')) {
    require_once WP_PLUGIN_DIR . '/advanced-access-manager/aam.php';
}
```
From this point on, any access rules that you define with the URL Access service will be enforced.
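
A deployment check for the steps above, as an added example that is not part of the original reply or of the AAM plugin. The function name `check_aam_mu_loader` is hypothetical, and the script assumes the default WordPress layout where `WP_PLUGIN_DIR` resolves to `wp-content/plugins`:

```shell
#!/bin/sh
# Added example: verify the must-use loader described in the reply above.
# Assumption: default layout, WP_PLUGIN_DIR = <wp root>/wp-content/plugins.

# check_aam_mu_loader WP_ROOT
# Prints one finding per line; returns 0 only when every check passes.
check_aam_mu_loader() {
    wp_root=$1
    loader="$wp_root/wp-content/mu-plugins/advanced-access-manager.php"
    target="$wp_root/wp-content/plugins/advanced-access-manager/aam.php"
    rc=0

    # WordPress only auto-loads PHP files at the top level of mu-plugins/,
    # so the loader must be exactly at this path, not in a subfolder.
    if [ ! -f "$loader" ]; then
        echo "FAIL: loader missing: $loader"
        return 1
    fi

    # require_once on a missing file is a fatal error, and a must-use plugin
    # runs on every request: removing AAM without removing the loader
    # would break the whole site, not just the protected endpoints.
    if [ ! -f "$target" ]; then
        echo "FAIL: loader would require a missing file: $target"
        rc=1
    fi

    # The loader has to actually pull in the AAM bootstrap file.
    if ! grep -q "advanced-access-manager/aam.php" "$loader"; then
        echo "FAIL: loader does not reference advanced-access-manager/aam.php"
        rc=1
    fi

    # Anything before the opening <?php tag (blank line, BOM) is sent to
    # the client as output on every request.
    if [ "$(head -c 5 "$loader")" != "<?php" ]; then
        echo "FAIL: loader does not start with <?php"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: must-use loader is in place"
    return "$rc"
}
```

Run it as `check_aam_mu_loader /path/to/wordpress` after creating the file and again after any plugin update or removal.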