Viewing 15 replies - 1 through 15 (of 22 total)
  • Hi nir_r, I am trying to understand your question.

    Are you saying that people whose IP address is restricted are getting blocked from your website?

    Thread Starter nir_r

    (@nir_r)

    Hi,

    No…they are not blocked from my website (www.mydomain.com).
    They cannot access the admin area (www.mydomain.com/wp-admin is restricted).
    This is a common security practice for WordPress.

    Okay thank you for the extra information. So what is the problem with Slideshow plugin?

    Thread Starter nir_r

    (@nir_r)

    The plugin requests the URL that I wrote (https://www.mydomain.com/wp-admin/admin-ajax.php?action=slideshow_jquery_image_gallery_load_stylesheet&style=style-light&ver=2.2.21) and the server responds with a 404 error…

    Thank you for that, now I know what you mean. How have you added the slideshow? Did you link one of the images to the login page? Why does it call (www.mydomain.com/wp-admin) or how does it call it?

    Regards

    Thread Starter nir_r

    (@nir_r)

    I have added the slideshow to one of the site sidebars using the slideshow widget.
    I didn’t link anything to the admin. I followed the basic steps and created a simple images slideshow.
    The URL (www.mydomain.com/wp-admin) is just an example to show you that the htaccess in the wp-admin folder means that restricted users are not allowed to navigate to this address…

    In other words, the plugin writes in the page HTML a call to a URL that is in the admin area of the site and this is wrong…

    Hi, okay I understand what you mean.

    I also have this plugin running on a commercial website with another security plugin installed. I don’t have a blacklisted IP address set up on this website but I do have a secret login URL, which means no one knows it except the people you allow to know. This does not cause any problems with this plugin.

    I don’t know how the plugin calls the /wp-admin/ login page. Can you show me exactly the code it is writing to call the /wp-admin/ page?

    Thank you

    Thread Starter nir_r

    (@nir_r)

    There are several calls that the plugin generates from within the HTML page.
    This is wrong – there shouldn’t be any requests to the ../wp-admin URL.

    If you want, you can load any page where you have an active slideshow, right click and select “View Source” and search for the word “admin”.
    You will see links created by the plugin…
    For example:
    <link rel='stylesheet' id='slideshow-jquery-image-gallery-ajax-stylesheet_style-light-css' href='https://www.mydomain.com/wp-admin/admin-ajax.php?action=slideshow_jquery_image_gallery_load_stylesheet&style=style-light&ver=2.2.21' type='text/css' media='all' />

    Can you please fix this bug?

    Thanks

    Hi, I just carried out a test. I added a new slideshow to a blog post. I viewed the source code and I don’t see any /wp-admin/ link anywhere.

    Can you check your settings?

    Thank you

    Thread Starter nir_r

    (@nir_r)

    I didn’t change the default settings and I rechecked the settings (General settings).
    I have the option to select light or dark style sheet or customize the style sheet.
    I have three slideshows in a sidebar in my homepage.
    Any configuration that I need to do in order to prevent this call to the style sheet from the admin?

    Thread Starter nir_r

    (@nir_r)

    Hi,

    If you don’t see any wp-admin in your test, is it possible that your admin has a different URL (since you told me that you are using security plugins that change wp-admin to something else)?

    I opened the files of the slideshow plugin and I saw that it adds the location of the admin-ajax.php file to the HTML.
    It can be found in SlideShowPlugin.php file (at the end of the file – admin_url()).
    I also checked the SlideshowPluginSlideshowStylesheet.php and saw that the plugin loads the style with the admin URL (check lines 112 to 117 for example).

    I also checked a different website where I have just one slideshow on a page and saw the same issue.

    Please advise…

    Try the following, deactivate all your plugins except this one. Then check to see what is added to the source code. Also make sure you delete your cache.

    Also if the above does not make any difference test one of WordPress default themes like Twenty Fourteen.

    Let me know how you go.

    Thread Starter nir_r

    (@nir_r)

    Hi,

    I did the following:
    On my local machine, using DesktopServer, I installed a new WP V4 test site.
    I selected Hebrew as the language of the installation (first installation screen).
    Uploaded the slideshow plugin and activated it – it is the only plugin.
    Didn’t change the plugin settings.
    Didn’t change the default WP theme.
    Went and created a new slideshow.
    Uploaded 7 images to use in this slideshow.
    Went to Widgets and added the slideshow widget to the primary sidebar.
    Navigated to the site.
    Right click and “View source” – Checked the HTML code and found the problematic call:

    <link rel='stylesheet' id='slideshow-jquery-image-gallery-ajax-stylesheet_style-light-css' href='https://www.slideshow.dev/wp-admin/admin-ajax.php?action=slideshow_jquery_image_gallery_load_stylesheet&style=style-light&ver=2.2.21' type='text/css' media='all' />

    I also tried to change the site language to the default English US and checked again but got the same result.

    Let me know if I can do more to help you with this issue.

    Thanks

    Thank you nir_r that is great information.

    Now try and add a shortcode to the sidebar text widget or a widget that accepts shortcodes without using the slideshow widget.

    Also add a shortcode to a blog post or page in your local machine and view the source code. I think what is happening is that the plugin’s widget is probably adding the admin login part.

    Let me know how you go.

    Regards

    Thread Starter nir_r

    (@nir_r)

    Hi,

    Reviewing the code I can tell you that the widget is not the source of this issue.
    Both the shortcode and the widget call the SlideshowPlugin::prepare method.

    Could you please take care of fixing this security issue?

    Thanks
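
The "View Source and search for admin" check described in the posts above, automated as an added example (not code from the thread or from the plugin): it lists the resources a visitor's browser fetches automatically from under /wp-admin/, which are the requests an IP restriction on that folder will refuse. The sample HTML is constructed around the `<link>` tag quoted in the thread; the class and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page; the second <link> mirrors the tag quoted in the thread.
SAMPLE_HTML = """<html><head>
<link rel='stylesheet' href='https://www.mydomain.com/wp-content/themes/demo/style.css' />
<link rel='stylesheet' id='slideshow-jquery-image-gallery-ajax-stylesheet_style-light-css'
 href='https://www.mydomain.com/wp-admin/admin-ajax.php?action=slideshow_jquery_image_gallery_load_stylesheet&amp;style=style-light&amp;ver=2.2.21'
 type='text/css' media='all' />
<script src='/wp-includes/js/jquery/jquery.js'></script>
</head><body><a href='/wp-admin/'>Dashboard</a></body></html>"""

# (tag, attribute) pairs the browser loads on its own while rendering a page.
# Plain <a href> links are excluded: nothing is requested until a user clicks.
AUTO_LOADED = {("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src")}


class AdminRefFinder(HTMLParser):
    """Collects auto-loaded URLs whose path lies under /wp-admin/."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_LOADED or not value:
                continue
            parts = urlsplit(value)
            if not parts.path.startswith("/wp-admin/"):
                continue
            # admin-ajax.php dispatches on the "action" query parameter.
            action = parse_qs(parts.query).get("action", [None])[0]
            self.findings.append(
                {"tag": tag, "path": parts.path, "ajax_action": action}
            )


def find_admin_subresources(html):
    """Return one dict per auto-loaded resource served from /wp-admin/."""
    finder = AdminRefFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for f in find_admin_subresources(SAMPLE_HTML):
        print(f"<{f['tag']}> loads {f['path']} (action={f['ajax_action']})")
```

Each finding is a request that visitors outside the allowed IP list will have refused by the wp-admin .htaccess rule.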

  • The topic ‘Using htaccess in wp-admin – Slideshow calls for wp-admin and denied’ is closed to new replies.