Title: Headless Login Guard Author: Andrew Wilkinson Published: 2026(e)ko maiatzaren 18(a) Last modified: 2026(e)ko maiatzaren 18(a) --- Bilatu pluginak ![](https://ps.w.org/headless-login-guard/assets/banner-772x250.png?rev=3536308) ![](https://ps.w.org/headless-login-guard/assets/icon-256x256.png?rev=3536307) # Headless Login Guard [Andrew Wilkinson](https://profiles.wordpress.org/andrew40/)-(r)en eskutik [Deskargatu](https://downloads.wordpress.org/plugin/headless-login-guard.1.0.1.zip) * [Xehetasunak](https://eu.wordpress.org/plugins/headless-login-guard/#description) * [Berrikuspenak](https://eu.wordpress.org/plugins/headless-login-guard/#reviews) * [Instalazioa](https://eu.wordpress.org/plugins/headless-login-guard/#installation) * [Garapena](https://eu.wordpress.org/plugins/headless-login-guard/#developers) [Laguntza](https://wordpress.org/support/plugin/headless-login-guard/) ## Deskripzioa A lightweight plugin that **forces login for backend access** in a headless WordPress setup. Keeps your WordPress dashboard private while allowing your front end (e.g. Astro, Next.js) to pull content via GraphQL/REST. #### What it does * Requires authentication for `/wp-admin/` and other backend pages * Always allows the login page to avoid redirect loops * Leaves key endpoints open for headless use: - `/wp-json/` (REST API) - `/graphql` (WPGraphQL) - `/wp-admin/admin-ajax.php` (AJAX) - `/wp-cron.php` (cron) - `/robots.txt` - `/sitemap*.xml` (sitemaps and indexes) - `/wp-content/uploads/*` (media) - `/favicon.ico` - `/newrelic` (New Relic monitoring) * Logged-in users visiting the backend root get redirected to the dashboard * Works with Bedrock layouts (handles root path vs `/wp/`) #### Use case * WordPress is the content backend * Public site is built with Astro/Next.js/etc * Editors log in to WordPress. Visitors never see the backend * Front end builds and live pages can still query GraphQL/REST without authentication #### Customization Developers can customize allowed endpoints using the `force_login_allowed_patterns` filter: ``` add_filter('force_login_allowed_patterns', function($patterns) { $patterns[] = '#^/healthz$#'; // custom health check $patterns[] = '#^/status$#'; // uptime checks $patterns[] = '#^/wp-json/acf/v3/.*#'; // specific REST namespace return $patterns; }); ``` ## Instalazioa 1. Upload the plugin files to the `/wp-content/plugins/force-login` directory, or install the plugin through the WordPress plugins screen directly. 2. Activate the plugin through the ‘Plugins’ screen in WordPress. 3. The plugin will automatically start protecting your backend – no configuration needed! ## MEG ### I’m locked out! How do I access my site? Visit `/wp-login.php` directly to sign in. The plugin always allows access to the login page. ### My front-end requests are failing. What should I do? Verify the endpoint is on the allow list. Check the plugin description for the default allowed patterns, or use the `force_login_allowed_patterns` filter to add custom endpoints. ### Does this work with Bedrock? Yes! The plugin correctly handles both standard WordPress installs and Bedrock layouts where the site URL and home URL may differ. ### Can I add custom endpoints? Yes, use the `force_login_allowed_patterns` filter to add your own regex patterns for additional endpoints that should remain public. ## Berrikuspenak Ez dago berrikuspenik plugin honentzat. ## Laguntzaileak eta Garatzaileak “Headless Login Guard” software librea da. Ondoko pertsonek egin dizkiote ekarpenak plugin honi. Laguntzaileak * [ Andrew Wilkinson ](https://profiles.wordpress.org/andrew40/) [Itzul zaitez Headless Login Guard zure hizkuntzara.](https://translate.wordpress.org/projects/wp-plugins/headless-login-guard) ### Garapena interesatzen zaizu? [Araka kodea](https://plugins.trac.wordpress.org/browser/headless-login-guard/), begiratu [SVN biltegia](https://plugins.svn.wordpress.org/headless-login-guard/) edo harpidetu [garapen erregistrora](https://plugins.trac.wordpress.org/log/headless-login-guard/) [RSS](https://plugins.trac.wordpress.org/log/headless-login-guard/?limit=100&mode=stop_on_copy&format=rss) bidez. ## Aldaketen loga #### 1.0.1 * Added: New Relic monitoring endpoint allowlist pattern (`/newrelic`) to support APM monitoring * Added: WordPress.org plugin directory compatibility * Added: Proper plugin structure with activation/deactivation hooks * Added: Filter hook for customizing allowed patterns * Improved: Code organization and documentation #### 1.0.0 * Initial release * Restricts backend (`/wp-admin/`) to authenticated users * Allows GraphQL and REST API endpoints for headless front-ends * Basic whitelist of essential endpoints (cron, ajax, robots.txt, sitemaps, uploads) ## Meta * Version **1.0.1** * Azken eguneraketa **duela hilabete 1** * Instalazio aktiboak **10 baino gutxiago** * WordPress bertsioa ** 6.0 edo handiagoa ** * **6.9.4** (e)raino probatuta. * PHP bertsioa ** 8.1 edo handiagoa ** * Language * [English (US)](https://wordpress.org/plugins/headless-login-guard/) * Etiketak * [GraphQL](https://eu.wordpress.org/plugins/tags/graphql/)[headless](https://eu.wordpress.org/plugins/tags/headless/) [login](https://eu.wordpress.org/plugins/tags/login/)[rest-api](https://eu.wordpress.org/plugins/tags/rest-api/) [security](https://eu.wordpress.org/plugins/tags/security/) * [Ikuspegi aurreratua](https://eu.wordpress.org/plugins/headless-login-guard/advanced/) ## Balorazioak No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/headless-login-guard/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/headless-login-guard/reviews/) ## Laguntzaileak * [ Andrew Wilkinson ](https://profiles.wordpress.org/andrew40/) ## Laguntza Zerbait duzu esateko? Laguntza behar? [Ikusi laguntza foroa](https://wordpress.org/support/plugin/headless-login-guard/)