Hi!
When I password protect my wp-admin folder with auth (all allowed for wp-admin ajax) I run into trouble.
What happens: What happens is that a forum that is shown for everybody (guests) is working but when the users try to enter a forum that's only visible for certain user roles they a required to enter the directory password even though they have access to the forum part with the user role they have.
What I expect: Everyone, no one, no matter which user roles they have and which part of the forum they are visiting, should be requested to enter the directory password for wp-admin.
How do I solve this as this is an important part of the Wordpress security?
With best regards,
bb
"this is an important part of the Wordpress security". Of cource Not. Password protecting anything, doesn't offer any security. It only complicates things. Same with "security by obscurity", hiding things like login and register etc etc.
There are plently of security plugins that protect your Wordpress that work seemlessly with all plugins.
@massimod, please consider being more humble in your responses.
I didn't ask about your opinion on my security. I asked what to do when using folder password on wp-admin with wpforo.
With best regards,
bb
@massimod, please consider being more humble in your responses.
I didn't ask about your opinion on my security. I asked what to do when using folder password on wp-admin with wpforo.
No problem. Good luck.
Hi @bba01,
Thank you for contacting us.
To tell the truth, this is the first time I've faced with such a question. wpForo doesn't have relation to the WordPress protection system. wpForo uses the WordPress native ajax requests system, which uses /wp-admin/admin-ajax.php file
Please check out the following article by WordPress team. Here you'll find information on how to make your WordPress login system more protected without breaking ajax functionality.
This is a quote from the article, which explains why it's not recommended password protecting wp-admin:
Password protecting your wp-login.php file (and wp-admin folder) can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses ajax on the front end, it’s usually sufficient to just protect wp-login.php.
The whole article can be found here:
https://wordpress.org/support/article/brute-force-attacks/#password-protect-wp-login-php
In this support topic, you'll find a solution on how to password protect all /wp-admin/ folder and at the same time exclude /wp-admin/admin-ajax.php file.
https://wordpress.org/support/topic/how-safe-is-to-allow-access-to-admin-ajax-php/
The solutions are not checked by our team, but we hope it'll be helpful for you. If those solutions don't satisfy you, please contact the WordPress support team to get more correct solutions to solve this issue.
Hi @sofy and thanks for answering!
In my setup I've already allowed admin-ajax.php to be accessed by anyone but I still have the same problem. Are you sure wpforo doesn't use anything else from wp-admin when accessing a forum that only allows a certain forum user role?
One fix is of course to only protect the wp-login.php with an extra layer of security using auth but somehow it feels better to have the whole directory password protected...
With best regards,
bb