Custom WordPress coding help

I am using an MU plugin to restrict non-admins from the wp-admin area. I got this code from a WPMU DEV staff member nearly a year ago. Here is the code:

--------------------------------------------------
if ( strpos( $requested_uri, '/wp-admin' ) !== false && ! is_user_logged_in() ) {
    do_action( 'debugger_var_dump', 'REDIRECT', 'REDIRECT', 0, 0 );
    // The redirect codebase
    status_header( 404 );
    nocache_headers();
    include( get_query_template( '404' ) );
    die();
}
--------------------------------------------------
The problem is, this code is not allowing non-admin users to access admin-ajax.php. As a result, my Wordfence scan is failing.

In chat, I was given the following code:

--------------------------------------------------
add_action( 'admin_init', 'redirect_non_admin_users' );
function redirect_non_admin_users() {
    if ( ! current_user_can( 'manage_options' ) && '/wp-admin/admin-ajax.php' != $_SERVER['PHP_SELF'] ) {
        wp_redirect( home_url() );
        exit;
    }
}
--------------------------------------------------
But this doesn't help either.

So can you please write me code that will restrict non-admins from accessing wp-admin, but will allow plugins to access admin-ajax?

  • Nahid

    Hey @Wheel of Commerce!
    Hope you are having a great day!

    Could you try putting the following code in your mentioned mu-plugin and see if that makes a difference?

    add_action( 'init', 'blockusers_init' );
    function blockusers_init() {
        if ( is_admin() && ! current_user_can( 'administrator' ) &&
           ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
            wp_redirect( home_url() );
            exit;
        }
    }

    Hope this helps. Let us know if this works for you. Thanks!

    Kind regards,
    Nahid
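
A variant that combines the two behaviours in this thread (404 for logged-out visitors, redirect for logged-in non-admins, admin-ajax.php exempt), added here as an example and not code from Nahid or WPMU DEV. The `woc_` function names and the `woc_save_note` AJAX action are hypothetical; the handler is included because anything reachable through admin-ajax.php has to do its own nonce and capability checks.

```php
<?php
// Added example, not code from the thread. The woc_ names and the
// 'woc_save_note' action are hypothetical.

// Pure policy decision, kept separate from the hook so it is easy to reason about.
function woc_admin_gate_decision( $in_admin, $doing_ajax, $logged_in, $is_admin_user ) {
    if ( ! $in_admin || $doing_ajax || $is_admin_user ) {
        return 'allow';            // front end, admin-ajax.php, or a real admin
    }
    return $logged_in ? 'redirect' : 'not_found';
}

add_action( 'init', 'woc_admin_gate' );
function woc_admin_gate() {
    $decision = woc_admin_gate_decision(
        is_admin(),                           // true for every wp-admin script, admin-ajax.php included
        wp_doing_ajax(),                      // WordPress 4.7+; wraps the DOING_AJAX constant
        is_user_logged_in(),
        current_user_can( 'manage_options' )  // capability check instead of a role name
    );
    if ( 'redirect' === $decision ) {
        wp_safe_redirect( home_url() );
        exit;
    }
    if ( 'not_found' === $decision ) {
        // Same response as the original mu-plugin: hide wp-admin behind a 404.
        status_header( 404 );
        nocache_headers();
        $template = get_query_template( '404' );
        if ( $template ) {
            include $template;
        }
        exit;
    }
}

// admin-ajax.php bypasses the gate, so every handler authorizes itself.
add_action( 'wp_ajax_woc_save_note', 'woc_save_note' );
function woc_save_note() {
    check_ajax_referer( 'woc_save_note', 'nonce' );   // dies with 403 on a bad nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    wp_send_json_success( array( 'saved' => $note ) );
}
```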

  • Wheel of Commerce

    Hi, Nahid!

    I apologize for taking so long to reply. I've been pretty busy for the past week and I'm coming back to this issue only now. I've added the code you gave me; now I'll have to wait to see if the next daily automatic Wordfence scan will run.

    There's another issue that, according to Wordfence support, is related to the fact that I've customized the way users log into my site: 2 step authentication isn't working. As WPMU support access doesn't work on my site (again, due to customizations) and you'll definitely need to log in to look into this, I've sent you an email containing the credentials through WPMU's contact form, with "Attn.: Nahid" in the subject line.

    Thank you very much.

  • Nahid

    Hey Wheel of Commerce!
    Hope you are having a great day!

    Thank you for sending out the credentials. I took a look at your site and was able to see the issue. Reading through the documentation for Two Factor Authentication in Wordfence, it doesn't seem like the feature supports usage in a custom login form. I can see the login functionality on your site is using a completely custom login form, which doesn't even use wp-login.php as the form action.

    In this scenario, what I'd recommend is getting in touch with Wordfence support to check how Wordfence's Two Factor Authentication can be integrated into the login form that you're using on your site. If that's not possible, you can ask them for recommendations on what other custom login plugins work with Wordfence's Two Factor Authentication.

    Hope this helps. Let us know if you need any further assistance regarding this. Thanks!

    Kind regards,
    Nahid
