kevinvess / wp-force-login Goto Github PK

Hello, I'm a developer. I just downloaded and activated this plugin and the site continued to be publicly visible, nothing changed. Please advise how to enable this and confirm it's working.

• sorry

Wordpress version: 5.5.1

When I click "Lost your password?", the URL has changed to "http://totallifechanges.nz/wp-login.php?redirect_to=http%3A%2F%2Ftotallifechanges.nz%2Fmy-account-2%2Flost-password%2F". But it is still redirecting to the login page.

https://github.com/wp-api/node-wpapi access the rest api but I can't get it to work when force login is active as it redirects to the login page and causes a problem setting the CORS (as there is no CORS headers being sent on the login page)

I can see every page of wordpress without login.

If I have your plugin active, regardless of what url I go to (ex: homepage -> redirects to wp-admin, or straight to wp-admin), my Keyy two-factor authentication plugin and app fails.

When this happens Keyy's error is:
"401 Authorization Error: Please add basic HTTP authentication to site."

I'm not sure how to proceed. Your plugin solves the problem I had with needing the login on the homepage if not logged, but I may have to find another way, as I really enjoy using Keyy. You can find out more about Keyy at getkeyy.com and I'm happy to help in anyway recreate this issue for you.

Thanks! -lmb

Issue

When a logged-in Multisite user tries to access a site they don't belong to, they see an unauthorized error message.

However, non-logged-in visitors are able to see bypassed / allowed pages.

Possible Solution

Add the same bypass filter to allow Multisite users access to the same publicly accessible pages. And/or possibly create a new filter to allow developers to bypass Force Login specifically for Multisite users.

Great plugin! I am using it for an extranet for a client. They would like to force login from any IPs except their work location. I was using https://wordpress.org/plugins/force-login-except-special-ip-range/, but it hasn't been updated in 7 years and seems to have quit working. Any way I can exclude or whitelist IPs in your plugin? Thanks!

LeeAnne

We have a wordpress site that's gated for our company employees, in which we use Force Login before users can see that content. We noticed a few months ago (via the plugin Uptime Robot), that our site will be unreachable every day between the hours of 11pm and 6am (MST). After some testing with our .htaccess and then the disabling of plugins, we've identified that this redirect loop is only happening when we have Force Login activated. Furthermore, Force Login is working just fine outside of the 11-6 window.

Our site is Wordpress v5.5.1. And we're using the most recent version of Force Login (v5.4). We do know that the plugin page tells us: "Warning: This plugin has not been tested with your current version of WordPress."

Are there known issues with this version of Wordpress? And are there any configurations we can add to work around this issue?

Hi. First, thank you for writing this useful plugin!

My situation is: I use the WP REST API. I added an API to log user in. I want non-logged-in users to be able to use this API to log in.

I've read the FAQs and am aware of the way to whitelist certain URLs, but whitelisting APIs seems different.
I'm also aware that you can remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access' );, but I want to keep other APIs to authorized users only. Only the log-in API needs to be whitelisted.

Please guide me. Thank you!

wp-force-login does not work with WordPress Android App (https://play.google.com/store/apps/details?id=org.wordpress.android)

WordPress Android version: 3.9
Android device name: Asus Nexus 7

01 - resetting suggestion table
02 - WPLaunchActivity, activityName: LOGIN, activityId: Login Screen, intent: null
03 - Launch default Activity: PostsActivity
04 - WordPress.onCreate: begin
05 - WordPress.onCreate: 1311 ms, PostsActivity.onCreate
06 - WordPress.onCreate: end, 1311 ms
07 - No accounts configured. Sending user to set up an account
08 - NewAccountAbstractOage.onCreate()
09 - trackLastActivity, activityId: Login Screen
10 - unresolved: › (position:TEXT @10:25 in java.io.StringReader@c79551b)
11 - StackTrace: org.xmlpull.v1.XmlPullParserException: unresolved: › (position:TEXT @10:25 in java.io.StringReader@c79551b)
at org.kxml2.io.KXmlParser.checkRelaxed(KXmlParser.java:305)
at org.kxml2.io.KXmlParser.readEntity(KXmlParser.java:1284)
at org.kxml2.io.KXmlParser.readValue(KXmlParser.java:1401)
at org.kxml2.io.KXmlParser.next(KXmlParser.java:393)
at org.kxml2.io.KXmlParser.next(KXmlParser.java:313)
at org.xmlrpc.android.ApiHelper.getRSDMetaTagHref(ApiHelper.java:1166)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.getRsdUrl(FetchBlogListWPOrg.java:134)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.getSelfHostedXmlrpcUrl(FetchBlogListWPOrg.java:254)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.fetchBlogList(FetchBlogListWPOrg.java:112)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListAbstract$1.run(FetchBlogListAbstract.java:27)

12 - Error while parsing the XML-RPC response document received from the server. - exception: unexpected type (position:END_DOCUMENT null@1:1 in java.io.InputStreamReader@3579a6b8)
13 - StackTrace: org.xmlpull.v1.XmlPullParserException: unexpected type (position:END_DOCUMENT null@1:1 in java.io.InputStreamReader@3579a6b8)
at org.kxml2.io.KXmlParser.nextTag(KXmlParser.java:2054)
at org.xmlrpc.android.XMLRPCClient.parseXMLRPCResponse(XMLRPCClient.java:288)
at org.xmlrpc.android.XMLRPCClient$Caller.callXMLRPC(XMLRPCClient.java:493)
at org.xmlrpc.android.XMLRPCClient$Caller.access$000(XMLRPCClient.java:408)
at org.xmlrpc.android.XMLRPCClient.call(XMLRPCClient.java:225)
at org.xmlrpc.android.XMLRPCClient.call(XMLRPCClient.java:220)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.getXmlrpcByUserEnteredPath(FetchBlogListWPOrg.java:157)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.getSelfHostedXmlrpcUrl(FetchBlogListWPOrg.java:270)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListWPOrg.fetchBlogList(FetchBlogListWPOrg.java:112)
at org.wordpress.android.ui.accounts.helpers.FetchBlogListAbstract$1.run(FetchBlogListAbstract.java:27)

14 - Response document received from the server:






<title>_My_Blog_Title_ › Se connecter</title>

Since the latest update, we get an error to many re-directs and then time's out as soon as disabled this add on we can use Wordpress again

I have added a v_forcelogin_redirect filter to go to my site_url() home page. This works fine for the first login.
But after logging out, the site returns to the login page with the URL:
http://mysite/wp-login.php?loggedout=true
Then if i log in again from there, it doesn't redirect to my home page as expected, but shows the user's profile page: http://www.thomas-ranch.org/wp-admin/profile.php
The same thing occurs after the lost-password process.

How can I force it to always go to the home page?
Thanks!
John

We believe this started after upgrade to WP 4.9.5, if on site and logout it goes to login page, but if you are logged out and attempt to access the site, doesn't seem to force login.

Mike

The employee extranet has I'm using your plugin on has a custom post type and a page with a hyphen in the name 'this-type' rather than 'thistype' -- and that's the only page which I can see when I'm logged out. All other urls take me to the login page just fine. Any ideas on how I can make sure it is included?

In wp-force-login this plugin only allow Multisite users access to their assigned sites.

In my case, i need every registered user to view all sites.
I can comment those lines (and it works fine), but it would be a great if there were an option to toggle this behavior.

By the way, great plugin!

Plugin make redirect loop while accessing to xmlrpc.php which is a page needed to use Jetpack with Wordpress.

The auth0 plugin has a callback url that receives a code as a query string param as part of the oauth2 flow.

Since this plugin only check for the full url it does not work. Is there any posibility you add support for regexp or maybe just the domain + path without the querystring?

Issue

Currently the plugin allows access to all default WordPress login, lost-password, and register URLs using the wp_login_url() function.

This was done for simplicity, since all default WordPress login URLs live under the same URL structure of /wp-login.php and change based on the ?action= query string.

However, some users experience an issue when using a custom registration URL, because the bypass was based on the /wp-login.php URL structure and not with the wp_registration_url() function– which could be filtered to return a custom URL.

Possible Solutions

Add the wp_registration_url() function as the method to allow the registration URL which would cover the possible use of a custom registration URL; but would push the minimum required version of WordPress to version 3.6.0 - when the function was introduced.

Or

Tell users to manually bypass their custom registration URL via the v_forcelogin_bypass filter.

Kevin,

Thanks for the plugin. Working nicely for us. However, we've noted that anyone with a link to attachments in wp-content/uploads/ can download these files without logging in. Google spiders these folders and then includes the results in their search results so the chances of someone finding these files are quite high.

Hello - I like how simple you've made your plugin - but, hitting a snag with the lost password link as it's just reloading the same user login screen instead of the user being able to request a reset password link.

WordPress v5.8
Force Login v5.6.2

Thanks,
Jonathon

Hey nice plugin :) and thx for developing.

I got a redirect loop because it uses the $_SERVER stuff. Our wordpress is running in a virtual machine behind a nginx proxy so he took the wrong server address (local addr). I think it would be better and easier to use "get_site_url()" from wordpress it self.

But i am not really familiar with wordpress and php ^^
Servus

I have a somewhat complex site with a WooCommerce store. I am forcing login since it's a private store, but have made exceptions for pages like /register, /login, /password-reset, etc.

On all devices, desktop, and mobile, I've got everything working fine. On iPads and iPhones, whether using Safari or Chrome browsers, it often thinks every other page needs to login first, and constantly sends them to the login page with a redirect in the URL for going to the page they wanted.

So for example, I'm on the home page and click an "add to cart" button. The product goes into the cart and shows a flyout thing. Now I click on the "Cart" button to take me to the /cart page. Instead of going to the cart page, it directs me to the login page with a URL like: https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fcart%2F

I will do this when I click on a main menu item, the logo (home page link), cart, my account, etc. Even though I'm already logged in.

It's hard to troubleshoot from an iPhone since I don't have developer tools and such, so I'm limited on what I can test, except to say, when I disable the force login plugin, it doesn't do that any more.

When a logged-in Multisite user tries to access a site they don't belong to, they see the following error message:

You're not authorized to access this site.

Feature Request

Maybe developers should have the ability to change this error message to be specific to their install and be more helpful to their user.

For example, you might want to add detail to the error message that tells users why they're unauthorized or how they may gain access to the site.

I've installed the plugin from the wordpress repo and since then the WP-Cron stopped working.
When I'm calling WP-Cron by using wp cron schedule list I only get the following:

PHP Notice:  Trying to get property of non-object in /var/www/.../htdocs/wp-content/themes/enfold/framework/php/function-set-avia-frontend.php on line 66
PHP Stack trace:
PHP   1. {main}() /usr/bin/wp:0
PHP   2. include() /usr/bin/wp:4
PHP   3. include() phar:///usr/bin/wp/php/boot-phar.php:5
PHP   4. WP_CLI\Runner->start() phar:///usr/bin/wp/php/wp-cli.php:21
PHP   5. WP_CLI\Runner->load_wordpress() phar:///usr/bin/wp/php/WP_CLI/Runner.php:697
PHP   6. require() phar:///usr/bin/wp/php/WP_CLI/Runner.php:736
PHP   7. include() phar:///usr/bin/wp/php/wp-settings-cli.php:389
PHP   8. require_once() /var/www/.../htdocs/wp-content/themes/enfold/functions.php:397
PHP   9. avia_get_option() /var/www/.../htdocs/wp-content/themes/enfold/includes/admin/register-widget-area.php:65
PHP Notice:  Undefined index: HTTP_HOST in /var/www/.../htdocs/wp-content/plugins/wp-force-login-master/wp-force-login.php on line 36
PHP Stack trace:
PHP   1. {main}() /usr/bin/wp:0
PHP   2. include() /usr/bin/wp:4
PHP   3. include() phar:///usr/bin/wp/php/boot-phar.php:5
PHP   4. WP_CLI\Runner->start() phar:///usr/bin/wp/php/wp-cli.php:21
PHP   5. WP_CLI\Runner->load_wordpress() phar:///usr/bin/wp/php/WP_CLI/Runner.php:697
PHP   6. require() phar:///usr/bin/wp/php/WP_CLI/Runner.php:736
PHP   7. do_action() phar:///usr/bin/wp/php/wp-settings-cli.php:405
PHP   8. call_user_func_array:{/var/www/.../htdocs/wp-includes/plugin.php:525}() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP   9. v_forcelogin() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP Notice:  Undefined index: HTTP_HOST in /var/www/.../htdocs/wp-content/plugins/wp-force-login-master/wp-force-login.php on line 38
PHP Stack trace:
PHP   1. {main}() /usr/bin/wp:0
PHP   2. include() /usr/bin/wp:4
PHP   3. include() phar:///usr/bin/wp/php/boot-phar.php:5
PHP   4. WP_CLI\Runner->start() phar:///usr/bin/wp/php/wp-cli.php:21
PHP   5. WP_CLI\Runner->load_wordpress() phar:///usr/bin/wp/php/WP_CLI/Runner.php:697
PHP   6. require() phar:///usr/bin/wp/php/WP_CLI/Runner.php:736
PHP   7. do_action() phar:///usr/bin/wp/php/wp-settings-cli.php:405
PHP   8. call_user_func_array:{/var/www/.../htdocs/wp-includes/plugin.php:525}() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP   9. v_forcelogin() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP Notice:  Undefined index: SERVER_PORT in /var/www/.../htdocs/wp-content/plugins/wp-force-login-master/wp-force-login.php on line 39
PHP Stack trace:
PHP   1. {main}() /usr/bin/wp:0
PHP   2. include() /usr/bin/wp:4
PHP   3. include() phar:///usr/bin/wp/php/boot-phar.php:5
PHP   4. WP_CLI\Runner->start() phar:///usr/bin/wp/php/wp-cli.php:21
PHP   5. WP_CLI\Runner->load_wordpress() phar:///usr/bin/wp/php/WP_CLI/Runner.php:697
PHP   6. require() phar:///usr/bin/wp/php/WP_CLI/Runner.php:736
PHP   7. do_action() phar:///usr/bin/wp/php/wp-settings-cli.php:405
PHP   8. call_user_func_array:{/var/www/.../htdocs/wp-includes/plugin.php:525}() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP   9. v_forcelogin() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP Notice:  Undefined index: SERVER_PORT in /var/www/.../htdocs/wp-content/plugins/wp-force-login-master/wp-force-login.php on line 39
PHP Stack trace:
PHP   1. {main}() /usr/bin/wp:0
PHP   2. include() /usr/bin/wp:4
PHP   3. include() phar:///usr/bin/wp/php/boot-phar.php:5
PHP   4. WP_CLI\Runner->start() phar:///usr/bin/wp/php/wp-cli.php:21
PHP   5. WP_CLI\Runner->load_wordpress() phar:///usr/bin/wp/php/WP_CLI/Runner.php:697
PHP   6. require() phar:///usr/bin/wp/php/WP_CLI/Runner.php:736
PHP   7. do_action() phar:///usr/bin/wp/php/wp-settings-cli.php:405
PHP   8. call_user_func_array:{/var/www/.../htdocs/wp-includes/plugin.php:525}() /var/www/.../htdocs/wp-includes/plugin.php:525
PHP   9. v_forcelogin() /var/www/.../htdocs/wp-includes/plugin.php:525
Warning: Some code is trying to do a URL redirect. Backtrace:
#0  WP_CLI\Utils\wp_redirect_handler(http://.../wp-login.php?redirect_to=http%3A%2F%2F%3A)
#1  call_user_func_array(WP_CLI\Utils\wp_redirect_handler, Array ([0] => http://.../wp-login.php?redirect_to=http%3A%2F%2F%3A)) called at [/var/www/.../htdocs/wp-includes/plugin.php:235]
#2  apply_filters(wp_redirect, http://.../wp-login.php?redirect_to=http%3A%2F%2F%3A, 302) called at [/var/www/.../htdocs/wp-includes/pluggable.php:1208]
#3  wp_redirect(http://.../wp-login.php?redirect_to=http%3A%2F%2F%3A, 302) called at [/var/www/.../htdocs/wp-includes/pluggable.php:1307]
#4  wp_safe_redirect(http://.../wp-login.php?redirect_to=http%3A%2F%2F%3A, 302) called at [/var/www/.../htdocs/wp-content/plugins/wp-force-login-master/wp-force-login.php:49]
#5  v_forcelogin()
#6  call_user_func_array(v_forcelogin, Array ([0] => )) called at [/var/www/.../htdocs/wp-includes/plugin.php:525]
#7  do_action(init) called at [phar:///usr/bin/wp/php/wp-settings-cli.php:405]
#8  require(phar:///usr/bin/wp/php/wp-settings-cli.php) called at [phar:///usr/bin/wp/php/WP_CLI/Runner.php:736]
#9  WP_CLI\Runner->load_wordpress() called at [phar:///usr/bin/wp/php/WP_CLI/Runner.php:697]
#10 WP_CLI\Runner->start() called at [phar:///usr/bin/wp/php/wp-cli.php:21]
#11 include(phar:///usr/bin/wp/php/wp-cli.php) called at [phar:///usr/bin/wp/php/boot-phar.php:5]
#12 include(phar:///usr/bin/wp/php/boot-phar.php) called at [/usr/bin/wp:4]

Hello! I'm using Force Login 5.5 with

WP5.5.3
Buddypress 6.4.0
Colorlib Login Customizer .2.97

The Login works fine but REGISTER is not working at all.

Cheers
Egon

When no port is specified in the URL it adds $_SERVER['SERVER_PORT'] which in many cases is not the port that is open to users if using port forwarding or nginx redirection etc.

The latest update changes to the handling of multisites causes a login failure on my multisite installation.

Depending on what type of server I try, I get either
You're not authorized to access this site. (on my local development laptop)
OR
a more generic "This page cannot be loaded"

I have restored the previous version from backup and all works fine agian.

What breaks in the new version:
// Only allow Multisite users access to their assigned sites
if ( is_multisite() && ! is_user_member_of_blog() && ! current_user_can( 'setup_network' ) ) {
$message = apply_filters( 'v_forcelogin_multisite_message', __( "You're not authorized to access this site.", 'wp-force-login' ), $url );

What worked in the previous version:
// Only allow Multisite users access to their assigned sites
if ( ! is_user_member_of_blog() && ! current_user_can( 'setup_network' ) ) {
wp_die( __( "You're not authorized to access this site.", 'wp-force-login' ), get_option( 'blogname' ) . ' › ' . __( 'Error', 'wp-force-login' ) );
}

Thank you
Daniel Servranckx

I have a site which is behind a proxy, and as most proxies pass the original host_name to the server, this plugin should also. I can't think of any reasons why not as far as design considerations, I just know I had to manually change it to use $_SERVER('HTTP_HOST') instead of $_SERVER('SERVER_NAME'), for it to work right.

Notice: get_currentuserinfo is deprecated since version 4.5! Use wp_get_current_user() instead. in /***/htdocs/wp-includes/functions.php on line 3658

This error started showing today and it's the only plugin I've located in my plugin folder with get_currentuserinfo. If I disable wp-force-login, the error goes away.

Hello.

The redirect to the inicial page after the login is not working after the user logout.

I notice that the parameter redirect_to is lost after the logout. It makes the user been redirected to the WordPress painel.

Hi

I run a wordpress multisite, where wp-force-login is network enabled across all sites in my development environment.

Registrations are disabled, however I may add users manually to a site through wp-admin if I set their password and don't require them to authorize their email address.

But when I add a user and wordpress sends them a registration authentication link, whitelist validation fails in the plugin and they get forced to the login page.

The registration link is unique to every user (param string), and every site (subdomain), so the whitelist filter dosn't seem to useful since it does full url comparison. Perhaps allow whitelist by url regex?

Hi, I'm using Force Login (great plugin!) but I can't do work it with custom post types. It works fine with pages, but if a not logged user tries to access a custom post type, it can access the content (and the idea is forbid it access)

I'm lossing something?

Thanks! Federico

Hello, I noticed the plugin states that it works with multisites. Does the plugin just cover all subsites? Is there a feature that allows you to hook up to only 1 subsite of a multisite? I tried installing and I don't think this feature exists. Just wanted to double check and see if there were any future plans for building out this feature. Thank you!

FYI, I just upgraded a site from version 5.5.0 to 5.6.2 and it causes non-logged-in users to experience a multiple redirect loop error. Downgrading back to 5.5.0 fixed the issue for me. If I have some time later on, I’ll take a look at the last few commits between 5.5.0 and 5.6.2 and see if I can figure out what is causing the issue on my site.

With the plugin installed - once forced to login; users that need to register for access get looped back to the login screen. Any ideas why?

Some up to date Firefox on Linux, Windows (unknown version), and Mac (unknown version) "can't login". Thankfully I was able to recreate from on a Virtual Box running Mint 14 and up to date Firefox. Upon entering username and password and clicking "Log in", there would be a brief pause with both the username and password being cleared but still on the login screen. No error message would be generated. In looking at the logs, the login would be recorded as successful. If one then had the URL to directly access a particular page, one could access the page. Without logging in, the page is inaccessible.
The behavior is consistent among those stricken with the bug for the particular site. If one could login with FireFox from the particular system, one could always login. Those who could never login were never able to login.
I dropped back to one of the standard WP themes (don't recall the specific theme but it was a 20xx), disabled all plugins, and cleared caches on both the server and in FireFox and still would be shown the same login screen despite having successfully logged in as shown by the logs.
Observed five times over 200 users. Same users had no problem logging in using Chrome, Safari, or IE from the same system.
Behavior seen on a production system running at WPEngine.com. When I 'cloned" a copy of the production system on to a staging system, the same FireFox browsers that could not login on the production system could log in to the staging site. When I cloned the staging site but to the production site, the same browser that could log in to the staging site could not log in to the new production site.
"Force Login" plugin is currently deactivated and "Require Login" plugin is installed and working without any apparent issues.

When active, the plugin keeps Wordfence from scanning. Wordfence worked immediately after disabling force login.

I am not sure if this is a new problem...

I moved my site from one URL to another. That is the only thing that changed...Till then the force login was functioning as expected.
Now
When I login to my URL, the new one, it still brings up the login screen, however upon name/pswd entry it did not proceed to the main page as defined, but went to the wp-admin page.

I have removed the plug in for now. I don't know if somehow it got confused by the move?

Thought I'd report it just in case. If desired I'll recreate the problem and show screen shots or whatever else would be useful.

When I enable this plug-in, I am unable to publish from Android app. Give XMLRPC error. Contacted WP support and suggested to disable the plug-in and it worked.

Hi Bud,

Firstly, thank you very much for this plugin, it full on saved my ass and I thought you might be interested in a use case and a solve. I found another user on wordpress.org who had a similar issue and thought the finding would be useful on the 'Whitelist Dynamic URLs' wiki.

So I have a woocommerce site I'm making for a client which has the following functionality.

1. Site must be totally blocked to unregistered users
2. Users provided with a direct link must be redirected to a specific link once logged in.
3. Users must visit the landing page (custom PHP template)
4. Contact form must not be affected by redirect.
5. Contact Form 7 must not be affected by redirect.
6. Facebook Ads must be redirected to Landing Page.

/**
 * Set the URL to redirect to on login.
 *
 * @return string URL to redirect to on login. Must be absolute.
 */
function my_forcelogin_redirect() {
    return home_url( '/welcome-to-unowned/' );
}
add_filter( 'v_forcelogin_redirect', 'my_forcelogin_redirect' );

add_filter( 'woocommerce_login_redirect', 'wc_login_redirect' );

function wc_login_redirect( $redirect_to ) {
	$redirect_to = 'https://unowned.co.uk/welcome-to-unowned/';
	return $redirect_to;
}

/**
 * Filter Force Login to allow exceptions for specific URLs.
 *
 * @param array $whitelist An array of URLs. Must be absolute.
 * @return array
 */
function my_forcelogin_whitelist( $whitelist ) {
	$whitelist[] = home_url( '//' );
	$whitelist[] = home_url( '/landing/#wpcf7-f894-p15-o1/' );
	$whitelist[] = home_url( '/landing/' );
	$whitelist[] = home_url( '/wp-content/themes/dist/welcome.php/' );
	$whitelist[] = home_url( '/wp-content/themes/dist/soon.php/' );
	$whitelist[] = home_url( '/wp-content/plugins/contact-form-7/' );
	return $whitelist;
}
add_filter( 'v_forcelogin_whitelist', 'my_forcelogin_whitelist' );

 /**
 * Bypass Force Login to allow for exceptions.
 *
 * @param bool $bypass Whether to disable Force Login. Default false.
 * @return bool
 */
function my_forcelogin_bypass( $bypass ) {
    // Allow URL if query string 'parameter' exists
    if ( isset( $_GET['fbclid'] ) ) {
        $bypass = true;
    }

    return $bypass;
}
add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass' );

function wc_custom_user_redirect( $redirect, $user ) {
	// Get the first of all the roles assigned to the user
	$role = $user->roles[0];
	$dashboard = admin_url();
	$myaccount = get_permalink( wc_get_page_id( 'welcome-to-unowned' ) );
	if( $role == 'administrator' ) {
		//Redirect administrators to the dashboard
		$redirect = $dashboard;
	} elseif ( $role == 'shop-manager' ) {
		//Redirect shop managers to the dashboard
		$redirect = $dashboard;
	} elseif ( $role == 'editor' ) {
		//Redirect editors to the dashboard
		$redirect = $dashboard;
	} elseif ( $role == 'author' ) {
		//Redirect authors to the dashboard
		$redirect = $dashboard;
	} elseif ( $role == 'customer' || $role == 'subscriber' ) {
		//Redirect customers and subscribers to the "My Account" page
		$redirect = $myaccount;
	} else {
		//Redirect any other role to the previous visited page or, if not available, to the home
		$redirect = wp_get_referer() ? wp_get_referer() : home_url();
	}
	return $redirect;
}
add_filter( 'woocommerce_login_redirect', 'wc_custom_user_redirect', 10, 2 );

The main fixes I wanted to call attention to which may not be apparent to general users is that your plugin can work perfectly well by whitelisting the Action url parameters for forms, for CF7 just the #... part is necessary.

$whitelist[] = home_url( '/landing/#wpcf7-f894-p15-o1/' );

What was quite a problem is that the Facebook ad campaign was redirecting to login no matter what we tried. I finally got a hold of the URL the marketer was using and it turns out the ads generate an insanely long, parameter filled URL . Using your instructions from the Whitelist URL wiki and using fbclid for the parameter got the ads working again.

I'm aware that this may be blindingly obvious to you but I thought it might be a nice tip to add to the wiki for these edge cases.

Anyway, thanks again for a very useful plugin.

Kind Regards,
James

Recent updates to force login has extended the reach of the plugin to the wp api. However, I already have a plugin that secures my wp api and I use JWT authentication to access the api. Your new v_forcelogin_rest_access does not include the same whitelist mechanism as force login as such any alternative api authentication is completely disable. My simple plugin that I use to secure my api and use jwt authentication can be found here as an example. https://github.com/valeryan/wp-secure-api/blob/master/wp-secure-api.php. You could achieve something similar by applying the same whitelist logic to your api function.

I have a test site. I want to test some REST apis that i made but during that i want the site to be locked. I tried this plugin and it works for force login and also allows to bypass urls but i could't find any method to bypass my API call.

Here is a sample url i want to bypass.

http://my-site.test/wp-json/sk-plugin/make/post

please help.
thanks for this plugin.

If the server is not on 80 or 433, there is some sort of loop happening with the redirect URL, which causes a bad gateway.

Suggested fix:

Add a filter on line 31:

$url .= in_array( $_SERVER['SERVER_PORT'], array('80', '443') ) ? '' : ':' . $_SERVER['SERVER_PORT'];

to:

$url .= in_array( $_SERVER['SERVER_PORT'], apply_filters('v_forcelogin_serverports', array('80', '443')) ) ? '' : ':' . $_SERVER['SERVER_PORT'];

After adding a filter within my functions.php, the plugin behaves as expected.

There's a plugin which enables 3rd-party login with Wordpress: https://github.com/perrybutler/WP-OAuth

Unfortunately, when using it together with Force-Login, the user falls into an infinite loop. WP-OAuth works by making a button which creates the following link:

https://www.example.com/?connect=provider-id&redirect_to=https%3A%2F%2Fwww.example.com%2F

This link is then parsed by the plugin and a redirect is issued to the correct provider based on provider settings. Unfortunately, this link is caught and parsed by Force-Login before WP-OAuth has time to look at it. And the result is that the user is redirected straight back to the login page before redirect.

User ends up on a "double redirect" login page, e.g.:

https://www.example.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.example.com%2F%3Fconnect%3Dprovider-id%26redirect_to%3Dhttps%253A%252F%252Fwww.example.com%252F

Maybe cooperate with @perrybutler on this?

(also posted on the plugin forum on Wordpress, not sure which you prefer)

Installed and activated the plugin on a WooCommerce Multisite ‘subsite’ (where I'm using the https://woomultistore.com/ plugin) .

Instead of the expected login screen for the home page, I’m getting a blank screen. The Network tab in Inspector shows Status code 403.

Hi there,

I'm using the plugin on my site, and have whitelisted the pages I want using the code below:

function my_forcelogin_whitelist( $whitelist ) {
  if( $_GET['auth0'] == 1 ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
  }
$whitelist[] = site_url( '/' );
$whitelist[] = site_url( '/whitelistedpage' );
$whitelist[] = site_url( '/whitelistedpage/' );
  return $whitelist;
}

This works beautifully. When navigating to a page on the site that is not whitelisted, the user is forced to login and then redirected to the same page.

However, when I navigate to a page that is not whitelisted with the 'www' at the front of my URL, the user is redirected to the homepage. (My WordPress site URL is a non www, and I would like to keep it like that). Additionally, if the user is already logged in, and I navigate to a page that is not whitelisted, they are taken to the login page (without the login form, since they are already logged in) so they are essentially stuck on the empty login page and therefore they cannot access the page they are trying to, despite being logged in.

Is there a way to have the 'www' links redirect to my non www site before the user is forced to login?

Any help would be greatly appreciated.

Thanks!

I work with Force Login for the intern part of a beekeepers site. It works fine, but members are not able to setuo a new password, if they have forgotten their old.

Can anybody help us ? Sorry, but we are only users not coder.

Thanks, regards
Torsten