Headless Login Guard
Forces login for backend access in headless WordPress setups while allowing GraphQL/REST API endpoints and essential paths.
A lightweight plugin that forces login for backend access in a headless WordPress setup. Keeps your WordPress dashboard private while allowing your front end (e.g. Astro, Next.js) to pull content via GraphQL/REST.
What it does
- Requires authentication for /wp-admin/ and other backend pages
- Always allows the login page to avoid redirect loops
- Leaves key endpoints open for headless use:
  - /wp-json/ (REST API)
  - /graphql (WPGraphQL)
  - /wp-admin/admin-ajax.php (AJAX)
  - /wp-cron.php (cron)
  - /robots.txt
  - /sitemap*.xml (sitemaps and indexes)
  - /wp-content/uploads/* (media)
  - /favicon.ico
  - /newrelic (New Relic monitoring)
- Logged-in users visiting the backend root get redirected to the dashboard
- Works with Bedrock layouts (handles root path vs /wp/)
Use case
- WordPress is the content backend
- Public site is built with Astro, Next.js, etc.
- Editors log in to WordPress. Visitors never see the backend
- Front end builds and live pages can still query GraphQL/REST without authentication
Customization
Developers can customize allowed endpoints using the force_login_allowed_patterns filter:
add_filter('force_login_allowed_patterns', function($patterns) {
    $patterns[] = '#^/healthz$#';           // custom health check
    $patterns[] = '#^/status$#';            // uptime checks
    $patterns[] = '#^/wp-json/acf/v3/.*#';  // specific REST namespace
    return $patterns;
});
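Because every pattern you add through this filter widens what is reachable without a login, it is worth checking how your patterns match before deploying them. The following is an added example, not the plugin's own code: it assumes the plugin calls preg_match() with each allowed pattern against the request path (query string stripped) and skips the login redirect on the first match, and the default list, the hlg_* helpers and my_site_allowed_patterns() are stand-ins constructed here for illustration.

```php
<?php
// Added illustration for this README, not the plugin's own code.
// Assumption: the plugin loops over the filtered patterns and runs
// preg_match() on the request path (query string stripped); the first
// match skips the login redirect. Check this against the plugin source.

// Constructed stand-in for the default allow-list, built from the
// paths listed under "What it does" above.
function hlg_default_patterns(): array {
    return [
        '#^/wp-json/#', '#^/graphql$#', '#^/wp-admin/admin-ajax\.php$#',
        '#^/wp-cron\.php$#', '#^/robots\.txt$#', '#^/sitemap.*\.xml$#',
        '#^/wp-content/uploads/#', '#^/favicon\.ico$#', '#^/newrelic#',
    ];
}

// Site-specific additions, as you would register through the filter.
// Anchor with "$" unless you really intend a prefix match.
function my_site_allowed_patterns(array $patterns): array {
    $patterns[] = '#^/healthz$#';            // exact path only
    $patterns[] = '#^/wp-json/acf/v3/.*#';   // whole REST namespace (prefix)
    return $patterns;
}
if (function_exists('add_filter')) {
    add_filter('force_login_allowed_patterns', 'my_site_allowed_patterns');
}

// Decide whether a request path may be served without a login.
function hlg_is_path_allowed(string $uri, array $patterns): bool {
    $path = parse_url($uri, PHP_URL_PATH) ?: $uri; // drop ?query / #fragment
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $path) === 1) {
            return true;
        }
    }
    return false;
}

// Self-check outside WordPress: apply the filter callback directly.
$patterns = my_site_allowed_patterns(hlg_default_patterns());
$cases = [                                    // constructed sample requests
    '/healthz'                     => true,   // exact match
    '/healthz/extra'               => false,  // "$" rejects longer paths
    '/wp-json/acf/v3/posts?page=2' => true,   // query string ignored
    '/wp-admin/'                   => false,  // still requires login
    '/wp-admin/admin-ajax.php'     => true,
    '/sitemap-posts.xml'           => true,
];
foreach ($cases as $uri => $expected) {
    $got = hlg_is_path_allowed($uri, $patterns);
    printf("%-32s %s\n", $uri, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php check-patterns.php`; any line printing MISMATCH means a pattern is looser or tighter than you intended.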
