Title: Headless Login Guard
Author: Andrew Wilkinson
Published: <strong>18 de maig de 2026</strong>
Last modified: 18 de maig de 2026

---

Cerca extensions

![](https://ps.w.org/headless-login-guard/assets/banner-772x250.png?rev=3536308)

![](https://ps.w.org/headless-login-guard/assets/icon-256x256.png?rev=3536307)

# Headless Login Guard

 Per [Andrew Wilkinson](https://profiles.wordpress.org/andrew40/)

[Baixa](https://downloads.wordpress.org/plugin/headless-login-guard.1.0.1.zip)

 * [Detalls](https://ca.wordpress.org/plugins/headless-login-guard/#description)
 * [Ressenyes](https://ca.wordpress.org/plugins/headless-login-guard/#reviews)
 *  [Instal·lació](https://ca.wordpress.org/plugins/headless-login-guard/#installation)
 * [Desenvolupament](https://ca.wordpress.org/plugins/headless-login-guard/#developers)

 [Suport](https://wordpress.org/support/plugin/headless-login-guard/)

## Descripció

A lightweight plugin that **forces login for backend access** in a headless WordPress
setup. Keeps your WordPress dashboard private while allowing your front end (e.g.
Astro, Next.js) to pull content via GraphQL/REST.

#### What it does

 * Requires authentication for `/wp-admin/` and other backend pages
 * Always allows the login page to avoid redirect loops
 * Leaves key endpoints open for headless use:
    - `/wp-json/` (REST API)
    - `/graphql` (WPGraphQL)
    - `/wp-admin/admin-ajax.php` (AJAX)
    - `/wp-cron.php` (cron)
    - `/robots.txt`
    - `/sitemap*.xml` (sitemaps and indexes)
    - `/wp-content/uploads/*` (media)
    - `/favicon.ico`
    - `/newrelic` (New Relic monitoring)
 * Logged-in users visiting the backend root get redirected to the dashboard
 * Works with Bedrock layouts (handles root path vs `/wp/`)

#### Use case

 * WordPress is the content backend
 * Public site is built with Astro/Next.js/etc
 * Editors log in to WordPress. Visitors never see the backend
 * Front end builds and live pages can still query GraphQL/REST without authentication

#### Customization

Developers can customize allowed endpoints using the `force_login_allowed_patterns`
filter:

    ```
    add_filter('force_login_allowed_patterns', function($patterns) {
        $patterns[] = '#^/healthz$#';           // custom health check
        $patterns[] = '#^/status$#';            // uptime checks
        $patterns[] = '#^/wp-json/acf/v3/.*#';  // specific REST namespace
        return $patterns;
    });
    ```

## Instal·lació

 1. Upload the plugin files to the `/wp-content/plugins/force-login` directory, or 
    install the plugin through the WordPress plugins screen directly.
 2. Activate the plugin through the ‘Plugins’ screen in WordPress.
 3. The plugin will automatically start protecting your backend – no configuration 
    needed!

## PMF

### I’m locked out! How do I access my site?

Visit `/wp-login.php` directly to sign in. The plugin always allows access to the
login page.

### My front-end requests are failing. What should I do?

Verify the endpoint is on the allow list. Check the plugin description for the default
allowed patterns, or use the `force_login_allowed_patterns` filter to add custom
endpoints.

### Does this work with Bedrock?

Yes! The plugin correctly handles both standard WordPress installs and Bedrock layouts
where the site URL and home URL may differ.

### Can I add custom endpoints?

Yes, use the `force_login_allowed_patterns` filter to add your own regex patterns
for additional endpoints that should remain public.

## Ressenyes

No hi ha ressenyes per a aquesta extensió.

## Col·laboradors i desenvolupadors

«Headless Login Guard» és programari de codi obert. La següent gent ha col·laborat
en aquesta extensió.

Col·laboradors

 *   [ Andrew Wilkinson ](https://profiles.wordpress.org/andrew40/)

[Traduïu «Headless Login Guard» a la vostra llengua.](https://translate.wordpress.org/projects/wp-plugins/headless-login-guard)

### Interessats en el desenvolupament?

[Navegueu pel codi](https://plugins.trac.wordpress.org/browser/headless-login-guard/),
baixeu-vos el [repositori SVN](https://plugins.svn.wordpress.org/headless-login-guard/),
o subscriviu-vos al [registre de desenvolupament](https://plugins.trac.wordpress.org/log/headless-login-guard/)
per [fisl de subscripció RSS](https://plugins.trac.wordpress.org/log/headless-login-guard/?limit=100&mode=stop_on_copy&format=rss).

## Registre de canvis

#### 1.0.1

 * Added: New Relic monitoring endpoint allowlist pattern (`/newrelic`) to support
   APM monitoring
 * Added: WordPress.org plugin directory compatibility
 * Added: Proper plugin structure with activation/deactivation hooks
 * Added: Filter hook for customizing allowed patterns
 * Improved: Code organization and documentation

#### 1.0.0

 * Initial release
 * Restricts backend (`/wp-admin/`) to authenticated users
 * Allows GraphQL and REST API endpoints for headless front-ends
 * Basic whitelist of essential endpoints (cron, ajax, robots.txt, sitemaps, uploads)

## Meta

 *  Versió **1.0.1**
 *  Darrera actualització **fa 4 setmanes**
 *  Instal·lacions actives **Menys de 10**
 *  Versió del WordPress ** 6.0 o posterior **
 *  Provada fins a **6.9.4**
 *  Versió del PHP ** 8.1 o posterior **
 *  Idioma
 * [English (US)](https://wordpress.org/plugins/headless-login-guard/)
 * Etiquetes
 * [GraphQL](https://ca.wordpress.org/plugins/tags/graphql/)[headless](https://ca.wordpress.org/plugins/tags/headless/)
   [login](https://ca.wordpress.org/plugins/tags/login/)[rest-api](https://ca.wordpress.org/plugins/tags/rest-api/)
   [security](https://ca.wordpress.org/plugins/tags/security/)
 *  [Vista avançada](https://ca.wordpress.org/plugins/headless-login-guard/advanced/)

## Valoracions

Encara no s'ha enviat cap ressenya.

[Your review](https://wordpress.org/support/plugin/headless-login-guard/reviews/#new-post)

[Visualitzeu totes les ressenyes](https://wordpress.org/support/plugin/headless-login-guard/reviews/)

## Col·laboradors

 *   [ Andrew Wilkinson ](https://profiles.wordpress.org/andrew40/)

## Suport

Teniu quelcom a dir? Necessiteu ajuda?

 [Visualitza els fòrums de suport](https://wordpress.org/support/plugin/headless-login-guard/)