Title: Headless Login Guard
Author: Andrew Wilkinson
Published: May 18, 2026
Last modified: May 18, 2026

---

![](https://ps.w.org/headless-login-guard/assets/banner-772x250.png?rev=3536308)

![](https://ps.w.org/headless-login-guard/assets/icon-256x256.png?rev=3536307)

# Headless Login Guard

 By [Andrew Wilkinson](https://profiles.wordpress.org/andrew40/)

[Download](https://downloads.wordpress.org/plugin/headless-login-guard.1.0.1.zip)


## Description

A lightweight plugin that **forces login for backend access** in a headless WordPress
setup. Keeps your WordPress dashboard private while allowing your front end (e.g.
Astro, Next.js) to pull content via GraphQL/REST.

#### What it does

 * Requires authentication for `/wp-admin/` and other backend pages
 * Always allows the login page to avoid redirect loops
 * Leaves key endpoints open for headless use:
    - `/wp-json/` (REST API)
    - `/graphql` (WPGraphQL)
    - `/wp-admin/admin-ajax.php` (AJAX)
    - `/wp-cron.php` (cron)
    - `/robots.txt`
    - `/sitemap*.xml` (sitemaps and indexes)
    - `/wp-content/uploads/*` (media)
    - `/favicon.ico`
    - `/newrelic` (New Relic monitoring)
 * Logged-in users visiting the backend root get redirected to the dashboard
 * Works with Bedrock layouts (handles root path vs `/wp/`)

#### Use case

 * WordPress is the content backend
 * Public site is built with Astro/Next.js/etc
 * Editors log in to WordPress. Visitors never see the backend
 * Front end builds and live pages can still query GraphQL/REST without authentication

#### Customization

Developers can customize allowed endpoints using the `force_login_allowed_patterns`
filter:

```php
add_filter('force_login_allowed_patterns', function($patterns) {
    $patterns[] = '#^/healthz$#';           // custom health check
    $patterns[] = '#^/status$#';            // uptime checks
    $patterns[] = '#^/wp-json/acf/v3/.*#';  // specific REST namespace
    return $patterns;
});
```
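Because every pattern added through the filter makes a path public, it helps to check new patterns before deploying them. The script below is an added example, not part of the plugin's code. It assumes each entry is a PCRE pattern matched with `preg_match()` against the request path. `audit_allow_patterns()`, the loose `#/status#` pattern and the sample paths are constructed for illustration.

```php
<?php
// Added example, not plugin code. Assumption: each allowlist entry is a PCRE
// pattern tested with preg_match() against the request path.

/**
 * Check custom allowlist patterns before registering them via the filter.
 * Returns a list of findings; an empty list means every check passed.
 */
function audit_allow_patterns(array $patterns, array $mustStayPrivate, array $mustBePublic): array
{
    $findings = [];
    $valid = [];
    foreach ($patterns as $pattern) {
        // preg_match() returns false when the pattern does not compile.
        if (@preg_match($pattern, '') === false) {
            $findings[] = "invalid regex: $pattern";
            continue;
        }
        // The character after the opening delimiter should be the start anchor.
        if (substr($pattern, 1, 1) !== '^') {
            $findings[] = "not anchored at start: $pattern";
        }
        $valid[] = $pattern;
    }
    // No allowlist pattern may match a path that must keep requiring login.
    foreach ($mustStayPrivate as $path) {
        foreach ($valid as $pattern) {
            if (preg_match($pattern, $path) === 1) {
                $findings[] = "$pattern exposes $path";
            }
        }
    }
    // Every path the front end depends on needs at least one matching pattern.
    foreach ($mustBePublic as $path) {
        $hits = array_filter($valid, fn($p) => preg_match($p, $path) === 1);
        if ($hits === []) {
            $findings[] = "no pattern allows $path";
        }
    }
    return $findings;
}

// Constructed sample input: the three patterns shown above plus one loose pattern.
$patterns = ['#^/healthz$#', '#^/status$#', '#^/wp-json/acf/v3/.*#', '#/status#'];
$private  = ['/wp-admin/', '/wp-admin/status'];
$public   = ['/healthz', '/wp-json/acf/v3/posts'];

foreach (audit_allow_patterns($patterns, $private, $public) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with the PHP CLI before adding patterns to the filter; the three anchored patterns from the snippet above produce no findings on their own.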

## Installation

 1. Upload the plugin files to the `/wp-content/plugins/force-login` directory, or 
    install the plugin through the WordPress plugins screen directly.
 2. Activate the plugin through the ‘Plugins’ screen in WordPress.
 3. The plugin will automatically start protecting your backend – no configuration 
    needed!

## FAQ

### I’m locked out! How do I access my site?

Visit `/wp-login.php` directly to sign in. The plugin always allows access to the
login page.

### My front-end requests are failing. What should I do?

Verify the endpoint is on the allow list. Check the plugin description for the default
allowed patterns, or use the `force_login_allowed_patterns` filter to add custom
endpoints.

### Does this work with Bedrock?

Yes! The plugin correctly handles both standard WordPress installs and Bedrock layouts
where the site URL and home URL may differ.

### Can I add custom endpoints?

Yes, use the `force_login_allowed_patterns` filter to add your own regex patterns
for additional endpoints that should remain public.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Headless Login Guard” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Andrew Wilkinson ](https://profiles.wordpress.org/andrew40/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/headless-login-guard/),
check out the [SVN repository](https://plugins.svn.wordpress.org/headless-login-guard/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/headless-login-guard/)
by [RSS](https://plugins.trac.wordpress.org/log/headless-login-guard/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.1

 * Added: New Relic monitoring endpoint allowlist pattern (`/newrelic`) to support
   APM monitoring
 * Added: WordPress.org plugin directory compatibility
 * Added: Proper plugin structure with activation/deactivation hooks
 * Added: Filter hook for customizing allowed patterns
 * Improved: Code organization and documentation

#### 1.0.0

 * Initial release
 * Restricts backend (`/wp-admin/`) to authenticated users
 * Allows GraphQL and REST API endpoints for headless front-ends
 * Basic whitelist of essential endpoints (cron, ajax, robots.txt, sitemaps, uploads)

## Meta

 * Version **1.0.1**
 * Last updated **8 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.0 or higher**
 * Tested up to **6.9.4**
 * PHP version **8.1 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/headless-login-guard/)
 * Tags: [GraphQL](https://test.wordpress.org/plugins/tags/graphql/), [headless](https://test.wordpress.org/plugins/tags/headless/),
   [login](https://test.wordpress.org/plugins/tags/login/), [rest-api](https://test.wordpress.org/plugins/tags/rest-api/),
   [security](https://test.wordpress.org/plugins/tags/security/)
 * [Advanced View](https://test.wordpress.org/plugins/headless-login-guard/advanced/)
