Headless Login Guard

A lightweight plugin that forces login for backend access in a headless WordPress setup. Keeps your WordPress dashboard private while allowing your front end (e.g. Astro, Next.js) to pull content via GraphQL/REST.

What it does

• Requires authentication for /wp-admin/ and other backend pages
• Always allows the login page to avoid redirect loops
• Leaves key endpoints open for headless use:
  • /wp-json/ (REST API)
  • /graphql (WPGraphQL)
  • /wp-admin/admin-ajax.php (AJAX)
  • /wp-cron.php (cron)
  • /robots.txt
  • /sitemap*.xml (sitemaps and indexes)
  • /wp-content/uploads/* (media)
  • /favicon.ico
  • /newrelic (New Relic monitoring)
• Logged-in users visiting the backend root get redirected to the dashboard
• Works with Bedrock layouts (handles root path vs /wp/)

Use case

• WordPress is the content backend
• Public site is built with Astro/Next.js/etc
• Editors log in to WordPress. Visitors never see the backend
• Front end builds and live pages can still query GraphQL/REST without authentication

Customization

Developers can customize allowed endpoints using the force_login_allowed_patterns filter:

add_filter('force_login_allowed_patterns', function($patterns) {
    $patterns[] = '#^/healthz$#';           // custom health check
    $patterns[] = '#^/status$#';            // uptime checks
    $patterns[] = '#^/wp-json/acf/v3/.*#';  // specific REST namespace
    return $patterns;
});