• Hi there, great plugin, although I noticed it only worked when I’m logged in as an Admin and testing it, if logged in as a user or just a visitor, it doesn’t work, just a spinning icon, any recommendations??

    I do have my htaccess file redirecting all users from accessing the wp-admin except for the administrator, could that be why??

    If so, any alternatives?? I have no choice but to block wp-admin folder since the theme I’m using doesn’t offer built-in Back-office access restrictions

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter Fanaticweb

    (@fanaticweb)

    Hi, forgot to mention also that I’m using the plugin “Search everything” in parallel with your plugin, just in case this might be causing a conflict

    Plugin Author Dana Ross

    (@csixty4)

    My plugin uses WordPress’s standard, supported AJAX API, which requires me to send requests to wp-admin/admin-ajax.php. You need to either remove your .htaccess restriction on wp-admin or make an exception for admin-ajax.php, or else this and other AJAX plugins will break.

    Thread Starter Fanaticweb

    (@fanaticweb)

    Hi Dave,

    I made a mistake, the wp-admin restriction is declared in the theme’s functions.php file and not in the htaccess file, meanwhile, I tried adding the following in the htaccess file to no avail:

    #allow admin-ajax access
    <files wp-admin/admin-ajax.php>
    Order allow,deny
    allow from all
    Satisfy any
    </files>

    My functions.php file has:
    // block WP admin access
    function prevent_admin_access() {
        if (strpos(strtolower($_SERVER['REQUEST_URI']), '/wp-admin') !== false && !current_user_can('administrator')) {
            wp_redirect(get_option('siteurl'));
        }
    }

    add_action('init', 'prevent_admin_access', 0);

    I went on to the link you provided in one of your replies (http://www.nkuttler.de/post/htaccess-protect-wordpress-admin) and I couldn’t figure out how else to enable the access to the ajax-admin file.

    I would really appreciate any feedback or help on this one to justify the activation of your plugin.

    Plugin Author Dana Ross

    (@csixty4)

    Sounds like you need to get in touch with the person/people who made your theme. Nothing you put in .htaccess can override that kind of restriction, because functions.php is run well after .htaccess.

    This kind of setup will cause problems for any plugin which does AJAX calls “by the book”. I’m sure they’ll want to get that addressed in the next version of the theme. Feel free to have them get in touch with me if they need details (dave@davidmichaelross.com).
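
One way a functions.php restriction can keep non-administrators out of the dashboard while leaving admin-ajax.php reachable, as an added example that is not the theme's code or the plugin author's. The `fw_` prefix, the `manage_options` capability as the test for an administrator, and the front page as redirect target are assumptions.

```php
<?php
// Added example: not the theme's code and not the plugin author's.
// Assumptions: the fw_ prefix, the 'manage_options' capability as the
// definition of "administrator", and the front page as redirect target.

/**
 * Decide whether a wp-admin request should be sent back to the front page.
 * Kept free of WordPress calls so the rule can be checked on its own.
 *
 * @param string $script_name $_SERVER['SCRIPT_NAME'], the file actually executing
 * @param bool   $can_manage  result of current_user_can('manage_options')
 */
function fw_blocks_dashboard(string $script_name, bool $can_manage): bool
{
    if ($can_manage) {
        return false; // administrators keep full dashboard access
    }
    // admin-ajax.php lives under wp-admin but serves front-end AJAX for
    // visitors and subscribers, so it must stay reachable.
    return basename($script_name) !== 'admin-ajax.php';
}

if (function_exists('add_action')) {
    // Inside WordPress: admin_init fires for dashboard pages and for
    // admin-ajax.php, but not for front-end page loads.
    add_action('admin_init', function () {
        $script = $_SERVER['SCRIPT_NAME'] ?? '';
        if (fw_blocks_dashboard($script, current_user_can('manage_options'))) {
            wp_safe_redirect(home_url('/'));
            exit; // without exit the dashboard page would still be rendered
        }
    }, 0);
} else {
    // Run directly with the PHP CLI: constructed requests, expected outcome.
    $cases = [
        ['/wp-admin/index.php',      false, true],  // visitor, dashboard
        ['/wp-admin/admin-ajax.php', false, false], // visitor, AJAX
        ['/wp-admin/index.php',      true,  false], // administrator
    ];
    foreach ($cases as [$script, $can_manage, $expected]) {
        $got = fw_blocks_dashboard($script, $can_manage);
        printf("%-26s admin=%d blocked=%d %s\n", $script, $can_manage, $got,
            $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Because admin-ajax.php stays open to anonymous requests, every AJAX handler registered on the site still needs its own nonce and capability checks.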

    Plugin Author Dana Ross

    (@csixty4)

    This might help make the case to the plugin author(s) about fixing their restrictions: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin

    Adding server-side password protection to /wp-admin/ adds a 2nd layer of protection around your blog’s admin area, login, and files. This forces an attacker or bot to attack this 2nd layer of protection instead of your actual admin files. Most of the time WordPress attacks are carried out autonomously by a malicious software bot. But simply securing the wp-admin/ directory might also break some WordPress functionality, because the Ajax handler wp-admin/ajax-admin.php and other files can’t be accessed without the password. See the #Resources section for more documentation on how to password protect your wp-admin/ directory properly.

    Thread Starter Fanaticweb

    (@fanaticweb)

    Dave, thank you very much for your feedback and research on this matter, I’ll definitely address it to the developer, he’s usually very prompt on updating the theme, at first I was sure it was a syntax error in my htaccess in regards to pointing to the ajax file, I was hoping to find the extra code to place in the functions.php file to allow the access to the sub-folder of wp-admin, but I guess not.

    I’m a newb, hope you figured that much, but I like to dig in and learn this stuff, very interesting.

    On a side note, GREAT plugin by all means!

    Thread Starter Fanaticweb

    (@fanaticweb)

    Dave, I got it to work finally by installing a plugin (wp admin block) which allowed access to your plugin’s required file calling hence me removing the manual code that I had added in the functions file that restricted the wp-admin access, A1! 🙂

  • The topic ‘Live search only works when logged in as Admin’ is closed to new replies.