Guys,
I’m also interested in this request. You allow me to use admin-ajax.php but not admin-post.php. If somebody wants to fix this, then you need to modify the /core/modules/hide-backend/class-itsec-hide-backend.php file at line 161:
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false
to
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false && strpos( $_SERVER['REQUEST_URI'], 'admin-post.php' )
I don’t know the objectives why this file was blocked, so do this at your own risk. I created a separate request here:
https://wordpress.org/support/topic/hide-backend-feature-doesnt-allow-me-to-use-admin-postphp?replies=1#post-8751645
@0xff
Correction:
… modify /core/modules/hide-backend/class-itsec-hide-backend.php file and lines 161/162:
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false
&& $this->auth_cookie_expired === false
to:
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false
&& strpos( $_SERVER['REQUEST_URI'], 'admin-post.php' ) === false
&& $this->auth_cookie_expired === false
dwinden
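The two-line condition in dwinden’s correction, written out as a standalone function so the exemption logic can be reviewed on its own. This is an added illustration, not code from the iThemes Security plugin; the function name, the parameter names and the allow-list array are hypothetical, but the `strpos` matching and the `auth_cookie_expired` clause mirror the lines quoted above.

```php
<?php
// Added illustration (not iThemes Security code): the Hide Backend check from
// lines 161/162, expressed as a function over an explicit allow-list. Names
// are hypothetical; the matching semantics mirror the quoted condition.

/**
 * Return true when the Hide Backend handling should apply to this request,
 * i.e. when the URI names none of the exempt files and the plugin has not
 * flagged the auth cookie as expired. Returning false means "leave the
 * request alone", which is what the admin-ajax.php exception achieves.
 *
 * @param string   $request_uri         Raw $_SERVER['REQUEST_URI'] value.
 * @param bool     $auth_cookie_expired Equivalent of $this->auth_cookie_expired.
 * @param string[] $exempt_files        Files that must stay reachable.
 */
function example_hide_backend_applies( $request_uri, $auth_cookie_expired, $exempt_files = array( 'admin-ajax.php', 'admin-post.php' ) ) {
    foreach ( $exempt_files as $file ) {
        // Like the original, strpos() matches the filename anywhere in the
        // URI (path or query string), not only as the final path segment.
        if ( strpos( $request_uri, $file ) !== false ) {
            return false;
        }
    }
    // Mirrors the trailing `&& $this->auth_cookie_expired === false` clause.
    return $auth_cookie_expired === false;
}

// Constructed sample requests to exercise the function.
$samples = array(
    '/wp-admin/admin-ajax.php?action=heartbeat' => false, // exempt: ajax
    '/wp-admin/admin-post.php'                  => false, // exempt after the patch
    '/wp-admin/edit.php'                        => true,  // normal backend request
);
foreach ( $samples as $uri => $expected ) {
    $got = example_hide_backend_applies( $uri, false );
    printf( "%-45s applies=%s expected=%s\n", $uri, var_export( $got, true ), var_export( $expected, true ) );
}
```

Keeping the allow-list in one array makes the intent of the patch explicit: each entry is a file that must remain reachable under the real wp-admin path, and anyone auditing the change can see exactly which files bypass the hide-backend handling.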
@dwinden
Thanks for your corrections; they will be useful for upcoming users. But I would like to know why this file was blocked. Are there any security issues that I can expect? If not, then when would this patch be included in the plugin?
0xff
@0xff
By default WordPress does not make use of the admin-post.php file.
Delete it and a vanilla WordPress env will continue to function without a bleep.
However, the admin-ajax.php file is used by WordPress core in e.g. the WordPress Heartbeat API.
Deleting this file will break a vanilla WordPress env.
So that’s probably why the iTSec plugin Hide Backend feature includes an exception for the admin-ajax.php file but not for the admin-post.php file.
Adding an exception for the admin-post.php file to the Hide Backend code is probably no security risk (provided the admin-post.php file is used properly in a form).
Note I’m not an iThemes employee.
dwinden
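What “used properly in a form” means in practice for admin-post.php: the handler hangs off the `admin_post_{action}` hook, verifies a nonce, enforces a capability itself, sanitizes input and redirects. This is an added example, not code from WordPress core or the iThemes plugin; the action name `example_save_setting`, the option key `example_setting` and the field name `example_value` are hypothetical, while the WordPress functions and hooks used are real core APIs.

```php
<?php
// Added illustration (not WordPress core or iThemes Security code) of an
// admin-post.php handler that applies the checks admin-post.php itself does
// not perform. Action name, option key and field name are hypothetical.

// admin-post.php dispatches to admin_post_{action} for logged-in users only;
// logged-out requests go to admin_post_nopriv_{action}, which is not hooked here.
add_action( 'admin_post_example_save_setting', 'example_handle_save_setting' );

function example_handle_save_setting() {
    // 1. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'example_save_setting' );

    // 2. Authorization: being logged in is all admin-post.php requires, so the
    //    handler must enforce the capability the operation actually needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize input before persisting it.
    $value = isset( $_POST['example_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_value'] ) )
        : '';
    update_option( 'example_setting', $value );

    // 4. Post/Redirect/Get: send the browser back instead of rendering here.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'example_saved', '1', $back ) );
    exit;
}

// The form that posts to admin-post.php. admin_url() resolves to the real
// wp-admin path, which is why Hide Backend needs an exception for this file.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_setting">
        <?php wp_nonce_field( 'example_save_setting' ); ?>
        <input type="text" name="example_value">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce and capability checks are the part that matters for dwinden’s caveat: admin-post.php only routes the request to whatever handler is registered for the `action` value, so any handler reachable through it must assume the request may be forged or come from a low-privilege account and verify both before changing state.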