Title: Exception for wp-admin/admin-post.php
Last modified: September 1, 2016

---

# Exception for wp-admin/admin-post.php

 *  [maku8](https://wordpress.org/support/users/maku8/)
 * (@maku8)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/)
 * Good morning,
 * I want to use the admin-post hook but the server returns a 404 error and it’s
   because of iThemes security. I know because I can do post and get requests when
   the plugin is deactivated.
 * Does somebody know how to write an exception for this file?
 * I tried this in the htaccess file but it doesn’t work:
 *     ```
       # BEGIN iThemes Security – Do not modify or remove this line
       # iThemes Security Config Details: 2
       # Enable the hide backend feature – Security > Settings > Hide Login Area > Hide Backend
       RewriteRule ^(/)?connexion/?$ /wp-login.php [QSA,L]
       RewriteRule ^(/)?adminpost/? /wp-admin/admin-post.php [QSA,L]
       # END iThemes Security – Do not modify or remove this line
       ```
 * This is the kind of request I want to do:
    [http://test.com/wp-admin/admin-post.php/?action=activate_account&login=solajopert&activation-account-nonce=fd140ebdff](http://test.com/wp-admin/admin-post.php/?action=activate_account&login=solajopert&activation-account-nonce=fd140ebdff)
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [0xff](https://wordpress.org/support/users/0xff-1/)
 * (@0xff-1)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/#post-7634358)
 * Guys,
 * I’m also interested in this request. You allow me to use **admin-ajax.php** but
   not **admin-post.php**. If somebody wants to fix this then you need to modify
   **/core/modules/hide-backend/class-itsec-hide-backend.php** file and line 161:
 * `strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false`
    to `strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false && strpos( $_SERVER['REQUEST_URI'], 'admin-post.php' )`
 * I don’t know the objectives why this file was blocked so do this at your own
   risk. I created a separate request here:
    [https://wordpress.org/support/topic/hide-backend-feature-doesnt-allow-me-to-use-admin-postphp?replies=1#post-8751645](https://wordpress.org/support/topic/hide-backend-feature-doesnt-allow-me-to-use-admin-postphp?replies=1#post-8751645)
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/#post-7634360)
 * @0xff
 * Correction:
 * … modify **/core/modules/hide-backend/class-itsec-hide-backend.php** file and
   lines 161/162:
 *     ```
       strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false
       && $this->auth_cookie_expired === false
       ```
   
 * to:
 *     ```
       strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false
       && strpos( $_SERVER['REQUEST_URI'], 'admin-post.php' ) === false
       && $this->auth_cookie_expired === false
       ```
   
 * dwinden
 *  [0xff](https://wordpress.org/support/users/0xff-1/)
 * (@0xff-1)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/#post-7634361)
 * [@dwinden](https://wordpress.org/support/users/dwinden/)
 * Thanks for your corrections, they would be useful for upcoming users. But I would
   like to know why this file was blocked. Are there any security issues that I can
   expect? If not, then when will this patch be included in the plugin?
 * 0xff
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/#post-7634362)
 * @0xff
 * By default WordPress does not make use of the **admin-post.php** file.
    Delete it and a vanilla WordPress env will continue to function without a bleep.
 * However the **admin-ajax.php** file is used by WordPress core in e.g. the WordPress
   Heartbeat API.
    Deleting this file will break a vanilla WordPress env.
 * So that’s probably why the iTSec plugin Hide Backend feature includes an exception
   for the admin-ajax.php file but not for the admin-post.php file.
 * Adding an exception for the admin-post.php file to the Hide Backend code is probably
   no security risk (provided the admin-post.php file is used properly in a form).
 * Note I’m not an iThemes employee.
 * dwinden
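
One way to use admin-post.php "properly", in the sense of dwinden's last reply, for the activation request shown in the first post. This is an added example, not code from the thread or from the plugin; the function name, the nonce action string, the `account_activated` meta key and the redirect target are assumptions.

```php
<?php
/**
 * Added example: handler for ?action=activate_account sent to
 * wp-admin/admin-post.php. Names marked "assumed" are illustrative.
 */

// A visitor following an activation link is logged out, so admin-post.php
// fires admin_post_nopriv_{action}; admin_post_{action} covers logged-in users.
add_action( 'admin_post_nopriv_activate_account', 'example_activate_account' );
add_action( 'admin_post_activate_account', 'example_activate_account' );

function example_activate_account() { // assumed function name
    // Read and normalise both parameters before using them.
    $login = isset( $_GET['login'] )
        ? sanitize_user( wp_unslash( $_GET['login'] ), true )
        : '';
    $nonce = isset( $_GET['activation-account-nonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['activation-account-nonce'] ) )
        : '';

    // Bind the nonce to the login (assumed action string) so a link issued
    // for one account does not verify with a different login value.
    $valid = '' !== $login
        && wp_verify_nonce( $nonce, 'activate_account_' . $login );

    $user = $valid ? get_user_by( 'login', $login ) : false;

    if ( ! $user ) {
        // One response for every failure, so the endpoint does not
        // reveal which logins exist.
        wp_die(
            'Invalid or expired activation link.',
            'Activation failed',
            array( 'response' => 403 )
        );
    }

    // Assumed meta key recording that the account is active.
    update_user_meta( $user->ID, 'account_activated', 1 );

    // admin-post.php prints nothing itself: redirect and stop.
    wp_safe_redirect( home_url( '/?activated=1' ) ); // assumed target
    exit;
}
```

WordPress nonces depend on the current user and expire after at most a day by default, so the link has to be generated with `wp_create_nonce()` in the same logged-out state in which it is later verified.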


The topic ‘Exception for wp-admin/admin-post.php’ is closed to new replies.


 * 4 replies
 * 3 participants
 * Last reply from: [dwinden](https://wordpress.org/support/users/dwinden/)
 * Last activity: [9 years, 9 months ago](https://wordpress.org/support/topic/exception-for-wp-adminadmin-postphp/#post-7634362)
 * Status: not resolved