要求登录才能访问我的Wordpress网站

Question

I have a Wordpress site and I want to be locked to the public, as in redirects to login, unless you're registering. So right now the code I'm using is:

<?php
if ( is_user_logged_in() ) {

} else {
 $coolio=curPageURL();
 if (strpos($coolio,'register.php') !== false) {
 break;
 }
 else{
  echo "<script>window.location = 'http://example.com/wp-login.php'</script>";
  break;
 }
 if (strpos($coolio,'login.php') !== false) {
 break;
 }
 else{
  echo "<script>window.location = 'http://example.com/wp-login.php'</script>";
  break;
 }
}
?>

Seems like it should work, but it creates an infinite loop on any page I go to. Does anybody know why?

Note: curPageUrl just returns current page url.

Answer 1

The code you posted has some significant security issues:

• A user can simply disable Javascript to prevent being redirected.
• A user can simply add ?register.php to the URL to avoid triggering the redirect code.

Instead, use a server-side session variable check. If a 'logged in' flag is not set within the session, then you redirect to the login page.

This has 2 massive advantages:

1. the logged in state is kept somewhere where the user can't do anything to manipulate it, EXCEPT by logging in
2. If a malicious user just trashes the session cookie, they'll just get a new blank session and be considered "not logged in", and just get redirected again anyways.

Answer 2

I wouldn't use JavaScript for the redirect, do it with php.

Second do this logic instead:

if(!($_SESSION["loggedin"]== 1))
{
    if(!(stripos($url,'register.php')))
    {
        header('Location: http://example.com/wp-login.php', true, 302);
        exit;
    }
}