Changed: The “Force private” auth gate now works correctly when WordPress is installed in a subdirectory.
Changed: On activation the plugin now plants a small must-use companion (wp-content/mu-plugins/aioi-installing-gate.php); deactivation removes it. It closes a /wp-activate.php content-leak surface that the main plugin cannot reach on its own (see Fixed).
Changed: The post-login redirect URL is now sanitized and normalized when saved: a bare path such as dashboard is stored as /dashboard, while site-relative paths and full http(s) URLs are kept as entered.
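The normalization described in the entry above, as an added illustration that is not the plugin's own code: a bare path gains a leading slash, site-relative paths and http(s) URLs are kept. The rejection rules for other schemes, protocol-relative targets and control characters, and the option name aioi_example_redirect_url, are assumptions of this example.

```php
<?php
// Added example, not the plugin's code. Mirrors the stored forms the changelog
// describes; the rejections below are this example's own hardening choices.

/**
 * Return the stored form of a redirect target, or '' when it is rejected.
 *   bare path  'dashboard'                      -> '/dashboard'
 *   site path  '/wp-admin/'                     -> kept as entered
 *   absolute   'https://intranet.example/start' -> kept as entered
 * Rejected (assumption): other schemes such as javascript:, protocol-relative
 * '//host' targets, and control characters.
 */
function aioi_example_normalize_redirect( $raw ) {
    $value = trim( (string) $raw );
    if ( '' === $value ) {
        return '';
    }
    // Control characters (including CR/LF) never belong in a Location header.
    if ( preg_match( '/[\x00-\x1f\x7f]/', $value ) ) {
        return '';
    }
    // Full http(s) URL: keep as entered.
    if ( preg_match( '#^https?://#i', $value ) ) {
        return $value;
    }
    // Any other scheme (javascript:, data:, ftp:, ...) is rejected.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*:#i', $value ) ) {
        return '';
    }
    // Protocol-relative '//other.example' (or '/\') would leave the site: reject.
    if ( 0 === strpos( $value, '//' ) || 0 === strpos( $value, '/\\' ) ) {
        return '';
    }
    // Site-relative path is kept; a bare path gets its leading slash.
    if ( '/' === $value[0] ) {
        return $value;
    }
    return '/' . $value;
}

// Consumer side: hand the stored value to WordPress's own login_redirect
// filter. wp_safe_redirect() downstream still checks an absolute URL's host
// against allowed_redirect_hosts (core behaviour), so both layers apply.
function aioi_example_login_redirect( $redirect_to, $requested, $user ) {
    $stored = aioi_example_normalize_redirect( get_option( 'aioi_example_redirect_url', '' ) );
    return '' === $stored ? $redirect_to : $stored;
}
add_filter( 'login_redirect', 'aioi_example_login_redirect', 10, 3 );
```

Normalizing at save time (rather than at redirect time) means the stored value is always in one of the three accepted shapes, which makes later audits of the option table straightforward.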
Fixed: Closed multiple access-control bypasses in “Force private” mode that allowed unauthenticated visitors to read protected posts and feeds via crafted URLs.
Fixed: Closed a content-leak on “Force private” sites where unauthenticated visitors could read protected posts, feeds, and REST output through /robots.txt by overriding its query string (for example /robots.txt?robots=0&feed=rss2 or ?robots=0&p=N).
Fixed: Fixed unauthenticated post-slug enumeration via WordPress’s canonical redirect on pretty permalinks.
Fixed: Closed an access-control bypass on “Force private” sites where unauthenticated visitors could post comments and trackbacks to protected posts via wp-comments-post.php and wp-trackback.php.
Fixed: Closed a content-leak on single-site (and non-network-activated multisite) “Force private” installs where unauthenticated visitors could read RSS feeds and REST API output through /wp-activate.php (for example ?feed=rss2, ?p=N&feed=comments-rss2, or ?rest_route=/wp/v2/posts). WordPress core skips loading regular plugins on wp-activate.php because of WP_INSTALLING, so the gate is now enforced from a must-use companion file.
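The must-use companion mechanism from the "Changed" entry and the wp-activate.php fix above, as an added example that is not the plugin's own code. wp-settings.php loads mu-plugins unconditionally and only skips regular plugins when wp_installing() is true, which is why the gate has to live there. The option name aioi_example_force_private and the bundled source path companion/aioi-installing-gate.php are placeholders.

```php
<?php
// Added example, not the plugin's code. Part 1 belongs in the main plugin
// file; Part 2 is the contents of the companion file it copies into place.

/* ---- Part 1: main plugin file: plant / remove the companion ---- */

function aioi_example_companion_target() {
    return trailingslashit( WPMU_PLUGIN_DIR ) . 'aioi-installing-gate.php';
}

function aioi_example_plant_companion() {
    $source = plugin_dir_path( __FILE__ ) . 'companion/aioi-installing-gate.php'; // assumed layout
    if ( ! is_dir( WPMU_PLUGIN_DIR ) ) {
        wp_mkdir_p( WPMU_PLUGIN_DIR ); // mu-plugins/ is absent on many installs
    }
    // A regular file copy: WordPress only loads plain .php files from that directory.
    if ( ! copy( $source, aioi_example_companion_target() ) ) {
        // Surface the failure rather than silently leaving wp-activate.php ungated.
        error_log( 'aioi example: could not install the mu-plugin companion' );
    }
}
register_activation_hook( __FILE__, 'aioi_example_plant_companion' );

function aioi_example_remove_companion() {
    $target = aioi_example_companion_target();
    if ( file_exists( $target ) ) {
        unlink( $target );
    }
}
register_deactivation_hook( __FILE__, 'aioi_example_remove_companion' );

/* ---- Part 2: wp-content/mu-plugins/aioi-installing-gate.php (separate file,
   starts with its own <?php tag) ---- */

defined( 'ABSPATH' ) || exit;

function aioi_example_installing_gate() {
    // WP_INSTALLING is also set for genuine install/upgrade requests; act only
    // on wp-activate.php so those are never interrupted.
    $script = basename( isset( $_SERVER['SCRIPT_FILENAME'] ) ? $_SERVER['SCRIPT_FILENAME'] : '' );
    if ( ! wp_installing() || 'wp-activate.php' !== $script ) {
        return;
    }
    // Stay inert unless the main plugin's "Force private" switch is on
    // (placeholder option). This example assumes a single-site install; on a
    // network with open registration the activation page must remain public.
    if ( ! get_option( 'aioi_example_force_private' ) || is_user_logged_in() ) {
        return;
    }
    // 'init' fires before wp-blog-header.php parses ?feed= or ?rest_route=,
    // so nothing is rendered before the redirect to the login form.
    auth_redirect();
}
add_action( 'init', 'aioi_example_installing_gate', 0 );
```

A useful deployment check is to confirm the companion is still present after any operation that rewrites wp-content (deployments, restores): if it is missing while the main plugin is active, the wp-activate.php surface is open again.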
Fixed: Closed a content-leak on “Force private” sites where unauthenticated visitors could read the site’s blogroll (the OPML links export), title, and WordPress version through /wp-links-opml.php, which loads WordPress without firing the normal page-render auth gate.
Fixed: Closed an access-control bypass on “Force private” sites where unauthenticated visitors could reach the AJAX and form-handler endpoints (/wp-admin/admin-ajax.php and /wp-admin/admin-post.php). WordPress treats these as admin requests, so the normal page-render auth gate did not apply to them — any public (“nopriv”) action registered by the active theme or another plugin would run for logged-out visitors even though the site is private, potentially exposing data or triggering actions that should require a login. Both endpoints now require a valid login.
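The robots.txt, canonical-redirect, comment/trackback, OPML and admin-ajax/admin-post entries above all come down to where the gate is attached. This added example (not the plugin's code) shows a two-layer gate: one on template_redirect that exempts robots.txt only when WordPress itself parsed the request as the robots request, and one on init for scripts that never reach the template loader; a rest_authentication_errors filter covers ?rest_route= requests. It also applies the role and sub-site-membership rule from the next entry. The option name aioi_example_force_private is a placeholder.

```php
<?php
// Added example, not the plugin's code.

function aioi_example_force_private_enabled() {
    return (bool) get_option( 'aioi_example_force_private' ); // placeholder option
}

// A logged-in account with no role on this site counts as an outsider; on
// multisite, membership of the current sub-site is required too.
function aioi_example_user_allowed() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $user = wp_get_current_user();
    if ( is_super_admin( $user->ID ) ) {
        return true;
    }
    if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
        return false;
    }
    return ! empty( $user->roles );
}

/* Layer 1: normal front-end rendering (pages, feeds, ?p=N, pretty permalinks). */
function aioi_example_template_gate() {
    if ( ! aioi_example_force_private_enabled() || aioi_example_user_allowed() ) {
        return;
    }
    // is_robots() reflects the parsed query, not the request path. A path
    // check such as strpos( $_SERVER['REQUEST_URI'], '/robots.txt' ) would
    // still match /robots.txt?robots=0&feed=rss2, whose parsed query is a feed.
    if ( is_robots() ) {
        return;
    }
    // Priority 0 runs before redirect_canonical() (priority 10), so ?p=N is
    // answered with the login redirect, not with the post's pretty permalink.
    auth_redirect();
}
add_action( 'template_redirect', 'aioi_example_template_gate', 0 );

/* Layer 2: scripts that load WordPress but never run the template loader. */
function aioi_example_entrypoint_gate() {
    if ( ! aioi_example_force_private_enabled() || aioi_example_user_allowed() ) {
        return;
    }
    $gated = array(
        'wp-links-opml.php',    // OPML export: loads wp-load.php only
        'wp-comments-post.php', // comment submission
        'wp-trackback.php',     // trackback submission
        'admin-ajax.php',       // "nopriv" AJAX actions
        'admin-post.php',       // "nopriv" form handlers
    );
    $script = basename( isset( $_SERVER['SCRIPT_FILENAME'] ) ? $_SERVER['SCRIPT_FILENAME'] : '' );
    if ( ! in_array( $script, $gated, true ) ) {
        return;
    }
    if ( wp_doing_ajax() ) {
        // AJAX callers expect a JSON body, not a login page.
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }
    auth_redirect();
}
add_action( 'init', 'aioi_example_entrypoint_gate', 0 );

/* REST: refuse before any route handler runs. Pass through errors already set. */
function aioi_example_rest_gate( $result ) {
    if ( ! empty( $result ) || ! aioi_example_force_private_enabled() || aioi_example_user_allowed() ) {
        return $result;
    }
    return new WP_Error( 'rest_login_required', 'Authentication required.', array( 'status' => 401 ) );
}
add_filter( 'rest_authentication_errors', 'aioi_example_rest_gate' );
```

The script-name allow-list in layer 2 is the point to extend when another entry script turns up: anything that includes wp-load.php without wp-blog-header.php fires init but never template_redirect.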
Fixed: On “Force private” sites the REST API and comment/trackback gates now apply the same role and sub-site-membership checks as the rest of the site, so a logged-in user with no role (or who is not a member of the current sub-site) can no longer read REST API content or post comments that they would otherwise be blocked from.
Fixed: Additional “Force private” hardening: the inactivity auto-logout now bounces through a host-validated safe redirect instead of trusting the Host header, the network settings save now performs an explicit capability check, and the default sub-site member role is validated against the registered roles when saved.
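The three hardening points above, as an added example that is not the plugin's own code: a host-validated redirect for the auto-logout, an explicit capability check on the network settings save, and role validation against the registered role table. The option, action and field names (aioi_example_default_member_role, aioi_example_settings, default_member_role) are placeholders.

```php
<?php
// Added example, not the plugin's code.

/* 1. Inactivity auto-logout. wp_safe_redirect() keeps the target on this
 *    site's own host (or one listed via allowed_redirect_hosts) instead of
 *    trusting the client-controlled Host header. */
function aioi_example_auto_logout_redirect() {
    // Weak form, for contrast only: the host comes from the request.
    //   wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . '/wp-login.php?reason=timeout' );
    wp_logout();
    wp_safe_redirect( add_query_arg( 'reason', 'timeout', wp_login_url() ) );
    exit;
}

/* 2. Default sub-site member role: only a registered role is accepted. */
function aioi_example_validate_role( $role, $fallback = 'subscriber' ) {
    // wp_roles()->is_role() answers from the registered role table, so a
    // fabricated value such as 'administrator2' falls back to the default.
    return wp_roles()->is_role( $role ) ? $role : $fallback;
}

/* 3. Network settings save: capability check first, then the nonce, then
 *    validated input. Hooked on WordPress's network_admin_edit_{action}. */
function aioi_example_save_network_settings() {
    if ( ! current_user_can( 'manage_network_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'aioi_example_network_settings' );
    $role = isset( $_POST['default_member_role'] ) ? sanitize_key( $_POST['default_member_role'] ) : '';
    update_site_option( 'aioi_example_default_member_role', aioi_example_validate_role( $role ) );
    wp_safe_redirect( add_query_arg( 'updated', 'true', network_admin_url( 'settings.php?page=aioi-example' ) ) );
    exit;
}
add_action( 'network_admin_edit_aioi_example_settings', 'aioi_example_save_network_settings' );
```

The capability check sits before the nonce check on purpose: a valid nonce proves the request came from a form this user loaded, not that the user is allowed to change network-wide settings.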
Fixed: Minor robustness and standards fixes: the private-site robots.txt now includes a User-agent: * line, the plugin’s PHP files guard against direct access, and an internationalization issue in a registration warning notice is corrected.
1.8.1
Changed: Compatibility with WordPress 6.9.
Fixed: Made sure the XML-RPC endpoint is also safeguarded against unauthorized access.
1.8.0
IMPORTANT: The minimum WordPress version is now WordPress v5.5.
IMPORTANT: The minimum PHP version is now PHP v7.0.
Added: Multisite-specific options: “Require logged-in users to be members of a sub-site to view it”.
Added: “Sub-site Membership” – assign a user role for newly added users.
Changed: Compatibility with WordPress 6.6.
Fixed: Several security-related improvements in various parts of the plugin.
Fixed: Code style improvements.
1.7.1
Security update and added WordPress 5.7 compatibility.
1.7
Security update and added WordPress 5.6 compatibility.
1.6
Security update and added WordPress 5.4.1 compatibility.
1.5
Ready for WP 4.9. Disables unauthenticated calls to WP REST API by default.
1.4
Now supports localization – please contribute your translations!
1.3
Changed which WordPress hooks are used to check for auto-logout. This widens compatibility with certain themes.
1.2
On non-multisite WordPress, now restricts access to users who have no role, as well as those who aren’t logged in at all.