Pages freed from authentication

Usage The plugin will skip session validation for pages and query string parts entered here. It does so by checking whether or not each of individual entries in the Pages Blacklist occurs in the current request uri. For example, the wp-login.php entry in this list makes it possible that you can still navigate to the default WordPress login page and logon using a WordPress-only account, because the wp-login-php is blacklisted and hence when you navigate to that page, the plugin will cancel it’s validation routine.

Still allowing access to the (default) WordPress login form (e.g. /wp-login.php) is good practice because

  • It allows for both Office 365 users and WordPress-only accounts to sign into your website
  • It also permits administrators to still be able to navigate to the WordPress Admin area when the plugin is not working as expected or the Microsoft login service is not available.

When you change the Authentication scenario to Internet, the Pages Blacklist will disappear (professional, premium and intranet version only) and instead you can configure Private Pages. The other way around, the Pages Blacklist will re-appear when you change the Authentication Scenario back to Intranet.


  • Click "+" after you added a new value to the list.
  • Please be aware that excluding pages and query strings can potentially create security holes. To understand this, consider the case where you’d like to exclude an API with ?api=push and therefore you would add api as an entry to your Pages Blacklist. Now somebody could come and randomly add ?api to any page to disable authentication for that page. The plugin has implemented therefore a few measures to prevent misuse and if you would have entered api instead of ?api the plugin will assume you’d wanted to exclude a page instead and will automatically change the entry in the Pages Blacklist to /api. Obviously, this is not what you intended, but it prevents unwanted or even anonymous users from access your pages and data.

Default value Normally, there should not be a reason for you to change the default values:

  • /login/
  • admin-ajax.php
  • wp-cron.php
  • xmlrpc.php
  • /wp-login.php

unless you’re using

  • A customized login page
  • e-commerce plugins e.g. woo-commerce
  • custom plugins that provide APIs
  • other applications that call the WordPress REST API

Versions ALL

Visit the website

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us