Members-Plugin-Fix-Documentation
Members Plugin Private Site Fix
Issue Summary
This document provides a solution for maintaining the use of the Members plugin (not MemberPress) with the Private Site feature enabled, while preventing users from being unexpectedly logged out. The fix has been tested on a Pantheon multi-dev environment and resolves issues with the "Upload Top Agents" page and favicon loading.
Root Cause Analysis
The root cause of the logout issue stems from WordPress's handling of HTTP status codes, specifically 404 (Not Found) and 302 (Found) responses. WordPress doesn't always handle these status codes cleanly, which can interfere with session cookie persistence, particularly when combined with edge caching mechanisms on platforms like Pantheon.
Technical Background
- 404 Status Codes: When WordPress encounters a missing resource (CSS, JS, images, etc.), it may not properly handle the 404 response in relation to authentication checks
- 302 Redirects: Temporary redirects can disrupt the authentication flow, especially when the Members plugin's Private Site feature is active
- Edge Caching: Pantheon's edge caching can amplify these issues by serving cached 404/302 responses that bypass proper authentication checks
For more information on HTTP status codes and their proper handling:
Solution
The fix involves creating a Must-Use (MU) plugin that intercepts the Members plugin's authentication redirect logic and adds intelligent path checking to prevent unnecessary redirects for static assets and other non-content requests.
Installation Instructions
-
Copy the Plugin: You can obtain the plugin file in one of two ways:
- From Pantheon Multi-Dev: Copy
members-plugin-fix.phpfrom the pantheonsa multi-dev environment at:/wp-content/mu-plugins/members-plugin-fix.php - From Code Below: Create a new file with the plugin code provided in the "Plugin Code" section
- From Pantheon Multi-Dev: Copy
-
Upload to Your Site:
- Copy the
members-plugin-fix.phpfile to your branch'swp-content/mu-plugins/directory
- Copy the
-
Configure Path Variables (if needed):
- The
$skip_due_to_pathvariable may need adjustment if there are additional file extensions to be considered.
- The
Plugin Code
<?php
/**
* Prevent Members' Private Site from redirecting static or broken asset requests.
* Solves logout issues on Pantheon when requesting missing CSS/JS/etc.
*/
add_action('plugins_loaded', function () {
if (! function_exists('members_get_setting')) {
return;
}
remove_action('template_redirect', 'members_please_log_in', 0);
add_action('template_redirect', function () {
$request_uri = $_SERVER['REQUEST_URI'] ?? '';
// Bypass redirect if accessing an asset-like path
$skip_due_to_path = preg_match('#\.(css|js|jpg|jpeg|png|gif|webp|ico|woff2?|ttf|eot|svg)(\?.*)?$#i', $request_uri)
|| str_starts_with($request_uri, '/node_modules/')
|| str_starts_with($request_uri, '/wp-content/themes/')
|| str_starts_with($request_uri, '/wp-content/plugins/');
if (
members_get_setting('private_blog') &&
! is_user_logged_in() &&
! is_admin() &&
! is_feed() &&
! is_404() &&
! $skip_due_to_path
) {
auth_redirect();
}
}, 0);
});
How the Fix Works
- Plugin Detection: The code first checks if the Members plugin is active by verifying the
members_get_setting()function exists - Remove Original Logic: It removes the default Members plugin redirect action
- Smart Path Detection: It implements intelligent path checking to identify static assets and other non-content requests
- Conditional Redirect: Only redirects to login when:
- Private blog is enabled
- User is not logged in
- Not in admin area
- Not a feed request
- Not a 404 page
- Not accessing a static asset or specific path
Understanding the $skip_due_to_path Variable
The $skip_due_to_path variable contains a comprehensive set of patterns that determine which requests should bypass the Members plugin's authentication redirect. This variable is crucial for preventing unnecessary redirects that could cause logout issues.
Current Patterns Included:
File Extensions (using regex):
.css,.js- Stylesheets and JavaScript files.jpg,.jpeg,.png,.gif,.webp- Image files.ico- Favicon files.woff,.woff2- Web fonts.ttf,.eot- Font files.svg- Scalable vector graphics
Directory Paths:
/node_modules/- Node.js dependencies/wp-content/themes/- WordPress theme files/wp-content/plugins/- WordPress plugin files
Why Additional Extensions May Need to be Added:
If your site uses additional file types that are not currently covered by the regex pattern, you may experience logout issues when those files are requested. Common file types that might need to be added include:
- Additional Image Formats:
.avif,.bmp,.tiff - Video Files:
.mp4,.webm,.mov - Audio Files:
.mp3,.wav,.ogg - Document Files:
.pdf,.doc,.docx - Archive Files:
.zip,.tar,.gz - Data Files:
.json,.xml,.csv
To add new file extensions, modify the regex pattern in the $skip_due_to_path variable:
$skip_due_to_path = preg_match('#\.(css|js|jpg|jpeg|png|gif|webp|ico|woff2?|ttf|eot|svg|avif|mp4|pdf)(\?.*)?$#i', $request_uri)
Important: Only add file extensions that are truly static assets and don't require authentication. Avoid adding extensions for dynamic content or files that should be protected by the Private Site feature.
Testing Results
The fix has been tested and verified to work correctly in the following scenarios:
- ✅ Upload Top Agents Page: Successfully tested on Pantheon multi-dev environment
- ✅ Favicon Loading: Resolved initial favicon loading issues
- ✅ Session Persistence: Login cookies now persist correctly without unexpected logouts
- ✅ Static Asset Loading: CSS, JavaScript, and image files load without triggering authentication redirects
Configuration Notes
- The
$skip_due_to_pathvariable uses regex patterns to match file extensions and specific path prefixes - You may need to adjust these patterns based on your site's specific asset structure
- The fix is designed to be non-intrusive and only affects the authentication redirect logic