Loop on WordPress Login with Auth0 Plugin


I can not get the Auth0 WordPress Plugin to work as I like it to… At first, yes, it works. But when I set a special WordPress option, then no user can login anymore because the login results in a loop…

The “special” setting is… From the WordPress Dashboard change to “Settings” → “Reading” and then set “Site Visibility” to “Restrict site access to visitors who are logged in or allowed by IP address”. Then set “Handle restricted visitors” to “Send them to the WordPress login screen”…

Now if you visit the site the Auth0 Login appears. After signig in… it appears again and again and again…

Any workaround? Any idea?

Thank you,

Hi @michael.knigge … I don’t have that setting on my test WordPress version. Are you using a plugin for that? If so, which one? Happy to try and make our plugin play nicely!

Hi Josh,

yes… you’re right… These settings are “provided” by a Plug-In. I’ve forgot that… The Plugin is " Restricted Site Access" (see Restricted Site Access – WordPress plugin | WordPress.org)

Hope it’s easy for you to reproduce… It is a really nice plugin if you use WordPress as a private/internal site and force every user to authenticate before he/she can see anything on the Blog site…


I thought that setting sounded familiar … yes, that’s a solid plugin.

I’ll take a look on my end in the next day or so and see if there’s anything we can do without changing code on our end. If it does require a change, we’ve got a release coming out in about a month and I’ll make sure it’s in there.


This would be so great! Thank you!

@michael.knigge - I just took a look at this and I don’t think there’s anything we can do on our end without adding custom code just for this plugin (which is not a practice we want to get into). We use a custom callback URL to check for errors and log the user in, if the attempt at Auth0 was successful. That URL is just like any other URL for the plugin and it gets redirected before the Auth0 login can happen.

That said, it looks like there is a filter in the restrict access plugin you can use to pass the Auth0 request through, restricted_site_access_is_restricted. If you want to be cautious, you’ll want to check a few values (included below) but it is spoofable if someone suspects you’re using this (meaning, someone could see your homepage if they try hard enough):

 * Play nicely with Restricted Site Access.
 * @param bool $is_restricted - Original $is_restricted value
 * @param WP $wp - WP object.
 * @return mixed
function auth0_mu_hook_restricted_site_access_is_restricted( $is_restricted, $wp ) {
	if (
		! empty( $wp->query_vars['auth0'] )
		&& empty( $wp->query_vars['page'] )
		&& $_COOKIE['auth0_state'] === $wp->query_vars['state']
	) {
		return false;
	return $is_restricted;
add_filter( 'restricted_site_access_is_restricted', 'auth0_mu_hook_restricted_site_access_is_restricted', 100, 2 );

If this is just temporarily restricted (non-sensitive information, demoing a site, etc), you can remove the 2nd and 3rd check (will mean that any page with a non-empty auth0 URL param can see any page.

Thank you for having to look into this!