The plugin will skip session validation for pages and query string parts entered here. It does so by checking whether or not each of individual entries in the Pages Blacklist occurs in the current request uri. For example, the wp-login.php entry in this list makes it possible that you can still navigate to the default WordPress login page and logon using a WordPress-only account, because the wp-login-php is blacklisted and hence when you navigate to that page, the plugin will cancel it’s validation routine.
Ps, When you change the Authentication Scenario to Internet, the Pages Blacklist will disappear (professional and premium version only) and instead you can configure Private Pages. The other way around, the Pages Blacklist will re-appear when you change the Authentication Scenario back to Intranet.
Normally, there should not be a reason for you to change this unless you’re using
- A customized login page
- e-commerce plugins e.g. woo-commerce
- custom plugins that provide APIs
- other applications that call the WordPress REST API
Important After you entered a new entry in the input box you must click “+” to add it. Also when you are entering just one line.
Allowing for both Office 365 users and WordPress-only accounts to sign into your website is recommended to allow (super) administrators to still be able to gain access to WordPress Admin area when the plugin is not working as expected.
Please be aware that excluding pages and query strings can potentially create security holes. To understand this, consider the case where you’d like to exclude an API with ?api=push and therefore you would add api as an entry to your Pages Blacklist. Now somebody could come and randomly add ?api to any page to disable authentication for that page. The plugin has implemented therefore a few measures to prevent misuse and if you would have entered api instead of ?api the plugin will assume you’d wanted to exclude a page instead and will automatically change the entry in the Pages Blacklist to /api. Obviously, this is not what you intended, but it prevents unwanted or even anonymous users from access your pages and data.