A minimal WordPress theme for sites that should not expose a public front-end. Visitors are redirected to the login screen or straight into the dashboard. RSS/Atom feeds, trackbacks, robots.txt, and oEmbed embed views are redirected the same way—only REST and related API entry points stay reachable without that redirect.
- Internal or tooling sites where the only goal is wp-admin and wp-login.php
- Headless or API-driven setups where you still need
/wp-json/and legacy query-style REST - Reducing accidental public HTML pages without maintaining a full theme
| Visitor | Result |
|---|---|
| Not logged in | Redirect to wp-login.php |
| Logged in | Redirect to the admin area (wp-admin/) |
Redirects run on template_redirect (priority 0), before normal theme templates load.
The theme skips redirects only for:
- WordPress REST API (
REST_REQUEST,wp-jsonin the URL,rest_routequery var) - WooCommerce legacy API (
wc-apiquery var)
All other front-end routes—including feeds, trackbacks, robots.txt, and embed URLs—redirect to login or admin like normal pages.
- Copy the theme folder into
wp-content/themes/only-admin/. - In Appearance → Themes, activate Only Login (or rename the theme in
style.cssto match this folder if you prefer).
functions.php— redirect logic and API-only exceptionsindex.php— empty fallback if a template is still loadedstyle.css— theme metadata (required by WordPress)
- This theme does not provide layouts, blocks, or front-end styling; it is a gate, not a marketing site.
- If you add custom webhooks or front-facing URLs that are not covered by the exceptions, extend the checks in
only_login_redirect_visitors()infunctions.php. - Requires a WordPress version that provides
wp_is_serving_rest_request()(WordPress 6.5+). On older versions, REST exclusions that rely on it may be incomplete; REST viarest_route/wp-jsonURI checks still apply.
GPL-2.0+ (same as WordPress unless your project uses a different license).