PBJ Access Control Changelog (v2.2.0): REST Content Leak Sealed, User Guide Added

PBJ Access Control gates WordPress pages behind login, blocks WooCommerce for logged-out visitors (with an optional escape hatch for the registration form), customizes the restricted-content message, and adds an admin-approval workflow for new registrations — capturing each signup’s IP address and location so admins can triage from the User Approvals screen or straight from the notification email. Here’s the release history.

Version 2.2.0

  • Built-in User Guide — a new tab on Settings → Access Control covering page restriction, WooCommerce gating, the approvals workflow, verification, troubleshooting, and a quick reference. Also linked from the Plugins list row.

Version 2.1.0

  • Security: restricted content no longer readable via the REST API. Restricted pages’ content and excerpt are blanked in /wp-json/wp/v2/pages responses (and oEmbed) for logged-out requests — previously the full content was publicly readable there even though the page itself was blocked.
  • Security: restricted pages are excluded from front-end search results for logged-out visitors and emit noindex robots directives.
  • Fixed a caching edge: blocked responses send no-cache headers and hook PBJ SEO’s cacheable filter, so an edge cache can never store the 403 message as a public page — or serve a cached anonymous copy to a logged-in member.
  • Added: applicants receive an “account approved” email when approved, and expired approve/deny email links now show a clear notice instead of silently doing nothing.
  • Added: a pbj_access_control_post_types filter to restrict entries beyond Pages, and a pbj_access_control_login_redirect filter to send blocked visitors to the login form (with redirect back) instead of the 403 message.
  • Fixed: the message sanitizer no longer strips legitimate braces from message text — only CSS-shaped rules are removed.
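A way to verify the 2.1.0 REST and caching fixes from the outside, as an added example (not the plugin's own code): it audits an anonymous `/wp-json/wp/v2/pages` response body for restricted pages that still expose text, and checks a blocked response's cache headers. The function names, the restricted page IDs, the sample data, and the set of accepted `Cache-Control` directives are assumptions made for this illustration.

```python
import json
import re

# Constructed sample: body of an anonymous GET /wp-json/wp/v2/pages.
# IDs are invented; 42 is restricted and blanked, 57 is restricted but leaks.
SAMPLE_BODY = json.dumps([
    {"id": 7, "content": {"rendered": "<p>Public welcome</p>"},
     "excerpt": {"rendered": "<p>Welcome</p>"}},
    {"id": 42, "content": {"rendered": ""}, "excerpt": {"rendered": ""}},
    {"id": 57, "content": {"rendered": "<p>Member pricing</p>"},
     "excerpt": {"rendered": " \n"}},
])

def visible_text(html):
    """Strip tags and whitespace so an empty '<p></p>' counts as blank."""
    return re.sub(r"<[^>]*>", "", html or "").strip()

def find_rest_leaks(body, restricted_ids):
    """Return (page_id, field) pairs where a restricted page still exposes text."""
    leaks = []
    for page in json.loads(body):
        if page.get("id") not in restricted_ids:
            continue
        for field in ("content", "excerpt"):
            value = page.get(field) or {}
            rendered = value.get("rendered", "") if isinstance(value, dict) else str(value)
            if visible_text(rendered):
                leaks.append((page["id"], field))
    return leaks

def cache_header_problems(status, headers):
    """Flag a blocked (403) response that a shared cache would be allowed to store."""
    if status != 403:
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = {d.strip().lower() for d in lowered.get("cache-control", "").split(",")}
    problems = []
    # Assumption: any of these directives is taken as the "no-cache headers".
    if not cc & {"no-store", "no-cache", "private"}:
        problems.append("403 lacks no-store/no-cache/private")
    if any(d.startswith(("public", "s-maxage")) for d in cc):
        problems.append("403 marked cacheable by shared caches")
    return problems

if __name__ == "__main__":
    print(find_rest_leaks(SAMPLE_BODY, {42, 57}))
    print(cache_header_problems(403, {"Cache-Control": "public, max-age=3600"}))
```

Run it against responses captured without cookies or an Authorization header, so the check reflects what a logged-out visitor or an edge cache sees.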

Version 2.0.0

  • Full refactor: the single-file plugin was split into a bootstrap plus class files matching the rest of the PBJ plugin suite (orchestrator, frontend, admin, approvals, updater).
  • Signup IP + location capture. Every new registration records the signup IP and best-effort city/region/country, shown as columns on Users → PBJ User Approvals and included in the approval-notification email.
  • Self-hosted updater with an Update URI header that locks the slug — no risk of a same-slug WordPress.org plugin auto-replacing this one.
  • Settings schema versioning with an idempotent migration runner and a migration hook, plus a proper uninstall.php cleanup.
  • Fixed the WordPress 6.7+ early-textdomain notice.

Version 1.06.5

  • Fixed missing settings field callbacks that could fatal on activation; added safe-mode behaviors — hooks deferred to init, never blocks admin/AJAX/REST, editor fallback, and a CSS-bleed sanitizer for the restricted message.
July 4, 2026
