Securing a plugin pop-up window

Add some AJAX actions in your plugin file, something like this… The first one (without _nopriv) will already only be executed for logged in users, and the second will only be executed for logged out users, so there is no need to retest is_user_logged_in() here:

add_action('wp_ajax_show_popup_contents', 'show_popup_contents');
function show_popup_contents() {
    $filepath = dirname(__FILE__).'/popup.php';
    include($filepath); exit;
}

add_action('wp_ajax_nopriv_show_popup_contents', 'deny_popup_contents');
function deny_popup_contents() {
    wp_die("You need to be logged in to view these contents.");
}

Then set the popup URL to /wp-admin/admin-ajax.php?action=show_popup_contents

You probably want to also add if (!defined('ABSPATH')) {exit;} at the top of the included popup.php file so it cannot be accessed directly that way.

Related Posts:

  1. What are the common security flaws I need to look for? [closed]
  2. WordPress Capabilities: edit_user vs edit_users
  3. Where should my plugin POST to?
  4. Security error WP 4.0 + WP phpBB Bridge [closed]
  5. Should I use RIPS tool to test my themes and plugins?
  6. Escape when echoed
  7. wp_create_nonce function doesn’t work inside a plugin?
  8. I should enable automatic updates?
  9. Prevent direct access to WordPress plugin assets?
  10. How to prevent plugins from sniffing/stealing other plugins’ options?
  11. Security of a WordPress Plugin
  12. Help to Create a Simple Plugin to make a post
  13. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  14. wp_verify_nonce fails always
  15. Validating values using Settings API?
  16. Loading external page template and enqueue script from plugin causes 403 forbidden error
  17. Where the Nickname is being used in WordPress
  18. WordPress plugin from own server
  19. How to avoid plugin name conflicts from the upgrade notifier?
  20. Is their any way to Extend WPDB class and Overwrite the Default Query Function
  21. Add content to /wp-admin/plugin-install.php admin screens
  22. How to check plugins for malicious code?
  23. How to properly secure my WordPress installation?
  24. How do I only load a plugin js on it’s settings pages?
  25. Need a function for changing saved post_date or post_date_gmt to relative time in wordpress
  26. How can I include a setting that has a variable number of values in a settings page using register_setting?
  27. Activate Plugin which is in subfolder?
  28. Adding dynamic section to WordPress
  29. Use functionality of 2 wordpress plugins
  30. Autoload via composer in plugin interference
  31. Yoast SEO blocking/re-initialising longer running process
  32. Add Fields with Sub-Fields to WP Job Manager
  33. template_redirect not being called when using ajax
  34. Can WordPress plugins “Talk to each other”?
  35. How do I store information in a dynamic block in WordPress?
  36. Is there a way to alter the order in which the plugins appear in the page?
  37. How to correctly detect accessing wp-content/uploads?
  38. How to create custom embed block in gutenberg wordpress
  39. Plugin exceeds memory limit
  40. Find the URL of the current plugin directory
  41. How can sanitize $_FILES[‘haq_slider’] field
  42. How to trigger $_GET request within admin plugin page?
  43. Plugin Paths Issue
  44. How to generate video out of images via WordPress plugin
  45. WordPress plugin – Error “Plugin generate 2890 characters of unexpected output when activated”
  46. Woocommerce plugin for minimum order and add-to-card-step
  47. UnInstallation of a Plugin from a developers perspective – The correct and clean method
  48. Using a post-signup hook to get user details
  49. How to apply a patch via plugin?
  50. wp_remote_get() returns 403 while file_get_contents() does not
  51. How to set add question capability for author role in wp pro quiz plugin
  52. Malware installation during plugin update?
  53. Unable to delete custom post types, confusion around capabilities
  54. Getting wp.me shortlink for wordpress custom post type
  55. where is the main file in this plugin?
  56. Remove .htaccess portion upon plugin deactivation?
  57. Insert Array in Plugin Database
  58. First plugin, problem with get_pages
  59. Plugin onclick button activate other plugin
  60. Translation issue with global variables
  61. what is the point of telling add_filter how many parameters you want passed to the function?
  62. How to add category and subcategory in WordPress custom code?
  63. Structuring function with registration_errors hook
  64. Yoast SEO Plug In and my Theme duplicating code. Need some feedback on what to do? [closed]
  65. Should I use the action in the plugin’s main file?
  66. wp_query ‘s’ parameter does not work with WC_AJAX
  67. Monitor all the queriers executed by my website
  68. Dotenv file in custom plugin
  69. Allow a particular user to access a particular plugin?
  70. wordpress plugin add page when activate
  71. Validating ajax search
  72. Add style to body based on url
  73. Getting the same post on my related post
  74. I want to schedule email (date, time is in database->table) wp_schedule_event() not working
  75. How to remove WordPress Default Comment? not Facebook
  76. How to use Datatable with Ajax when creating plugin on WordPress?
  77. Loading plugin script only on required page?
  78. Create survey that redirects to sidebar menu customized to answers
  79. Hook to display element as product on category page
  80. Missing files in enqueue actions causes WordPress to reload
  81. I can’t use WP_Query
  82. Adding/ Removing actions for plugins
  83. Get input form data posted by users
  84. WP Plugin: Print javascript in header
  85. Custom Plugin: Point to `template_directory`
  86. Adding list of Indexes in wordpress document
  87. WP internationalization not loaded
  88. Plugin options not appearing on options page using tabbed navigation
  89. Create plugin with form in post and submit it to specific form
  90. Storing values in Post Meta vs new tables
  91. Add custom fields in the new and edit the site forms without touching the WP core
  92. Extend WordPress REST API with Scheme Pro Plugin
  93. How to submit the custom form data in database in WordPress without plugin?
  94. My WP site and password was hacked, what to do? [closed]
  95. map urls to plugins
  96. Embed php code in custom field of a plugin [closed]
  97. Why haven’t I see plugins using get_file_data to handle retrieving plugin version?
  98. How to add custom html to the Media > Attachment Details modal?
  99. manage_{taxonomy}_custom_column not working
  100. How to be Variables and options must be escaped when echo’d?