Url
Beta 1
This is the documentation for the AAM 7.0.0-beta.1 release. We are actively working on the documentation that may change before stable release announcement.
Syntax
Url:<path>Url:* - Premium FeatureUrl:/*/ - Premium Feature
Definition
Manage access to any individual URL or group of relative URLs (wildcard * denotation is available with premium add-on). Additionally, define how to handle access denied redirect when user tries to access restricted URL.
The Url resource accepts an absolute or a relative path to any page on your website. For instance, the full path to the "Authenticated User Only" page can be https://mydomain.com/category/authenticated-user-only, while the relative path is /category/authenticated-user-only.
This statements denies access to the above page:
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/category/authenticated-user-only"
}
}
Provided URL may also contain query parameters (GET params). The order of params is irrelevant. AAM sorts them in ascending order before determining correct access privilege.
AAM also normalizes URL by trimming trailing forward slash / before evaluating for the match. For example, the /hello-world/ and /hello-world are identical.
Redirect
The Redirect property allows defining the redirect to a different page, URL or to display a custom message. The redirect happens before user tries to access restricted URL, so the end-user does not see the restricted content.
AAM support several redirect types as follows:
- Redirect to a different page by slug or id.
- Redirect to a different URL within the allowed hosts (AAM performs the safe redirect with the core WordPress function wp_safe_redirect).
- If restriction is meant for not-authenticated user, a redirect to the login page is available.
- Display WordPress core standard "WP Die" dialog with custom message.
- Trigger a callback function that performs redirect and halts further PHP execution with
exitordie; or returns a safe URL for AAM core to perform redirect.
You can set any 3xx HTTP status code with StatusCode property as recommended by MDN. The default status code is 307 (Temporary Redirect).
There are example of various redirects.
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "page_redirect",
"Slug": "authentication-required",
"StatusCode": 301
}
}
}
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "page_redirect",
"Id": 76,
"StatusCode": 307
}
}
}
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "url_redirect",
"Url": "/different-page",
"StatusCode": 302
}
}
}
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "custom_message",
"Message": "You are not allowed to be here"
}
}
}
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "login_redirect"
}
}
}
{
"Statement": {
"Effect": "deny",
"Resource": "Url:/members-only-page",
"Redirect": {
"Type": "trigger_callback",
"Callback": "do_redirect_or_return_redirect_url_func"
}
}
}
FYI!
If HTTP status code is not provided, the default is 307 (Temporary Redirect).
Wildcard
You can configure targeting for multiple URLs or specific URL patterns using the wildcard * symbol. This functionality is exclusive to the premium add-on.
To apply restrictions to all URLs, use the Url:* resource. For example, the statement below denies access to all URLs except the homepage, effectively making your entire website private:
{
"Statement": [
{
"Effect": "deny",
"Resource": "Url:*"
},
{
"Effect": "allow",
"Resource": "/"
}
]
}
To protect specific groups of URLs, you can define patterns. For instance, the statement below restricts access to URLs under the /premium/ path:
{
"Statement": {
"Effect": "deny",
"Resource": "/premium/*"
}
}
This will match URLs such as /premium/courses or /premium/material/2025.
You can also use the * wildcard multiple times within the same resource path, such as /category/science*/premium/*.
Virtual Assistant