
How to Whitelist Files and Plugins in Security Optimizer's Lock and Protect Feature

One of the most powerful features of the 'Security Optimizer – The All-In-One Protection Plugin' is the Lock and Protect System Folders option. It enhances your site's security by preventing the execution of unauthorized scripts from critical WordPress directories like wp-content, wp-includes, and wp-admin.

However, this robust protection can sometimes be too restrictive. Certain legitimate plugins may require direct access to a specific PHP file to function correctly, such as for processing AJAX requests or generating export files. When this happens, the plugin's functionality breaks, leaving site owners with a difficult choice: disable a key security feature or lose plugin functionality.

Why This Happens

The 'Lock and Protect System Folders' feature works by placing .htaccess rules inside your WordPress system folders. These rules block direct access to files within them. If a third-party plugin is designed to be accessed directly (e.g., example.com/wp-content/plugins/a-plugin/includes/ajax-file.php), it will be blocked by these security rules, resulting in a 403 Forbidden error.

The Solution: Using the Built-in Whitelist Filter

Thankfully, the Security Optimizer plugin provides a filter to whitelist specific files, allowing them to bypass the lock. This is the recommended and safest way to resolve the conflict without completely disabling the security feature.

Step-by-Step Guide:

  1. Identify the Problematic File: Use your browser's developer tools (Network tab) or check your plugin's documentation to find the exact filename that is being blocked (e.g., export-data.php).
  2. Add the Filter to Your Theme's functions.php: You will need to add a small code snippet to your website. It is highly recommended to use a code snippets plugin or a child theme's functions.php file to avoid losing changes when your theme updates.

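    Here is the basic code structure:

    // Register the callback on Security Optimizer's wp-content whitelist filter
    add_filter( 'sgs_whitelist_wp_content', 'whitelist_my_custom_file' );

    // Receives the current whitelist array and returns it with the extra names
    function whitelist_my_custom_file( $whitelist ) {
        // Add your filename(s) to the array
        $whitelist[] = 'export-data.php';
        $whitelist[] = 'ajax-handler.php';
        return $whitelist;
    }
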
  3. Save and Test: After adding the code, save the file and clear your site's cache if you use a caching plugin. Test the functionality of your plugin to see if it now works correctly.

Important Limitations to Understand

Based on community discussions, there are two key limitations to this whitelisting method:

  • Whitelisting is by Filename Only: The filter will whitelist the specified filename wherever it is found within the wp-content directory. If multiple plugins have a file with the same name (e.g., ajax.php), they will all be whitelisted. It is not currently possible to whitelist a file based on its full path (e.g., plugins/my-plugin/ajax.php).
  • No Folder Whitelisting: There is no available filter to whitelist an entire folder. Each individual file must be specified in the array.
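
Because matching is by filename only, it is worth checking what a whitelist entry actually opens before adding it. The script below is an added example, not part of Security Optimizer or the original article: it lists every file under wp-content that shares a whitelisted name and flags names that match more than one file. The function names and the script name audit-whitelist.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Security Optimizer code): show which files a
# filename-only whitelist entry would open under wp-content.

# Escape glob metacharacters so find -name compares the name literally.
literal_pattern() {
    printf '%s' "$1" | sed 's/[][*?\\]/\\&/g'
}

# whitelist_matches <wp-content dir> <filename>...
# Prints the path of each regular file whose basename equals a listed name.
whitelist_matches() {
    root=$1; shift
    for name in "$@"; do
        find "$root" -type f -name "$(literal_pattern "$name")"
    done | sort
}

# whitelist_collisions <wp-content dir> <filename>...
# Prints "<count> <filename>" for each name that matches more than one file.
whitelist_collisions() {
    root=$1; shift
    for name in "$@"; do
        count=$(whitelist_matches "$root" "$name" | wc -l | tr -d ' ')
        [ "$count" -gt 1 ] && echo "$count $name"
    done
    return 0
}

# Run as: sh audit-whitelist.sh /path/to/wp-content export-data.php ajax-handler.php
if [ "$#" -ge 2 ]; then
    echo "Files opened by the whitelist:"
    whitelist_matches "$@"
    echo "Names matching more than one file:"
    whitelist_collisions "$@"
fi
```

Any path in the output that does not belong to the plugin you meant to unblock is also directly reachable once the name is whitelisted.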

Alternative .htaccess Method (Advanced Users)

For users who are comfortable with server configuration, an alternative is to modify the .htaccess file that the Security Optimizer plugin generates within the protected folder. You can add an exception rule for a specific file.

Example rule to allow access to a specific file:

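# The dot is escaped so the pattern matches only the literal name export-data.php
<FilesMatch "^export-data\.php$">
 # Apache 2.2 access-control syntax
 <IfModule !mod_authz_core.c>
  Allow from all
 </IfModule>
 # Apache 2.4+ access-control syntax
 <IfModule mod_authz_core.c>
  Require all granted
 </IfModule>
</FilesMatch>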

Warning: Be cautious when editing .htaccess files manually, as a syntax error can break your site. Furthermore, these changes may be overwritten if the Security Optimizer plugin rewrites its rules. The filter method is generally more sustainable.

Conclusion

The 'Lock and Protect System Folders' feature is a critical layer of security for any WordPress site. While it can occasionally conflict with other plugins, the provided sgs_whitelist_wp_content filter offers a flexible way to create necessary exceptions. By carefully whitelisting only the specific files you need, you can maintain a high level of security while ensuring all your site's functionality works in harmony.