I’m working with a setup where my WordPress installation is in a subfolder and I need to access preview content from a separate PHP file outside the WordPress directory.
My folder structure looks like this:
site.com/wp/ --WordPress installation
site.com/external-preview.php --custom preview handler
In my external file, I’m loading WordPress using wp-load.php and can successfully retrieve published content. I can also create queries for draft posts, but when I try to access preview URLs from outside the WordPress folder, the system blocks access.
For example, when I visit:
site.com/external-preview.php?preview=true&preview_id=123&preview_nonce=abc123def&post_format=standard
I get the error message: “You do not have permission to preview drafts”
What permissions or checks is WordPress performing that prevents external files from accessing preview content? Is there a way to properly authenticate or bypass these restrictions when using wp-load.php from outside the WordPress directory?
WordPress preview authentication fails because it relies on session cookies and the correct request context. When attempting to access previews via an external file, the authentication state is lost, even if wp-load.php is included. I’ve experienced this issue as well. The preview system depends on three factors: user login status, edit permissions for the specific post, and nonce verification. Since your external script operates outside of WordPress’s standard request flow, this creates complications. To resolve this, implement session handling in your external file. After loading wp-load.php, check if the user is logged in with is_user_logged_in() and verify their editing capabilities using current_user_can('edit_posts'). Ensure that cookies are properly transmitted to maintain the session. Alternatively, you might consider creating a custom parameter handler in your theme’s functions.php to manage preview requests while preserving WordPress’s authentication context.
WordPress throws that preview permission error because it checks user capabilities and nonce tokens when accessing draft content. Loading wp-load.php isn’t sufficient; the preview system verifies the ability to edit that specific post.
I encountered this issue myself. WordPress checks for the edit_post capability and verifies the nonce, but your external file lacks the same session context as the admin area where the preview link was generated.
To resolve this, ensure the user is properly authenticated before accessing preview content. After including wp-load.php, utilize current_user_can('edit_post', $post_id) to check permissions and wp_verify_nonce() to validate the nonce. If authentication fails, redirect users to log in through WordPress first.
Alternatively, consider creating a custom endpoint within WordPress using add_action hooks instead of relying on an external file, as this maintains the proper authentication context.
WordPress blocks draft access without proper wp_verify_nonce and user auth. Set up cookie handling in your external file or use wp_set_current_user() after loading wp-load (if you’ve got valid user data). Ran into this same issue myself.
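The checks the answers above name (login state, the edit_post capability for the specific post, and the preview nonce), put together in one fail-closed handler. This is an added example, not code from the thread; it assumes the script sits one directory above the wp/ install as in the question, and that the nonce was created with the action string post_preview_<id>, which is the one WordPress core uses for preview links.

```php
<?php
// external-preview.php: added example, not code from the thread.
// Assumes WordPress lives in ./wp/ next to this file, as in the question.
require __DIR__ . '/wp/wp-load.php';

// Draft content must not be stored by browsers or intermediate caches.
nocache_headers();

// Treat both query parameters as untrusted input.
$post_id = isset( $_GET['preview_id'] ) ? absint( $_GET['preview_id'] ) : 0;
$nonce   = isset( $_GET['preview_nonce'] )
	? sanitize_text_field( wp_unslash( $_GET['preview_nonce'] ) )
	: '';

if ( 0 === $post_id || '' === $nonce ) {
	wp_die( 'Missing preview_id or preview_nonce.', 400 );
}

// 1. Authentication. wp-load.php has already read the login cookie,
//    provided the browser sent it to this path.
if ( ! is_user_logged_in() ) {
	auth_redirect(); // Redirects to wp-login.php and exits.
}

// 2. Authorization for this specific post, not the general edit_posts cap.
//    A nonexistent ID also fails here, so post existence is not disclosed.
if ( ! current_user_can( 'edit_post', $post_id ) ) {
	wp_die( 'You do not have permission to preview this post.', 403 );
}

// 3. Nonce. It is bound to the logged-in user's session and to this post ID,
//    so it can only be verified after step 1 has established the user.
if ( false === wp_verify_nonce( $nonce, 'post_preview_' . $post_id ) ) {
	wp_die( 'Preview link is invalid or has expired.', 403 );
}

// 4. Every check passed: load and render the post.
$preview = get_post( $post_id );
if ( ! $preview ) {
	wp_die( 'Post not found.', 404 );
}

echo '<h1>' . esc_html( get_the_title( $preview ) ) . '</h1>';
echo apply_filters( 'the_content', $preview->post_content );
```

If the site's home URL is site.com/wp rather than site.com, the logged-in cookie is scoped to /wp/ and the browser will not send it to a script at the web root, so step 1 fails even for a logged-in editor.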