I’m working with a setup where my WordPress installation is in a subfolder and I need to access preview functionality from an external PHP file. Here’s my current structure:
site.com/wpinstall/ -- WordPress files here
site.com/external-preview.php -- my custom preview handler
I’m loading WordPress using wp-load.php in my external script and can successfully retrieve published content. I also know how to query for draft posts, but when preview parameters are passed to my external script, WordPress blocks access with a permission error.
For example, when I visit:
site.com/external-preview.php?preview=true&preview_id=88&preview_nonce=3a5b92e7f1&post_format=standard
I get the error message: “You do not have permission to preview drafts”
This happens because wp-load.php performs some kind of permission check that fails when called from outside the WordPress directory. What specific checks does WordPress perform for preview requests? How can I properly handle preview authentication in my external script?
Your permission error is coming from the preview nonce validation. WordPress creates these nonces with specific context - current user state and request environment. Loading wp-load.php from an external script changes the authentication context, so WordPress rejects preview requests. I hit this same problem building a custom preview system. You need to manually validate the preview nonce using wp_verify_nonce() with the right action parameter. For previews, use 'post_preview_' + the post ID. Check the nonce first: wp_verify_nonce($preview_nonce, 'post_preview_' . $post_id). If it validates, skip WordPress's standard preview permissions and query the post revision data directly instead of using the built-in preview functions.
hey, make sure the user has draft permissions. right after including wp-load.php, use wp_set_current_user(). next, check if current_user_can('edit_post', $post_id) returns true. also, handle auth cookies properly or it’ll block ya.
WordPress preview breaks because it needs authenticated sessions and proper cookies. When you load wp-load.php from an external script, you’re killing the auth state. I hit this same problem building a headless preview system. You need to rebuild the authentication context before trying to access previews. Manually handle the WordPress auth cookies - both auth and secure_auth. After including wp-load.php, parse those cookies and use wp_validate_auth_cookie() to restore the user session. WordPress also checks referrer and other environmental stuff during preview requests. Try using wp_create_nonce() to generate fresh preview nonces from your external script, or just skip the preview system entirely and query post revisions directly with get_post() using the revision ID.
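The checks named in the answers above (login cookie, preview nonce, edit capability), combined into one external handler. This is an added example, not code from any poster in the thread; the function name external_preview_resolve, the error codes and the relative path to wp-load.php are assumptions made for illustration.

```php
<?php
// Added example, not from the thread.
// Assumption: this file sits one directory above the install in wpinstall/.
require __DIR__ . '/wpinstall/wp-load.php';

/** Return the post to preview, or a WP_Error naming the check that failed. */
function external_preview_resolve( array $query ) {
    $post_id = isset( $query['preview_id'] ) ? absint( $query['preview_id'] ) : 0;
    $nonce   = isset( $query['preview_nonce'] ) ? (string) $query['preview_nonce'] : '';

    // 1. Identity: the logged-in cookie must reach this script. The browser only
    //    sends it when the cookie path covers this script's URL.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'No valid login cookie on this request.' );
    }
    // 2. Intent: the nonce is bound to the user, their session and this action.
    if ( ! $post_id || ! wp_verify_nonce( $nonce, 'post_preview_' . $post_id ) ) {
        return new WP_Error( 'bad_nonce', 'Preview nonce is missing, expired or for another user.' );
    }
    // 3. Authorization: a valid nonce alone does not prove the user may read this draft.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Current user cannot edit this post.' );
    }
    $post = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.' );
    }
    // Overlay the latest autosave, if any, so unsaved edits show in the preview.
    $autosave = wp_get_post_autosave( $post_id );
    if ( $autosave ) {
        $post->post_title   = $autosave->post_title;
        $post->post_content = $autosave->post_content;
        $post->post_excerpt = $autosave->post_excerpt;
    }
    return $post;
}

$result = external_preview_resolve( wp_unslash( $_GET ) );
if ( is_wp_error( $result ) ) {
    wp_die( esc_html( $result->get_error_message() ), 403 );
}
nocache_headers(); // draft content must not be cached by proxies or the browser
echo '<h1>' . esc_html( $result->post_title ) . '</h1>';
echo apply_filters( 'the_content', $result->post_content );
```

Because each failure returns a distinct error code, the handler also shows which of the three checks is rejecting the request.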