Site Lock: Force Login + Common Login/Registration Page

Build a single-file WordPress plugin that restricts the entire front-end website to logged-in users by redirecting non-authenticated visitors to a common login/registration page.

Core behavior:

• If a visitor is not logged in, redirect them to a designated "Access" page that contains both login and registration options.
• Restrict all front-end pages/posts/CPT archives/search etc. for logged-out users.
• Allow access to necessary endpoints to avoid breaking WP:
  • wp-login.php and wp-signup.php (multisite)
  • admin area should remain accessible only for logged-in users (WP already handles) but do not interfere with /wp-admin/ redirect loop; allow admin requests.
  • AJAX requests (admin-ajax.php) should not be redirected.
  • REST API requests should not be redirected (to avoid breaking blocks, oEmbed, etc.).
  • Allow wp-cron.php.
  • Allow assets requests (but typically WordPress handles). Avoid redirecting requests for files by checking extension for common static files.
• Provide a filterable whitelist of public URLs/paths (e.g. privacy policy, terms) via apply_filters.

Login/Registration page:

• On plugin activation, create a WordPress page titled "Access" (slug: access) if it doesn’t exist, with shortcode content.
• Provide a shortcode [p0_access_gate] that outputs:
  • If logged in: a simple message and link to home and a logout link.
  • If logged out: show wp_login_form() with redirect to the originally requested URL (passed as query arg "redirect_to").
  • Below login form, show a registration section:
    • If user registration is enabled (get_option('users_can_register')), show wp_registration_url() link and optionally embed a simple registration form handled by the plugin.
    • Implement an embedded registration form (username, email, password) with nonce and server-side validation, creating the user with wp_create_user, setting role to default, and then logging them in (wp_signon) and redirecting to redirect_to.
    • If registration is disabled, show a message telling admin to enable "Anyone can register".
• Use output escaping and nonces. Avoid exposing errors; show friendly messages.

Redirect mechanics:

• Hook into template_redirect.
• If !is_user_logged_in() and request is not whitelisted, redirect to the Access page URL with redirect_to query param set to the current full URL.
• Prevent redirect loop: if already on the Access page, do not redirect.
• If Access page is missing, fall back to wp_login_url($current_url).

Settings:

• Add a minimal Settings page under Settings → Site Lock.
  • Option to enable/disable site lock (default enabled).
  • Option to choose the Access page (dropdown of pages) or use auto-created one.
  • Option: allow the homepage for logged-out users (default off).
  • Option: allow specific pages (multi-select) to be public.
• Store options in a single option array.
• Sanitize all settings.

Misc:

• Provide activation/deactivation hooks:
  • Activation creates Access page.
  • Deactivation does not delete the page, but disables lock.
• Add p0_debug logs for key decisions only when WP_DEBUG is true? (But p0_debug is fine; keep minimal.)

Compatibility:

• Must work without any other plugins.
• Must be careful to not redirect API requests or cause infinite loops.