draikhin this policy will do the trick:
Note! This policy works only with Plus Package add-on because it uses the URI wildcard. You can avoid using Plus Package, however, in this case, you would need to define each URI one-by-one instead of using the wildcard URI:\/*.
{
"Version": "1.0.0",
"Dependency": {
"wordpress": ">=5.2.2",
"advanced-access-manager": ">=6.0.3",
"aam-plus-package": ">=5.0.1"
},
"Statement": [
{
"Effect": "deny",
"Resource": [
"URI:\/*",
"URI:\/"
],
"Metadata": {
"Redirect": {
"Type": "login"
}
}
},
{
"Effect": "allow",
"Resource": "URI:\/wp-login.php"
}
]
}
The first statement restricts access to all the pages on the website URI:\/* including the homepage URI:\/. When a visitor tries to access any of the pages on the website, he/she is redirected to the WP standard login page.
The second statement explicitly allows the /wp-login.php page so the visitor can login and upon successful authentication, he/she will be redirected back to the page he/she tried to access in the first place.
Note! If your login page is not a default WP login /wp-login.php, then you need to define "Redirect To Existing Page" as mentioned on this page https://aamplugin.com/reference/policy#uri. Then, in the second statement, allow your page to be accessed.
Go to AAM page and on the "Access Policies" tab click on + Create. Give a reasonable name for your policy, copy & paste the JSON policy mentioned above and attach it to Visitiros. This will do the magic.
