diff --git a/doc/api/hooks_server-side.md b/doc/api/hooks_server-side.md index 0a4f95181..dd0b8599e 100644 --- a/doc/api/hooks_server-side.md +++ b/doc/api/hooks_server-side.md @@ -399,9 +399,6 @@ The handleMessage function must return a Promise. If the Promise resolves to `null`, the message is dropped. Returning `callback(value)` will return a Promise that is resolved to `value`. -**WARNING:** handleMessage is called for every message, even if the client is -not authorized to send the message. It is up to the plugin to check permissions. - Examples: ``` @@ -444,10 +441,6 @@ The handleMessageSecurity function must return a Promise. If the Promise resolves to `true`, write access is granted as described above. Returning `callback(value)` will return a Promise that is resolved to `value`. -**WARNING:** handleMessageSecurity is called for every message, even if the -client is not authorized to send the message. It is up to the plugin to check -permissions. - Examples: ``` diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js index f6d72764b..e311e9dbf 100644 --- a/src/node/handler/PadMessageHandler.js +++ b/src/node/handler/PadMessageHandler.js 
@@ -199,23 +199,6 @@ exports.handleMessage = async function(client, message)
 return;
 }
 
- // Allow plugins to bypass the readonly message blocker
- if ((await hooks.aCallAll('handleMessageSecurity', {client, message})).some((w) => w === true)) {
- thisSession.readonly = false;
- }
-
- // Call handleMessage hook. If a plugin returns null, the message will be dropped. Note that for
- // all messages handleMessage will be called, even if the client is not authorized
- if ((await hooks.aCallAll('handleMessage', {client, message})).some((m) => m === null)) {
- return;
- }
-
- // Drop the message if the client disconnected while the hooks were running.
- if (sessioninfos[client.id] !== thisSession) {
- messageLogger.warn("Dropping message from a connection that has gone away.")
- return;
- }
-
 if (message.type === "CLIENT_READY") {
 // client tried to auth for the first time (first msg from the client)
 createSessionInfoAuth(thisSession, message);
@@ -245,7 +228,21 @@ exports.handleMessage = async function(client, message)
 return;
 }
 
- // access was granted
+ // Allow plugins to bypass the readonly message blocker
+ if ((await hooks.aCallAll('handleMessageSecurity', {client, message})).some((w) => w === true)) {
+ thisSession.readonly = false;
+ }
+
+ // Call handleMessage hook. If a plugin returns null, the message will be dropped.
+ if ((await hooks.aCallAll('handleMessage', {client, message})).some((m) => m === null)) {
+ return;
+ }
+
+ // Drop the message if the client disconnected during the above processing.
+ if (sessioninfos[client.id] !== thisSession) {
+ messageLogger.warn('Dropping message from a connection that has gone away.')
+ return;
+ }
 
 // Check what type of message we get and delegate to the other methods
 if (message.type === "CLIENT_READY") {
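Review bot: The `handleMessageSecurity` branch added in the second hunk writes `thisSession.readonly = false` onto the session object, and nothing in the visible lines restores it, so a single plugin returning `true` for one message appears to leave that connection writable for every later message. If the grant is meant to cover only the current message, the override should be scoped to it rather than stored on the session; if the session-wide effect is intended, say so above the assignment, for example `// NOTE: clears readonly for the rest of this session, not only for this message.` The rest of exports.handleMessage, including where `readonly` is read, lies outside the hunk, so the intended lifetime needs confirming there. As a smaller style point, the added `messageLogger.warn(...)` line is missing its terminating semicolon.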