How to Protect WordPress admin-ajax.php the best way without breaking things?

I run a WordPress website and recently started taking safety measures, considering spike in attack attempts.

I have implemented Zero Trust for wp-login.php and a WAF rule for the below:
block access to xmlrpc.php if the referrer doesn't contain the domain.

Please suggest the best way to further block access to

I see automatic blocks by the WAF managed ruleset on attempts to execute scripts on other PHP files.

If I block access to wp-content / wp-includes if the referrer doesn't include

admin-ajax.php is weird. It's in wp-admin but it's called from the front-end as well as the back-end. You can't really block access to it or it will break a lot of things, including plugins like WooCommerce, infinite scroll plugins, and so forth.

Regular browsers using the site need to have access to that path. You really can’t block it.


So how would you block access to wp-admin folder while allowing access to that specific file in the wp-admin folder?
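One way to express the split asked about above (restrict the wp-admin folder, keep admin-ajax.php reachable) is as a path allowlist evaluated before the folder-wide block. The script below is an added example written for this thread, not code from any of the posters or from WordPress or Cloudflare; the admin network 203.0.113.0/24 and the host example.com are constructed placeholders, and the Cloudflare-style expression in the comment is assumed syntax to be checked against the WAF's documentation. It also shows why the match should run on a normalized request path rather than the raw URI: a query string or a `..`/`//` segment that mentions admin-ajax.php must not unlock the rest of wp-admin.

```python
import posixpath
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Constructed placeholders: the network that may reach the WordPress
# back-end and the site's own hostname used for the xmlrpc.php referrer check.
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]
SITE_HOST = "example.com"

# Cloudflare-style custom rule this mirrors (assumed syntax, verify before use):
#   starts_with(http.request.uri.path, "/wp-admin/")
#   and not http.request.uri.path eq "/wp-admin/admin-ajax.php"
#   and not ip.src in {203.0.113.0/24}


@dataclass
class Request:
    uri: str          # request target as seen on the wire, e.g. "/wp-admin/?x=1"
    src_ip: str       # client address
    referer: str = "" # Referer header, empty when absent


def normalize_path(raw_uri: str) -> str:
    """Reduce a request target to the canonical path the web server will resolve.

    Query string and fragment are dropped, percent-encoding is decoded once,
    and '.', '..' and repeated '/' segments are collapsed, so that variants
    like '/wp-admin//admin-ajax.php' or '/wp-admin/../wp-admin/update.php'
    are matched on what they actually address, not on their spelling.
    """
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    # normpath keeps a leading '//' as-is (POSIX quirk); force a single slash.
    return "/" + path.lstrip("/")


def referer_is_own_site(referer: str) -> bool:
    """True when the Referer hostname is the site or one of its subdomains.

    Comparing the parsed hostname is stricter than a substring 'contains'
    check, which 'example.com.attacker.test' would also satisfy. Referer is
    client-supplied, so this only filters unsophisticated automated traffic.
    """
    host = urlsplit(referer).hostname or ""
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def decide(req: Request) -> str:
    """Return 'allow' or 'block' for one request, most specific rule first."""
    path = normalize_path(req.uri)

    # 1. admin-ajax.php is used by the front-end (themes, WooCommerce, infinite
    #    scroll), so it must stay open to every visitor.
    if path == "/wp-admin/admin-ajax.php":
        return "allow"

    # 2. Everything else under wp-admin is back-end only: restrict to the
    #    admin network.
    if path == "/wp-admin" or path.startswith("/wp-admin/"):
        client = ip_address(req.src_ip)
        if any(client in net for net in ADMIN_NETWORKS):
            return "allow"
        return "block"

    # 3. xmlrpc.php: the referrer rule from the original post, with a
    #    hostname comparison instead of a substring match.
    if path == "/xmlrpc.php" and not referer_is_own_site(req.referer):
        return "block"

    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic: front-end AJAX from a visitor, a login-page
    # probe from the same visitor, and an admin from the allowed network.
    for r in (
        Request("/wp-admin/admin-ajax.php?action=heartbeat", "198.51.100.7"),
        Request("/wp-admin/", "198.51.100.7"),
        Request("/wp-admin/plugins.php?x=/wp-admin/admin-ajax.php", "198.51.100.7"),
        Request("/wp-admin/edit.php", "203.0.113.10"),
        Request("/xmlrpc.php", "198.51.100.7"),
    ):
        print(f"{decide(r):5}  {r.src_ip:15}  {r.uri}")
```

Order matters: the exact-path allow for admin-ajax.php sits before the prefix block for the folder, which is the same "most specific rule wins" idea as listing a `location ^~ /wp-admin/admin-ajax.php` before a restricted `location ^~ /wp-admin/` in nginx. Whatever the WAF, test the rule with the front-end actions your plugins use (WooCommerce cart fragments, heartbeat) from a non-admin address before enabling it.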