How to Protect WordPress admin-ajax.php the best way without breaking things?

I run a WordPress website and recently started taking safety measures, considering the spike in attack attempts.

I have implemented Zero Trust for wp-login.php and WAF rules for the below:
block access to xmlrpc.php if the referrer doesn't contain the domain.

Please suggest the best way to further block access to
/wp-admin/admin-ajax.php

I see the automatic block by the WAF managed ruleset on attempts to execute scripts in other PHP files.

If I block access to wp-content / wp-includes if the referrer doesn't include

1 Like

admin-ajax.php is weird. It's in wp-admin but it's called from the front-end as well as the back-end. You can't really block access to it or it will break a lot of things, including plugins like WooCommerce, infinite scroll plugins, and so forth.

Regular browsers using the site need to have access to that path. You really can’t block it.

2 Likes

So how would you block access to wp-admin folder while allowing access to that specific file in the wp-admin folder?

This /wp-admin/admin-ajax.php file is a frequently requested file in WordPress. I also tried to protect it in Cloudflare. At present, the best approach I have found is to use the browser User-Agent for limited protection: use the UAs of the latest versions of Chrome, Edge, Firefox and other mainstream browsers as the match condition, and require requests that do not meet the condition to pass human verification. Complex conditions can skip the custom rules or the security verification rules. Of course, to reduce the impact on the user's browsing experience, it is best to keep the 2-3 latest mainstream browser versions. After all, real visitors rarely use browser versions that are too old.
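The two ideas in this thread (restrict the rest of /wp-admin/ while leaving admin-ajax.php reachable, then apply a User-Agent based challenge to admin-ajax.php itself) written out as Cloudflare WAF custom rules. This is an added example, not from any of the posts above. It assumes `example.com` is the site's hostname, `203.0.113.0/24` is a made-up administrator IP range, and the browser version prefixes are placeholders that have to be bumped as browsers release; the rules are meant to be created in the order shown, with the Skip rule first so administrators are exempted from everything that follows.

```text
# Rule 1 - action: Skip (remaining custom rules)
# Exempt the site's own administrators (assumed IP range; a Zero Trust policy on the path,
# as the original poster already uses for wp-login.php, serves the same purpose).
(ip.src in {203.0.113.0/24})

# Rule 2 - action: Block
# Browsers never need xmlrpc.php; block it unless the Referer names the site.
# Caveat: Referer is attacker-controlled and is absent when a Referrer-Policy strips it,
# so this only filters unsophisticated scanners.
(http.request.uri.path eq "/xmlrpc.php" and not http.referer contains "example.com")

# Rule 3 - action: Managed Challenge
# Everything under /wp-admin/ EXCEPT admin-ajax.php. The dashboard is only visited by
# logged-in humans; admin-ajax.php is requested by front-end plugins for every visitor.
(http.request.uri.path starts_with "/wp-admin/"
  and http.request.uri.path ne "/wp-admin/admin-ajax.php")

# Rule 4 - action: Managed Challenge
# admin-ajax.php itself: challenge only requests that do not look like a current
# mainstream browser and are not a verified bot. The version prefixes are an assumption:
# "Chrome/12" matches Chrome/Edge 120-129, "Firefox/12" matches Firefox 120-129,
# "Safari/605" matches current desktop Safari. Widen or narrow them to match real traffic.
(http.request.uri.path eq "/wp-admin/admin-ajax.php"
  and not (
    http.user_agent contains "Chrome/12"
    or http.user_agent contains "Firefox/12"
    or http.user_agent contains "Safari/605"
  )
  and not cf.client.bot)
```

Two things to check before turning Rule 4 on: admin-ajax.php is almost always called from fetch/XHR, and a challenge cannot be solved inside an XHR, so a real visitor whose User-Agent falls outside the prefixes will see the plugin feature silently fail rather than a challenge page; and because User-Agent is as spoofable as Referer, the rule raises the cost for mass scanners but does nothing against a targeted attacker. Review the matches in the Cloudflare security events for a few days against the site's actual traffic before expecting it to hold.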