I run a WordPress website and recently started taking safety measures, considering the spike in attack attempts.
I have implemented Zero Trust for wp-login.php and a WAF rule for the below:
block access to xmlrpc.php if the referrer doesn't contain the domain.
Please suggest to me the best way to further block access to /wp-admin/admin-ajax.php
I see the WAF managed rule set automatically blocking attempts to execute scripts in other PHP files.
If I block access to wp-content / wp-includes if the referrer doesn't include
1 Like
admin-ajax.php is weird. It's in wp-admin but it's called from the front-end as well as the back-end. You can't really block access to it or it will break a lot of things, including plugins like WooCommerce, infinite scroll plugins, and so forth.
Regular browsers using the site need to have access to that path. You really can’t block it.
2 Likes
So how would you block access to the wp-admin folder while allowing access to that specific file in the wp-admin folder?
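One way to express what is being asked for as two Cloudflare WAF custom rules (an added example, not from any post in this thread; example.com stands in for the real hostname, and the Zero Trust policy from the first post is assumed to keep protecting wp-login.php):

```text
Rule 1  (action: Managed Challenge)  "wp-admin catch-all, admin-ajax.php excepted"
(starts_with(http.request.uri.path, "/wp-admin/") and http.request.uri.path ne "/wp-admin/admin-ajax.php")

Rule 2  (action: Managed Challenge)  "admin-ajax.php without the site's own referrer"
(http.request.uri.path eq "/wp-admin/admin-ajax.php" and not (http.referer contains "example.com"))
```

Managed Challenge rather than Block is deliberate: the Referer header is client-supplied and is absent under a strict Referrer-Policy, so a legitimate front-end call or a human admin gets a challenge instead of a hard failure, while unattended scripts hammering admin-ajax.php do not get through.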
This /wp-admin/admin-ajax.php file is a frequently requested file in WordPress. I also tried to protect it in Cloudflare. At present, the best approach I have concluded on is to use the browser UA for limited protection: for example, the UAs of the latest versions of Chrome, Edge, Firefox and other mainstream browsers are used as the judgment condition. Those that do not meet the condition are required to pass human verification. Complex conditions skip custom rules or security verification rules. Of course, to reduce the impact on the user's browsing experience, it is best to retain the 2-3 latest mainstream browser versions. After all, real visitors rarely use browser versions that are too old.