Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress.

There are many helpful articles like this one that explain how to add “another level of security” to your website by password protecting access to the /wp-admin folder.

The trouble with doing this is that you break ALL AJAX in WordPress for non-logged-in users.

This page in the WordPress codex explains how plugin developers should implement ajax. Specifically:

Note 2: Both front-end and back-end Ajax requests use admin-ajax.php

Remember, admin-ajax.php lives in /wp-admin/admin-ajax.php.

So by password protecting that directory you’re blocking access to that script which means that all publicly accessible AJAX functionality for WordPress breaks.

Every week I get an email or two from someone who has password protected this directory and wonders why a specific function in our plugin (that relies on a public ajax handler) doesn’t work and I have to explain the above.
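For anyone who wants the extra layer without the breakage, here is the shape the exception takes. This is an added example, not configuration from the post or from the plugin; it assumes Apache with mod_auth_basic, and /path/to/.htpasswd is a placeholder for your own password file.

```apache
# /wp-admin/.htaccess  (added example; /path/to/.htpasswd is a placeholder)

# 1. The "extra layer" the articles describe. On its own it also challenges
#    every request to admin-ajax.php, so the wp_ajax_nopriv_* handlers that
#    serve visitors get a 401 instead of running.
AuthType Basic
AuthName "Restricted wp-admin"
AuthUserFile /path/to/.htpasswd
Require valid-user

# 2. Exempt the one script that front-end AJAX needs. Everything else under
#    /wp-admin/ still asks for the password.
<Files admin-ajax.php>
    # Apache 2.2 (or 2.4 with mod_access_compat): a host rule everyone
    # matches, and "Satisfy any" lets it stand in for the password check.
    Order allow,deny
    Allow from all
    Satisfy any
    # Apache 2.4 without mod_access_compat: replace the three lines above with
    #   Require all granted
</Files>
```

To check it, request /wp-admin/admin-ajax.php in a private window: it should no longer answer 401, and WordPress replies with a bare 0 when no valid action is supplied. Note that admin-ajax.php was always public by design, so this exception removes nothing that the directory password was actually protecting.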



Comments

14 Comments
  • Well, wouldn't it be easier if WordPress moved the non-admin ajax out of the /wp-admin/ directory?

    • Yes, agreed, but that's a huge change that comes with its own challenges.

      Regards,

      Mark.

  • Hi,

    Just curious what Wordfence uses this AJAX for. I password protected my wp-admin folder (on my test site) for security reasons, and prefer it to stay this way depending on what Wordfence needs to do. The admin-ajax.php is not currently accessible, so every page has a /wp-admin/admin-ajax.php?action=wordfence_logHuman&... request that is currently not accessible.

    My question is: Do I need to keep this and what is the advantage, because my test blog seems to work OK without it (for non-admin users).

    Of course as it is most likely needed, we are checking to see how to allow only that file, yet password protect the rest of the wp-admin folder.

    Many thanks

  • The Wpbeginner article you linked to also contains an additional section which explains how to exclude admin-ajax.php from HTTP-AUTH, is that not working for you? It's worked for me for over a year and my ajaxified plugins work without issue for non-logged-in users.

  • You can still password protect the admin. Just allow access to admin-ajax in the wp-admin .htaccess file with this rule:

    Order allow,deny
    Allow from all
    Satisfy any

  • Hello
    Solved by adding the following lines to the file public_html/wp-admin/.htaccess:

    # Allow plugin access to admin-ajax.php around password protection

    Order allow,deny
    Allow from all
    Satisfy any

    I don't have the problem any more, and the wp-admin folder is still protected.
    Regards!

  • Well, if password protecting wp-admin breaks AJAX calls, it means that it's done incorrectly. You should always allow admin-ajax.php calls without a password. And it's really easy to do - just add these lines to your .htaccess file:

    Order allow,deny
    Allow from all
    Satisfy any

    But asking people not to password protect wp-admin just because some of them do it wrong is really bad advice. Especially if it comes from people involved in WordPress security...

    • Well, it should be:

      <Files admin-ajax.php>
      Order allow,deny
      Allow from all
      Satisfy any
      </Files>

      • THANK YOU! Huge help!

  • Hi, I would love to hear Mark's thoughts on protecting it, but with the exception for Ajax. Is it still a bad idea? Is it a worthless exercise? Or does it convey some hardening?

    I don't know

  • Just password protect wp-login.php, problem solved

    • Hi, I did have that file password protected, but still I got hacked. Somehow, the toads managed to upload a fake French bank site to my wp-includes folder. All of that was before I found Wordfence, and fortunately nothing bad since, but I did do a lot of reading after that, some of which Mark now says is a bad idea.
      I now don't know what to do - I can see his point, but my ajax is working apparently fine with a wp-admin protected directory.
      I guess I will take his advice, and remove that protection, but I am a bit nervous to do so!!

  • I have to password protect wp-admin/ but allow permissions to admin-ajax via .htaccess. Works fine. It's not so much actual hacks but the sheer volume of bots loading wp-login.php and trying to log in.