
Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress.

This entry was posted in Wordfence, WordPress Security on May 7, 2014 by Mark Maunder

There are many helpful articles like this one that explain how to add “another level of security” to your website by password protecting access to the /wp-admin folder.

The trouble with doing this is that you break ALL ajax in WordPress for non-logged in users.

This page in the WordPress codex explains how plugin developers should implement ajax. Specifically:

Note 2: Both front-end and back-end Ajax requests use admin-ajax.php

Remember, admin-ajax.php lives in /wp-admin/admin-ajax.php.

So by password protecting that directory you’re blocking access to that script which means that all publicly accessible AJAX functionality for WordPress breaks.

Every week I get an email or two from someone who has password protected this directory and wonders why a specific function in our plugin (that relies on a public ajax handler) doesn’t work and I have to explain the above.
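To make the failure mode concrete, here is an added example (not code from the original post or from Wordfence) that audits the body of a wp-admin/.htaccess and reports whether directory-wide HTTP basic auth is present and whether admin-ajax.php has been exempted with the Apache 2.2 "Allow from all / Satisfy any" block discussed in the comments. Both .htaccess samples are constructed for the example; the file path in AuthUserFile is a placeholder.

```python
import re

# Constructed sample: HTTP basic auth on the whole wp-admin directory, no exemption.
HTACCESS_BROKEN = """\
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user
"""

# Constructed sample: the same protection plus the admin-ajax.php exemption
# posted in the comments (Apache 2.2 access-control syntax).
HTACCESS_FIXED = HTACCESS_BROKEN + """
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

# Matches a <Files NAME> ... </Files> section and captures its name and body.
FILES_RE = re.compile(r'<Files\s+"?([^\s">]+)"?\s*>(.*?)</Files>', re.I | re.S)

def audit_wp_admin_htaccess(text):
    """Return (protected, ajax_exempted) for the body of a wp-admin/.htaccess."""
    # Directory-level directives are everything outside <Files> sections.
    top = [line.strip() for line in FILES_RE.sub("", text).splitlines()
           if line.strip() and not line.strip().startswith("#")]
    has_auth = any(line.lower().startswith("authtype") for line in top)
    requires_user = any(re.match(r"require\s+valid-user", line, re.I) for line in top)
    protected = has_auth and requires_user
    ajax_exempted = False
    for name, body in FILES_RE.findall(text):
        if name.lower() != "admin-ajax.php":
            continue
        directives = {line.strip().lower() for line in body.splitlines() if line.strip()}
        # "Satisfy any" lets the Allow rule alone satisfy the request, bypassing auth.
        if "allow from all" in directives and "satisfy any" in directives:
            ajax_exempted = True
    return protected, ajax_exempted

def verdict(text):
    protected, exempted = audit_wp_admin_htaccess(text)
    if protected and not exempted:
        return "BROKEN: anonymous calls to /wp-admin/admin-ajax.php will be refused (401)"
    if protected:
        return "OK: wp-admin protected, admin-ajax.php exempted"
    return "UNPROTECTED: no directory-level HTTP auth found"
```

The same check can be run against a live site by requesting /wp-admin/admin-ajax.php without credentials: a 401 means front-end AJAX is blocked, while WordPress itself answers an action-less request with a 400 and the body "0".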


14 Comments on "Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress."

TenguTech May 8, 2014 at 4:12 am

Well, wouldn't it be easier if WordPress moved the non-admin ajax out of the /wp-admin/ directory?

mark May 9, 2014 at 10:43 am

Yes agreed, but that's a huge change that comes with its own challenges.

Regards,

Mark.

Rishi May 12, 2014 at 6:47 am

Hi,

Just curious what Wordfence uses this Ajax for. I password protected my wp-admin folder (on my test site) for security reasons, and prefer it to stay this way depending on what Wordfence needs to do. The admin-ajax.php is not currently accessible, so every page has a /wp-admin/admin-ajax.php?action=wordfence_logHuman&... request that is currently not accessible.

My question is: Do I need to keep this and what is the advantage, because my test blog seems to work OK without it (for non-admin users).

Of course as it is most likely needed, we are checking to see how to allow only that file, yet password protect the rest of the wp-admin folder.

Many thanks

TeeDev May 19, 2014 at 11:16 pm

The Wpbeginner article you linked to also contains an additional section which explains how to exclude admin-ajax.php from HTTP-AUTH, is that not working for you? It's worked for me for over a year and my ajaxified plugins work without issue for non-logged-in users.

Matt July 31, 2014 at 9:09 am

You can still password protect the admin. Just allow access to admin-ajax in the wp-admin .htaccess file with this rule:

# Scope the exemption to admin-ajax.php only; without the <Files> wrapper these
# directives would apply to the whole wp-admin directory and disable the password.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Donato Barragan May 22, 2015 at 6:35 am

Hello
Solved, by adding the following lines to the file public_html/wp-admin/.htaccess:

# Allow plugin access to admin-ajax.php around password protection
# (scoped to that one file so the rest of wp-admin stays protected)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

I don't have the problem anymore, and the wp-admin folder remains protected.
Regards!

Krzysiek Dróżdż August 17, 2015 at 12:31 am

Well, if password protecting wp-admin breaks AJAX calls it means that it's done incorrectly. You should always allow admin-ajax.php calls without password. And it's really easy to do - just add these lines to your .htaccess file:

Order allow,deny
Allow from all
Satisfy any

But asking people not to password protect wp-admin just because some of them do it wrong is really bad advice. Especially if it comes from people involved in WordPress security...

Krzysiek Dróżdż August 17, 2015 at 12:32 am

Well, it should be:

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Kim June 6, 2017 at 6:39 am

THANK YOU! Huge help!

ian November 3, 2015 at 5:42 am

Hi, I would love to hear Mark's thoughts on protecting it, but with the exception for Ajax. Is it still a bad idea? Is it a worthless exercise? Or does it convey some hardening?

I don't know

Gabriel November 6, 2015 at 7:08 pm

Just password protect wp-login.php, problem solved

ian November 16, 2015 at 5:18 am

Hi, I did have that file password protected, but still I got hacked. Somehow, the toads managed to upload a fake French bank site to my wp-includes folder. All of that was before I found Wordfence, and fortunately nothing bad since, but I did do a lot of reading after that, some of which Mark now says is a bad idea.
I now don't know what to do - I can see his point, but my ajax is working apparently fine with a wp-admin protected directory.
I guess I will take his advice, and remove that protection, but I am a bit nervous to do so!!

Daniel Crabbe June 19, 2017 at 3:14 am

I have to password protect wp-admin/ but allow permissions to admin ajax via .htaccess. Works fine. It's not so much actual hacks but the sheer volume of bots loading wp-login.php and trying to log in.
