
We are having some issues with an external developer.

We want to limit access to the wp-admin site to internal access only (via VPN). Simply so it will not be attacked by external users. We can enumerate the admins from the site and do not want them to be phished.

Our developer is saying we can't do that because the site needs to have the admin page accessible externally so the page will function. specifically the admin-ajax page.

What does the admin-ajax.php page do?

It is located in the admin section of WordPress. Is it accessed unauthenticated by end users? Is it an unsafe practice to have this available to external users?

asked Dec 27, 2012 at 14:50 by nick; edited Aug 31, 2016 at 17:47 by Ethan Rævan
  • 1 ajax-admin.php handles.. ajax requests. Please clear your title up and the question in general, wordpress.stackexchange/faq – Wyck Commented Dec 27, 2012 at 15:49

3 Answers

Answer score: 15

admin-ajax.php is part of the WordPress AJAX API, and yes, it does handle requests from both backend and front. Try not to worry about the fact that it is in wp-admin. I think that is a strange place for it too, but it is not a security problem in itself. How this relates to "enumerate the admins", I don't know.

For unauthenticated and untrusted users, you'll want to make two specific exceptions to your VPN / Firewall / Apache .htaccess, which are:

  • example/wp-admin/admin-post.php
  • example/wp-admin/admin-ajax.php

These are two auto-magic endpoints used a lot by both internal WP and also various plugins.

Here's some explanation of what admin-post.php does:

  • https://www.sitepoint/handling-post-requests-the-wordpress-way/

admin-ajax.php works in a very similar way, and a helpful explanation is here.

If you want to limit access to the WP backend (ex: wp-admin), just use a .htaccess rule on the wp-admin directory.

Check out this article for a general overview: Password Protect a Directory Using .htaccess

Also check out this topic for your specific case: Password protecting /wp-admin/
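As an added example (not the answerer's code), an Apache 2.4 `.htaccess` for the `/wp-admin/` directory that applies the VPN-only restriction while leaving the two endpoints public; the `10.8.0.0/24` range and the Apache 2.4 `Require` syntax are assumptions.

```apache
# .htaccess placed in /wp-admin/ (assumed Apache 2.4+ syntax, mod_authz_core).
# Goal: only the internal VPN range may load the admin UI, while the two
# endpoints WordPress core and plugins call from the public front end stay
# reachable, so the site keeps working for anonymous visitors.

# 1. Default for everything under /wp-admin/: allow only the VPN subnet.
#    10.8.0.0/24 is a placeholder; replace it with your real VPN client range.
<IfModule mod_authz_core.c>
    Require ip 10.8.0.0/24
</IfModule>

# 2. Exceptions: the two endpoints the answer says must remain public.
#    With the default AuthMerging Off, the Require inside a <Files> section
#    replaces the directory-level Require for that file.
#
#    Caveat: admin-ajax.php still executes any plugin action registered with
#    the wp_ajax_nopriv_* hook for anonymous callers. This exemption keeps the
#    login-required admin pages off the public internet; it does not shrink
#    the surface of those unauthenticated AJAX actions, so keep plugins patched.
<Files "admin-ajax.php">
    Require all granted
</Files>
<Files "admin-post.php">
    Require all granted
</Files>

# Note: wp-login.php lives in the site root, not in /wp-admin/, so this file
# alone does not hide the login form; the same Require ip rule would have to
# be applied to it from the root .htaccess if that is also wanted.
```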

Tags: How does adminajaxphp work