By whitelisting admin-ajax.php you can add an extra layer of security to your wp-admin folder: the whole directory sits behind HTTP Basic authentication while the one file that frontend Ajax depends on stays reachable. Utilising this form of authentication can make a big security difference.
Out there, it’s better safe than sorry, because generally speaking, too much of the time sorry means you’ve been hacked.
Security is one of the most overlooked factors amongst beginner bloggers. In an unsupervised WordPress installation there are quite a number of potential vulnerabilities. We have added links at the bottom of this post to pages that you really should read.
Whitelisted admin-ajax.php Explained
Traditionally, putting 'normal' Basic authentication on the whole wp-admin folder interferes with other users: every frontend Ajax call goes through wp-admin/admin-ajax.php, so ordinary visitors get a password prompt or a failed request instead of the content they asked for. By protecting only the parts that need it you cater to both your users' Ajax requirements and your needs as an administrator.
The WordPress Ajax handler script, admin-ajax.php, lives in the wp-admin directory and needs to be whitelisted. Without whitelisting this file, password-protecting the admin area breaks all Ajax functionality your site uses on the frontend, because those requests are sent by the visitor's browser, which has no Basic auth credentials to offer.
You need to know how to edit your files, including creating new ones; if you are not familiar with this, please see the links below. If you are ready, let's begin.
Create and edit your .htaccess file
Go to /path/to/wordpress/wp-admin/ and create a .htaccess file there. Then paste in the following snippet (remember to save).
# Everything under wp-admin/ requires a valid user from the .htpasswd file
AuthType Basic
AuthName "Auth Required"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Exempt the Ajax handler so frontend requests keep working
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
Read the HTPasswd Generator link below if you need help with creating usernames and their associated hashed passwords for your .htpasswd file. Keep that file outside the web root (the AuthUserFile path above is a placeholder) so it can never be downloaded.
Upgrading WordPress manually (replacing the wp-admin directory) will remove this .htaccess file; make a note to yourself to put it back after a successful upgrade.
Once in place, the browser prompts for the username and password the first time you request anything under /wp-admin/ (at least once per session, before you are allowed to view the login page) and remembers them until you quit the browser. If you believe this is tedious, weigh up the inconvenience against the hours, days or weeks spent rebuilding a hacked site from scratch.
- Hardening WordPress (codex.wordpress.org)
- 15 Ways To Harden Security (wpengine.com)
- What is Ajax? (codex.wordpress.org)
- Whitelisting (en.wikipedia.org)
- Authentication and Authorisation (apache.org)
- HTPasswd Generator (web2generators.com)