By password-protecting your wp-admin folder while whitelisting admin-ajax.php you add an additional layer of security in front of the WordPress dashboard. This second set of credentials is checked by the web server before any WordPress code runs, so it makes a real security difference: everything under wp-admin stays out of reach of anyone who does not hold both the Apache password and a WordPress login.
It is better to be safe than sorry, because in practice sorry usually means you have been hacked.
Security is one of the most overlooked factors among beginner bloggers, and an unattended WordPress installation has quite a number of weak points, the login area being the most obvious. We have added links at the bottom of this post to pages that you really should read.
Whitelisted admin-ajax.php Explained
Putting ordinary HTTP Basic authentication on the whole wp-admin folder interferes with your visitors, not just with you. The WordPress Ajax handler script, admin-ajax.php, lives in the wp-admin directory, and themes and plugins call it from the front end for logged-out users as well (live search, comment pagination, contact forms and the like). Password-protecting the directory without an exception for this file therefore breaks every Ajax feature on the public site: the browser receives a 401 from Apache instead of a response from WordPress. Whitelisting admin-ajax.php, and only that file, caters to your users' Ajax requirements while keeping the rest of the admin area behind the extra password.
Preparation
You need to know how to edit files on your server and create new ones; if that is unfamiliar, please see the links below. If you are ready, let's begin.
Create and edit your htaccess file
Navigate to /path/to/wordpress/wp-admin/ and create a .htaccess file there. Paste in the following snippet, change the AuthUserFile path to wherever your .htpasswd file lives, and save:

    AuthType Basic
    AuthName "Auth Required"
    AuthUserFile /path/to/.htpasswd
    Require valid-user

    # Whitelist the Ajax handler: this one file may be fetched without a password
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

The Files block is the part that matters. Satisfy any tells Apache that for admin-ajax.php either a valid login or a matching Allow rule is enough, and Allow from all matches everyone, so that single file stays reachable while every other file in wp-admin still requires the password. Do not place those three directives outside the Files block: at directory level they lift the password requirement from the whole of wp-admin, and Apache will not warn you.
Read the HTPasswd Generator link below if you need help creating usernames and their hashed passwords for the .htpasswd file, or use the htpasswd tool that ships with Apache (apache2-utils on Debian-based systems) and never paste a real password into a third-party website.
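As an added example (this is not code from the original post), the following POSIX shell script carries the procedure through: it hashes a password into the .htpasswd format with openssl, writes the wp-admin/.htaccess shown above, and then checks that no Satisfy directive has ended up outside the Files block, since that is the mistake that silently removes the password requirement. It assumes openssl is installed (htpasswd -B from apache2-utils is the alternative); the WordPress path and the /path/to/.htpasswd location are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and openssl;
# the install path and .htpasswd path used below are hypothetical placeholders.
set -eu

# Produce one .htpasswd line. The $apr1$ (MD5-crypt) format is understood by
# mod_authn_file in every Apache release. The optional fixed salt exists only
# to make output reproducible; leave it out in real use so openssl picks one.
gen_htpasswd_line() {
    user=$1
    pass=$2
    salt=${3:-}
    if [ -n "$salt" ]; then
        hash=$(openssl passwd -apr1 -salt "$salt" "$pass")
    else
        hash=$(openssl passwd -apr1 "$pass")
    fi
    printf '%s:%s\n' "$user" "$hash"
}

# Write wp-admin/.htaccess: password on the directory, Ajax handler exempted.
write_htaccess() {
    target=$1
    passwd_file=$2
    cat > "$target" <<EOF
AuthType Basic
AuthName "Auth Required"
AuthUserFile $passwd_file
Require valid-user

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# Return 0 only if every Satisfy directive sits inside a <Files ...> section.
# A Satisfy any at directory level, combined with Allow from all, makes Apache
# skip the password check for the whole of wp-admin.
htaccess_is_sane() {
    awk '
        /^[ \t]*<Files/             { inside = 1 }
        /^[ \t]*<\/Files>/          { inside = 0 }
        /^[ \t]*Satisfy/ && !inside { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Deployment, left commented out: replace the placeholder paths with your own.
# WP=/path/to/wordpress
# umask 077
# gen_htpasswd_line admin 'a-long-random-password' >> /path/to/.htpasswd
# write_htaccess "$WP/wp-admin/.htaccess" /path/to/.htpasswd
# htaccess_is_sane "$WP/wp-admin/.htaccess" && echo "wp-admin/.htaccess looks right"
```

Run the sanity check again whenever you touch the file; a quick curl -I against /wp-admin/ should answer 401 and against /wp-admin/admin-ajax.php should answer anything but 401. If your Apache build supports it, prefer bcrypt hashes (htpasswd -B) over $apr1$, which is MD5-based and cheap to brute-force offline if the .htpasswd file ever leaks.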
Be aware
Upgrading WordPress manually replaces the whole wp-admin directory, so the .htaccess file you created there is lost; make a note to put it back after a successful upgrade. Keep the .htpasswd file outside the web root, as the /path/to/.htpasswd placeholder suggests, so it can never be downloaded. Plugins that handle front-end form submissions through wp-admin/admin-post.php will be locked out as well; if one stops working, whitelist admin-post.php with a second Files block in the same way. wp-login.php itself lives in the site root, not in wp-admin, so this file does not put a password on the login form; if you want that too, protect wp-login.php from the root .htaccess with the same AuthUserFile. Finally, Order, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent inside the Files block is a single Require all granted.
In conclusion
Once the file is in place, your browser will ask for the username and password before it serves anything under /wp-admin/, and it remembers the credentials until you close it, so you are asked at most once per browser session. If that feels tedious, weigh it against the hours, days or weeks it takes to rebuild a hacked site from scratch.
Further Reading
- Hardening WordPress (codex.wordpress.org)
- 15 Ways To Harden Security (wpengine.com)
- What is Ajax? (codex.wordpress.org)
- Whitelisting (en.wikipedia.org)
- Authentication and Authorisation (apache.org)
- HTPasswd Generator (web2generators.com)