21

We are having some issues with an external developer.

We want to limit access to the wp-admin site to internal access only (via VPN). Simply so it will not be attacked by external users. We can enumerate the admins from the site and do not want them to be phished.

Our developer is saying we can't do that because the site needs to have the admin page accessible externally so the page will function. specifically the admin-ajax page.

What does the admin-ajax.php page do?

It is located in the admin section of WordPress. Is it accessed unauthenticated by end users? Is it an unsafe practice to have this available to external users?

Improve this question
1

4 Answers 4

Reset to default
14

admin-ajax.php is part of the WordPress AJAX API, and yes, it does handle requests from both backend and front. Try not to worry about the fact that it is in wp-admin. I think that is a strange place for it too, but it is not a security problem in itself. How this relates to "enumerate the admins", I don't know.

Improve this answer
3
  • would you recommend moving the wp admin page from being externally available? and do you know if doing so would disrupt anything with the ajax admin?
    – nick
    Commented Dec 27, 2012 at 16:38
  • I am not 100% sure what this means but if you require that access to files in wp-admin be from your VPN's IP, then yes that should mess up AJAX. AJAX calls are from the user's browser so come from the user's IP.
    – s_ha_dum
    Commented Dec 27, 2012 at 16:52
  • 1
    Can you explain why, specifically, it is not a security problem for us n00bs? Otherwise, decent answer.
    – daaxix
    Commented Apr 28, 2015 at 18:53
8

For unauthenticated and untrusted users, you'll want to make two specific exceptions to your VPN / Firewall / Apache .htaccess, which are:

  • example.com/wp-admin/admin-post.php
  • example.com/wp-admin/admin-ajax.php

These are two auto-magic endpoints used by a lot by both internal WP and also various plugins.

Here's some explanation of what admin-post.php does:

admin-ajax.php works in a very similar way, and a helpful explanation is here.

Improve this answer
4

If you want to limit access to the WP backend (ex: wp-admin), just use a .htaccess rule on the wp-admin directory.

Check out this article for a general overview: Password Protect a Directory Using .htaccess

Also check out this topic for your specific case: Password protecting /wp-admin/

Improve this answer
1
1

My personal opinion is that this is a god awful idea. About two months ago our director of development insisted we do just this, much against the advice of the Dev team. It's a genuine nightmare and an incredible pain for us, not only does it kill ajax all together it presents so many administration issues for us.

We have 40 regular staff and 4 devs trying to use the vpn at times and it just stutters, along with that all users now require two sets of passwords one for wp and one for vpn and that's not just a shared password it's individual ones, I mean how else would you do a security audit. It's hard enough to remember one secure password, let alone two.

Add to the issue that a lot of people do not know how to use a vpn and often that just causes more issues.

Ultimately it's a terrible idea and it's often put forward by management or higher who do not know or understand WordPress. They see it in a terrible light, that because it's open source it must also be a security issue, filled with easily tapped exploits and so on.... its getting old.

WordPress is secure and sticking wp-admin behind a vpn is not only fear mongering it presents a nightmare for every member of the team

Why is it that management types have no trust when it comes to WordPress, they seem to forget major sites use WordPress and don't use vpns, look at mashable for example.

So to recap:

Ajax won't work behind a vpn.

Vpn is a terrible idea for reasons mentioned above

WordPress is secure and will remain so if you keep it and plugins up to date.

Listen to your Dev, you pay them for their expertise. I can promise you, that nothing undermines a working relationship like not putting your trust into an individual and having to check up on their knowledge.

If you do go with vpn, be sure to buy enough user licenses.

Improve this answer
3
  • 14
    I don't have enough points to downvote you yet, but I would if I did. You go on a rant about trusting your developers, but nowhere do you say 1) what it does, or 2) why it is ok in wp-admin. I'm not impressed with this answer.
    – daaxix
    Commented Apr 28, 2015 at 18:52
  • 2
    Vulnerable plugins can be exploited with admin-ajax.php depending on how the plugin is developed. Many plugins do not undergo static or dynamic code analysis for vulnerability testing. WordPress core is also constantly fixing vulnerabilities. If you follow WordPress security guidelines, which include hardening like restricting wp-admin, keeping everything up-to-date, and limiting the plugins you install, your exposure is more limited. You are not, however, 100% secure.
    – tacotuesday
    Commented Aug 26, 2019 at 20:33
  • 1
    Well WP has a horrible track concerning security. Mostly due to bad plugins, but also in the core. And due to its popularity, there are lots of bots that just scan the WWW and hack as many wp sites as they can. There are other open source projects that do a way better job at security. I like wordpress, it's easy to setup and I think its perfectly fine for blogs and small sites. But using it for stuff like online shops that store sensible data like credit cards is really a bad idea. Simply blocking access to /wp-admin might not be a good idea, but you should definitely worry about security.
    – Gellweiler
    Commented Mar 26, 2020 at 18:30

Not the answer you're looking for? Browse other questions tagged or ask your own question.