[wp-hackers] wp-admin folder and admin-ajax.php

Gavin Pearce Gavin.Pearce at 3seven9.com
Wed Aug 11 09:14:44 UTC 2010

Thanks Westi!

Out of interest then, and in that case - how would you personally best
handle non-auth, front-end, AJAX (and then having access to the various
WP instances/classes/DB) without hooking into the WordPress AJAX
function at admin-ajax.php?

All the main guides seem to point towards using admin-ajax ...



-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Peter
Sent: 11 August 2010 09:53
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] wp-admin folder and admin-ajax.php

On 9 Aug 2010, at 14:54, scribu wrote:

> On Mon, Aug 9, 2010 at 4:27 PM, Gavin Pearce <Gavin.Pearce at 3seven9.com> wrote:
>> Does anyone know of any plans or discussions, regarding a
>> "configuration" option for moving the wp-admin folder? Is it in the
>> pipeline?
> No discussions that I'm aware of.

Highly unlikely.

>> Working on hardening a WordPress install for a security conscious
>> client, I can't IP restrict the wp-admin folder, because
>> is sometimes required by the front-end. Seems a strange idea to me!
>> (Obviously ways around this, just seems a strange way of doing things
>> maybe someone can explain why?).
>> Can't find a ticket open for either of the above, but maybe I'm being
>> blind!
> A front-end ajax handler has been proposed before:
> http://core.trac.wordpress.org/ticket/12400

We toyed for a very short time with a front end ajax handler and the
problem is that for significantly important security reasons we send
different cookies for front end page views than we do for admin ones.

Basically on the front end we have a cookie to say that you are logged
in but that doesn't actually authorise you to perform any actions and
for the admin we have the authorisation cookie.

This makes it much easier to ensure that a site is well protected
against XSS issues allowing people to steal your cookies.

If you have a plugin that is using admin-ajax for something which
doesn't require authentication then it should likely be rewritten to not
require access to admin-ajax otherwise you want it to use it for the
improved security.


Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
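
The cookie split described in the message above, as an added example that is not part of the original thread and is not WordPress code: it applies the RFC 6265 path-match rule to a constructed cookie jar to show which cookies accompany a front-end request and which accompany a request to admin-ajax.php. The cookie names and paths follow WordPress defaults as an assumption (simplified to the two cookies the message describes), `HASH` is a placeholder for the per-site suffix, and `/ajax-handler.php` is a hypothetical front-end handler.

```javascript
// RFC 6265 (section 5.1.4) path-match: is a cookie scoped to cookiePath
// attached to a request for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed cookie jar for a logged-in user. Names and paths follow
// WordPress defaults (assumption); HASH stands in for the per-site suffix.
const JAR = [
  { name: "wordpress_logged_in_HASH", path: "/", authorises: false },
  { name: "wordpress_HASH", path: "/wp-admin", authorises: true },
];

// Names of the cookies the browser would send with a request for requestPath.
function cookiesSentTo(requestPath, jar = JAR) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// True when the request carries a cookie that can authorise an action.
function carriesAuthorisation(requestPath, jar = JAR) {
  return jar.some((c) => c.authorises && pathMatches(requestPath, c.path));
}

// Constructed request paths: a front-end page, a hypothetical front-end
// handler, a look-alike directory, and the real admin-ajax.php endpoint.
const SAMPLE_PATHS = [
  "/2010/08/hello-world/",
  "/ajax-handler.php",
  "/wp-admin-old/admin-ajax.php",
  "/wp-admin/admin-ajax.php",
];

// One row per sample path: cookies sent and whether any can authorise.
function report(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({
    path: p,
    cookies: cookiesSentTo(p),
    authorised: carriesAuthorisation(p),
  }));
}

console.table(report().map((r) => ({ ...r, cookies: r.cookies.join(", ") })));
```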
