• Dear WordPress Team,

    I am facing an issue: when I restrict the admin panel (wp-admin) by IP, AJAX calls from the frontend don’t work, as they call the ‘wp-admin/admin-ajax.php’ file, which is on the admin side and restricted by IP. Therefore, AJAX doesn’t work for frontend users.

    Any solution? I have set up a website for a big company and my client really needs this, so I am stuck with this problem.

    I believe frontend stuff shouldn’t need to access backend stuff.

    Any Help please. Your kind support is highly appreciated.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress where it belongs and I’ve deleted your identical additional topics.

    How are you restricting IP addresses that can access the back end?

    Most AJAX requests in WordPress (especially prior to the release of the REST API) are made to wp-admin/admin-ajax.php. You’ll need to exclude this file from any restrictions you’ve put in place or AJAX requests by many plugins won’t work.

    • This reply was modified 6 years, 4 months ago by Jacob Peattie.
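
The exclusion described in the reply above, as an added example that is not part of the original thread: an Apache 2.4 `.htaccess` for the `wp-admin` directory that limits the directory to one address while leaving `admin-ajax.php` reachable. It assumes the restriction is enforced at the web server rather than at a network firewall, and `203.0.113.10` is a placeholder address.

```apache
# File: wp-admin/.htaccess
# Assumes Apache 2.4 (mod_authz_core, mod_authz_host) and that
# AllowOverride permits AuthConfig for this directory.
# 203.0.113.10 is a constructed placeholder for the allowed office/VPN address.

# Default for everything under /wp-admin/: only the allowed address.
Require ip 203.0.113.10

# Exception: the AJAX endpoint that visitors' browsers call from the front end.
# <Files> sections are merged after the directory-level rule, so this
# Require replaces the IP restriction for this one file only.
<Files "admin-ajax.php">
    Require all granted
</Files>

# If the site sits behind a reverse proxy or load balancer, Apache sees the
# proxy's address as the client. Configure mod_remoteip for the trusted proxy
# first, otherwise the rule above matches the proxy and not the real client.
```

The login form, `wp-login.php`, lives in the site root and is not covered by this file. With the exception in place, `admin-ajax.php` still applies WordPress's own split between `wp_ajax_` (logged-in) and `wp_ajax_nopriv_` (anonymous) actions.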
    Thread Starter asifriazkhan

    (@asifriazkhan)

    @jdembowski

    I am trying to restrict my admin panel (“wp-admin” folder) to a single IP by using a network firewall. By doing so, my AJAX calls are not working for internet/website customers.

    Thread Starter asifriazkhan

    (@asifriazkhan)

    Dear @jakept,
    Thanks for your reply. But we need to restrict wp-admin by using a firewall, as my client is running one of the leading companies. So, they want to restrict the whole wp-admin folder. See my message above.

    Is there any other way to pull out the functionality like wp-admin/admin-ajax.php and place it outside, so that our website customers don’t have problems with their AJAX calls?

    Thanks in advance; your kind help is highly appreciated.

    OK, I played around a bit and have something that might work. Ideally you’d just exclude the file. It is, as you’ve experienced, typically necessary for the front-end to function. However, with some code you might be able to avoid the issue. To summarize, we will:

    1. Filter the admin_url() function so that any use of the function like admin_url( 'admin-ajax.php' ) will change the URL to a custom URL.
    2. Create a custom URL, https://website.com/ajax/, that we will use to replace the admin-ajax.php URL.
    3. Set it up so that requests to /ajax load the admin-ajax.php file.

    The problem you might have is that if a plugin is not using admin_url( 'admin-ajax.php' ) to create the AJAX URL, but doing something like admin_url() . 'admin-ajax.php' instead, then this won’t work for those plugins.

    So the code for #1 is:

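    // Point admin_url( 'admin-ajax.php' ) at the public /ajax/ endpoint.
    function asifriazkhan_ajax_url( $url, $path ) {
    	// strpos() returns 0 only when $path starts with 'admin-ajax.php'.
    	if ( strpos( $path, 'admin-ajax.php' ) === 0 ) {
    		$url = site_url( '/ajax/' );
    	}
    
    	return $url;
    }
    add_filter( 'admin_url', 'asifriazkhan_ajax_url', 10, 2 );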
    

    So now, any use of admin_url( 'admin-ajax.php' ) in a plugin will return https://website.com/ajax/.

    The next piece is these two functions:

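    // Map /ajax/ to index.php with a custom query variable set.
    // Rewrite rules are cached: re-save Settings > Permalinks once after adding this.
    function asifriazkhan_ajax_rewrite_rule() {
    	add_rewrite_rule( 'ajax/?$', 'index.php?asifriazkhan_ajax=1', 'top' );
    }
    add_action( 'init', 'asifriazkhan_ajax_rewrite_rule' );
    
    // Whitelist the custom query variable so WordPress keeps it on the query.
    function asifriazkhan_ajax_query_vars( $query_vars ) {
    	$query_vars[] = 'asifriazkhan_ajax';
    
    	return $query_vars;
    }
    add_filter( 'query_vars', 'asifriazkhan_ajax_query_vars' );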
    

    With these bits of code https://website.com/ajax/ is now a valid URL, and will give us a custom query variable, asifriazkhan_ajax, which we can use to insert the AJAX functionality.

    So then the last bit of code is to check if the request is for https://website.com/ajax/ using our custom query variable. If it is, we will include admin-ajax.php so that it can handle the request:

    // Hand requests for /ajax/ to admin-ajax.php on the server side.
    function asifriazkhan_ajax_include() {
    	global $wp_query;
    
    	if ( $wp_query->get( 'asifriazkhan_ajax' ) === '1' ) {
    		// ABSPATH already ends with a slash.
    		include ABSPATH . 'wp-admin/admin-ajax.php';
    		exit;
    	}
    }
    add_action( 'template_redirect', 'asifriazkhan_ajax_include' );
    

    Now most, if not all, AJAX requests by plugins should be sent to – and handled by – https://website.com/ajax/, avoiding direct requests to admin-ajax.php, which should solve your problem.

    I’ve tested the code and it works, including for core WordPress AJAX functionality, but it depends on 3rd-party plugins doing their AJAX a certain way.

    Thread Starter asifriazkhan

    (@asifriazkhan)

    Dear @jakept

    Thanks for the detailed message. Let me ask my team to implement it the way you suggested, then I will let you know whether it works or not. Thanks man.

    Thread Starter asifriazkhan

    (@asifriazkhan)

    @jakept
    We have noticed that the solution you have proposed will just change the URL, but the call still goes to the admin-ajax.php file.

    Any other solution? Can we make a clone of this admin-ajax.php and put it outside the wp-admin folder, so that frontend users can easily call it instead of calling wp-admin/admin-ajax.php?

    The admin-ajax.php file will still run, but only from the server. No front end requests are being made directly to the file via HTTP. How exactly are you restricting access to the file? Are you preventing it being run entirely?

    Hi @jakept, the solution you have suggested does not seem to work when the wp-admin folder is completely blocked for public access. Does the admin-ajax file need to be accessible for it to work?

  • The topic ‘Admin restricted with IP but Ajax Calls on frontend is block’ is closed to new replies.