Error 403 on admin-ajax
-
Hello, I’ve been using your plugin for a few years. But after the update, I get an error when using ajax in the back end: 403 on admin-ajax.php, for example when I want to add a menu item. When I remove the plugin, it works.
Can you help? Thanks
-
Same Error 403 on admin-ajax, spent hours to find out.
Hi
I stumbled across this thread and thought I’d add some context. In case someone doesn’t know, the /wp-admin/admin-ajax.php file is a key part of WordPress’ implementation of Ajax. It is a PHP script that receives Ajax requests and processes them. WordPress uses this file to handle many different types of requests, such as updating a post, getting a list of posts, or searching for content. Many plugins use it to do things like start a security scan or submit a form. WordPress uses it to refresh the page’s content without reloading it, thus making the page dynamic and interactive to the users. It is important not to block the admin-ajax.php file as this could break many plugins’ actions as well as core WordPress functionality.
What happens sometimes is that admins think that, to protect their sites from being hacked, it is a smart move to rename the /wp-admin login. The problem is that /wp-admin is a URL but it is also a folder path. Blocking that will block /wp-admin/admin-ajax.php, which will cause lots of things to potentially break. It can also break sometimes when you use server level blocking on your server or CDN. Those security measures can be somewhat generic and not written with WordPress in mind. You should make sure you aren’t blocking /wp-admin.
Before people start yelling, I know that there are tons of security blogs and ‘experts’ who publish articles about how renaming /wp-admin is the one thing you need to do to protect your site. This is not true. Even though it can help a little in certain situations it’s ultimately not very beneficial. These are the reasons why:
- Changing WordPress URLs involves a risk of breaking functionality of WordPress themes and plugins.
  For example, WordPress JavaScript XMLHttpRequest object (AJAX) functions are triggered via admin-ajax.php which is located in wp-admin folder. Changing /wp-admin is a URL but it is also a folder path. We have seen plugins that change the admin URL break this functionality unintentionally, but it causes confusion as to what happened, what went wrong, and what was to blame.
- Changing the URL makes us feel more secure but it does not actually make the site more secure.
  It is what many security analysts refer to as “security through obscurity”. It’s like boarding up the front door of your home to protect yourself against a burglary. Someone looking for a quick break in may be deterred, but any seasoned thief is just going to go look for another door or window to get in. Any serious attacker can and will anticipate this and look for other ways in too.
- Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php.
  Those will not be stopped by changing your admin URL. Various plugins will do this for you, but remember that some plugins rely on it (Jetpack posting for one) so you may have to ask the plugin author for ways to avoid that.
To find out what might actually be going on, look at the response the request for admin-ajax.php gets. To do this you’ll need to open your web browser’s development console. There are several tabs there but you’ll want to watch the Console one. Perform the action that resulted in the 404 error. The console should show the admin-ajax.php file being blocked. Right click the URL for the admin-ajax.php file and choose “Reveal in Network Panel”. There will be a Response tab and a Preview tab. This will show you if a security plugin like Sucuri is blocking your access. If the block is at the server level you may see a white page with something like “Forbidden”, etc. Working with your hosting provider can help determine what the cause of the block may be.
Hope this helps someone.
Mia
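The check described in the post above, as an added example that is not part of the original thread: a function that takes the status, headers and body copied from the Network panel and says which layer most likely produced the 403. The marker patterns and the sample responses are constructed assumptions; the `-1` body and the "expired link" page are what WordPress core itself returns with a 403 when a nonce check fails.

```javascript
// Added example: classify a captured 403 for /wp-admin/admin-ajax.php.
// All patterns are illustrative assumptions; extend them for your own stack.

// WordPress ran and rejected the request: failed nonce check ("-1")
// or the "expired link" page (English and French wording).
const WP_EXPIRED = [/link you followed has expired/i, /lien .*expir/i];
// Hypothetical markers for security plugins / WAFs installed on the site.
const SECURITY_PRODUCTS = [/sucuri/i, /wordfence/i];

function classifyAjax403(resp) {
  if (resp.status !== 403) return 'not-a-403';
  const body = (resp.body || '').trim();
  const headerText = Object.entries(resp.headers || {})
    .map(([name, value]) => `${name}: ${value}`)
    .join('\n');

  // 1. Branded block page or branded header: security plugin, WAF or CDN.
  if (SECURITY_PRODUCTS.some((re) => re.test(body) || re.test(headerText))) {
    return 'security-product';
  }
  // 2. PHP executed and WordPress refused the request (nonce or referer check).
  if (body === '-1' || WP_EXPIRED.some((re) => re.test(body))) {
    return 'wordpress-nonce';
  }
  // 3. Bare error page: PHP never ran, check .htaccess and server config.
  if (/forbidden|access denied|don't have permission/i.test(body)) {
    return 'web-server';
  }
  return 'unknown';
}

// Constructed sample responses (not taken from the thread's screenshots).
const SAMPLES = {
  server: { status: 403, headers: { 'content-type': 'text/html' },
    body: "<h1>Forbidden</h1><p>You don't have permission to access this resource.</p>" },
  waf: { status: 403, headers: { 'content-type': 'text/html' },
    body: '<title>Access Denied - Sucuri Website Firewall</title>' },
  nonce: { status: 403, headers: { 'content-type': 'text/html; charset=UTF-8' },
    body: '-1' },
  expired: { status: 403, headers: { 'content-type': 'text/html; charset=UTF-8' },
    body: '<p>Le lien suivi est expiré. Veuillez réessayer.</p>' },
  ok: { status: 200, headers: {}, body: '{"success":true}' },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), classifyAjax403(resp));
}
```

A `wordpress-nonce` result means the request reached WordPress, so the cause is in plugin or theme code rather than in server or CDN blocking rules.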
Thanks for the message.
In my case, no change to the admin URL:
you can see below a screenshot of the network tab, I can’t find the problem. We have the problem only when this plugin is activated.
Thanks a lot
Hi
The first screenshot shows that the /wp-admin/admin-ajax.php file is getting a Forbidden message. The times I have seen this, it was usually a page served by the server itself. You might look for the server IP being blocked in the .htaccess file or in the server configuration somewhere (not the WordPress admin area), but I noticed next to ‘Reglement Sur Les URL De Provenance’ (regulation on referring URLs) it says “strict-origin-when-cross-origin”. That’s part of CORS (security headers) and might be what is breaking here. Reaching out to your hosting provider and sharing those screenshots might help. They’ll also be able to look in the server error logs for information. The second screenshot showing the Preview tab for the failed request says ‘Le lien suivi est expiré Veuillez réessayer’ (The link followed is expired. Please try again). I’m not sure why it would take so long to process that the ajax request times out but I suspect that message is just because the ajax request never is completed.
Hope this helps.
Mia
Hello @eclectic77
Thank you for reporting this issue, and we apologize for the delay in our response. The above-mentioned issue has been fixed with our latest version of the plugin. If the issue persists, we might need further information to investigate it. You can visit our support page, where you’ll find options to chat with us or send an email. Our team is available to assist you and will gladly address any concerns you may have.
Best Regards
Hi
We’ve recently released a fixed version (4.3.4). Please update Popup Builder to the latest version and check if the issue persists. Should you have any questions, you can visit our support page, where you’ll find options to chat with us or send an email. Our team is available to assist you and will gladly address any concerns you may have.
Best Regards