Viewing 14 replies - 1 through 14 (of 14 total)
  • dwinden

    (@dwinden)

    @novawebse

    I fail to see how this question relates to the iTSec plugin ?
    Perhaps you can explain the issue a bit more.

    dwinden

    Thread Starter novawebse

    (@novawebse)

    We use a plugin for quotes that makes a call to wp-admin/admin-ajax.php.
    Since we use iThemes Security, we access wp-admin with admin-123sales.
    Example:
    https://www.nova-web.org/preventivi/
    This plugin uses (admin-ajax.php).
    Without (admin-ajax.php) the quotes do not work.
    How can we make an exception for read-only files on that ???
    Thank you so much.

    dwinden

    (@dwinden)

    @novawebse

    Ok, I see.

    I think https://www.nova-web.org/novasecurity/wp-admin/admin-ajax.php works just fine as it returns 0. If the admin-ajax.php file is not accessible it would return a 404 error (page not found).
    Only when using ?action=category_ajax_request or ?action=get_currency_ajax_request a 404 is returned.
    However ?action=test does not return a 404 …

    I also did a quick admin-ajax.php test in my own env while using a secret login slug. It works just fine.

    dwinden

    Thread Starter novawebse

    (@novawebse)

    This is the script call:
    <script type="text/javascript">
    var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
    </script>
    This gives me an error.

    dwinden

    (@dwinden)

    @novawebse

    What error ?

    Try alert(ajaxurl);

    dwinden

    Thread Starter novawebse

    (@novawebse)

    I disabled iThemes Security; you can see that it now works completely.

    look
    https://www.nova-web.org/preventivi/

    dwinden

    (@dwinden)

    @novawebse

    Thank you. That makes things a little bit clearer.
    Ok, so you have proven there is something going wrong when the iTSec plugin is activated.

    I have proven that the admin-ajax.php file can be accessed while using the Hide Backend secret login slug. So that is not the problem.

    What happens when you activate the iTSec plugin but disable the Hide Backend setting ?

    I think you will need to have a look at the code of the category_ajax_request and get_currency_ajax_request ajax callback functions. Or post the code of those php functions somewhere on the internet so I can have a look at it.

    Also check the error_log for any errors.

    dwinden

    dwinden

    (@dwinden)

    @novawebse

    Oh wait ! One moment …

    dwinden

    dwinden

    (@dwinden)

    @novawebse

    Activate the iTSec plugin and if enabled disable the Filter Suspicious Query Strings in the URL setting in the System Tweaks section on the Settings page.

    It blocks http requests with ‘request’ string in the url …
    Like:
    https://www.nova-web.org/novasecurity/wp-admin/admin-ajax.php?action=category_ajax_request&category=13301

    dwinden
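
The diagnosis in the reply above (admin-ajax.php itself answers, and only requests whose query string contains 'request' get a 404) can be checked against a web server access log. This is an added example, not part of the thread or of the iTSec plugin; the log lines are constructed, and the token list holds only the one string named in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Only 'request' is confirmed by the thread; add tokens from your own filter rules.
FILTERED_TOKENS = ("request",)

# Constructed access-log lines modelled on the URLs quoted in the thread.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2016:10:00:01 +0000] "GET /novasecurity/wp-admin/admin-ajax.php HTTP/1.1" 200 1
198.51.100.7 - - [01/Jan/2016:10:00:02 +0000] "GET /novasecurity/wp-admin/admin-ajax.php?action=test HTTP/1.1" 200 1
198.51.100.7 - - [01/Jan/2016:10:00:03 +0000] "GET /novasecurity/wp-admin/admin-ajax.php?action=category_ajax_request&category=13301 HTTP/1.1" 404 512
198.51.100.7 - - [01/Jan/2016:10:00:04 +0000] "GET /novasecurity/wp-admin/admin-ajax.php?action=get_currency_ajax_request HTTP/1.1" 404 512
198.51.100.7 - - [01/Jan/2016:10:00:05 +0000] "GET /novasecurity/wp-admin/admin-ajax.php?action=missing_thing HTTP/1.1" 404 512
'''

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+" (\d{3})')


def triage(log_text, tokens=FILTERED_TOKENS):
    """Map each admin-ajax.php action seen in the log to a verdict."""
    rows = []
    for target, status in REQUEST_RE.findall(log_text):
        url = urlsplit(target)
        if url.path.endswith("/admin-ajax.php"):
            rows.append((url.query, int(status)))
    # If any request to the file was not a 404, the file itself is reachable.
    reachable = any(status != 404 for _, status in rows)
    verdicts = {}
    for query, status in rows:
        action = parse_qs(query).get("action", ["(none)"])[0]
        # The filter looks at the whole query string, not just the action value.
        hit = next((t for t in tokens if t in query.lower()), None)
        if status != 404:
            verdicts[action] = "ok"
        elif hit and reachable:
            verdicts[action] = f"likely filter false positive: '{hit}' in query string"
        elif reachable:
            verdicts[action] = "404 not explained by the token list"
        else:
            verdicts[action] = "endpoint itself unreachable"
    return verdicts


if __name__ == "__main__":
    for action, verdict in triage(SAMPLE_LOG).items():
        print(f"{action:32} {verdict}")
```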

    dwinden

    (@dwinden)

    @novawebse

    If you require no further assistance please mark this topic as ‘resolved’.

    dwinden

    dwinden

    (@dwinden)

    @novawebse

    If you require no further assistance please take a moment to mark this topic as ‘resolved’.

    dwinden

    dwinden

    (@dwinden)

    @novawebse

    Please show some respect for the solution provided and mark this topic as ‘resolved’.

    dwinden

    Hi, I have the same problem but with the file admin-post.php.
    I checked and the Suspicious Query Strings option is not checked.
    I have also installed the Wordfence plugin, but it does not seem to interfere, because I can do the requests if I disable the iThemes Security plugin.
    Do you have any idea?

    @dwinden I ran into this issue on a client site. Your solution is correct “disable the Filter Suspicious Query Strings in the URL setting in the System Tweaks section on the Settings page” works like a charm. This post saved me some time. Thank you.

  • The topic ‘exception wp-admin/admin-ajax.php’ is closed to new replies.