• Resolved f.n174

    (@fn174)


    Usually all WordPress developers use admin-ajax.php for receiving data from AJAX in their plugins.
    But it is also possible to add query vars or receive posted data directly in the main plugin file, and then save that in a global variable.
    This way we can receive posted data in an easier way. But is it safe? And why does everyone use admin-ajax.php in their plugins?
    Thanks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    If you’re wanting to return data to javascript, typically in a JSON format, then you should use the admin-ajax.php method.

    If you’re wanting to return some other form of data, or just receive data from a POST request, then you should use the admin-post.php method instead. It’s basically the same as admin-ajax.php, more or less.

    Both of these methods are preferred over receiving data directly, because they keep the order of operations correct. The request sent to these goes to WordPress first, which passes it to the plugin. If you try to pass the data to the plugin files directly, then WordPress won’t be loaded and the plugin will have to load it itself, reversing the order and making things overly complicated.

    Thread Starter f.n174

    (@fn174)

    Thank you.
    But what if the user sets a password on wp-admin? And what about the fact that when I want to use admin-ajax in the frontend I must print a link to the wp-admin folder? (And many other problems in this approach which make the developer work too much just for sending or receiving a few little strings.)
    Also the other reason is that everything in both ways is the same, because when I receive posted data in my plugin, I store the value in a global variable. And for example I wait until WordPress init happens, then I hook into the init action hook, and by running my function I have access to the core; then I can print something and then use die(), or I can serialize and save the received data.
    I tested this and it works fine; I mean my plugin has access to all core functions without any problem. I also printed and received data in this way and there is no problem in accessing core functions.
    My opinion is that receiving data directly in the plugin file is better, but I'm not sure about security and other problems that may happen for users.
    What do you think about security?

    From a security perspective, if you are using nonces, and validate and sanitize all your data before use, you should be fine.

    I do agree with Samuel, that you should use admin-ajax.php or admin-post.php accordingly. There may not be any issues now, but it’s always best to implement and utilize existing infrastructure as it was intended to be used.
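    The pattern the two replies above describe (route the request through admin-ajax.php for JSON, through admin-post.php for other data, and verify a nonce, check capabilities and sanitize before use), as an added example that is not code from the thread or from WordPress core. The action names, the option key and the `edit_posts` capability choice are assumptions; the WordPress functions called are real core APIs.

```php
<?php
/**
 * Constructed example: one handler behind admin-ajax.php (JSON reply) and one
 * behind admin-post.php (CSV download). Action names, the option key and the
 * capability are hypothetical; the WordPress functions are core APIs.
 */

// Handler for POST admin-ajax.php with action=ex_save_note.
function ex_handle_save_note() {
    // 1. Nonce check. check_ajax_referer() dies with a -1 response on failure,
    //    so nothing below runs for a request that did not carry our token.
    check_ajax_referer( 'ex_save_note', 'nonce' );

    // 2. Authorization. A nonce is not an authorization check: any visitor who
    //    can load the page can obtain one, so a write still needs a capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Validate and sanitize before the value is stored or echoed anywhere.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( '' === $note || strlen( $note ) > 500 ) {
        wp_send_json_error( array( 'message' => 'Note must be 1-500 characters' ), 400 );
    }

    update_option( 'ex_last_note', $note );

    // 4. JSON reply. wp_send_json_success() sets the content type and calls die().
    wp_send_json_success( array( 'saved' => $note ) );
}
// Logged-in users only. A wp_ajax_nopriv_ex_save_note hook would expose the
// handler to anonymous visitors, which this write endpoint does not want.
add_action( 'wp_ajax_ex_save_note', 'ex_handle_save_note' );

// Handler for admin-post.php with action=ex_export_notes: non-JSON output.
function ex_handle_export_notes() {
    // Nonce from a normal form or link (wp_nonce_field()/wp_nonce_url());
    // check_admin_referer() dies on failure.
    check_admin_referer( 'ex_export_notes', '_wpnonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    $note = (string) get_option( 'ex_last_note', '' );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="notes.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'note' ) );
    fputcsv( $out, array( $note ) );
    fclose( $out );
    exit; // stop WordPress from emitting anything after the CSV body
}
add_action( 'admin_post_ex_export_notes', 'ex_handle_export_notes' );
```

Both handlers run after WordPress has fully loaded, which is the "order of operations" point made above: core, the active plugins and the current user are already set up when the hook fires, so `current_user_can()` and the nonce helpers work without the plugin bootstrapping anything itself. Mirror the same three steps (nonce, capability, sanitization) in any handler you add under `wp_ajax_nopriv_*` or `admin_post_nopriv_*`, remembering that for anonymous visitors the nonce only ties the request to a page load and grants no rights.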

    Thread Starter f.n174

    (@fn174)

    Thank you Ryan for nonces and sanitizing.
    It sounds like we have different viewpoints.
    Because if what I say is not a good idea, then WordPress must improve what is provided in core. For example, at least WordPress developers must add something like admin-ajax or admin-post into the main wp folder or wp-content, so that when the user moves wp-content to a different folder or sets a password on wp-admin, and other things like this, it does not break my plugin!
    I think this topic must be closed.
    Thank you Ryan and Samuel for the help.

    You can move wp-content to a different folder and then set the following constants to let WordPress know where you put it:

    /** Absolute path to wp-content directory */
    define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content');
    
    /** URL to wp-content directory */
    define('WP_CONTENT_URL', 'https://' . $_SERVER['SERVER_NAME'] . '/wp-content');

    You can also protect wp-admin with a password, but you would need to whitelist the site, so that all requests from the server to the site are allowed.

    If you have ideas for improving WordPress, please post them in the Requests and Feedback forum.

    Thread Starter f.n174

    (@fn174)

    Ryan, I know that it is possible to edit .htaccess to allow the server to access it. But what about a user that is using this plugin? Some of them don't even know how to edit an .htaccess file. And what about inserting a direct link to wp-admin in my plugin's JS?
    If we can do the job in an easier way, then why must I say, "Hey, my user, go and edit .htaccess for my plugin to work"?

    Most links should be generated using a WordPress constant, because links can change. That said, wp-admin will always be accessible from where WordPress is installed (WP_SITEURL) and so will admin-ajax.php. The only folders that are dynamic are wp-content, plugins, themes and uploads, and each of them has constants.

    A plugin shouldn’t protect any folders that will impact other plugins. If you create your own password protection with the plugin that is isolated to just your plugin, it’s fine.

    But in any event, you’re right, a plugin user should not have to manually add any server rules, so a plugin shouldn’t be built with that requirement.

    At this point, I’m a little confused as to what the concern is. What are you trying to do that you feel you’re unable to do?
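    The advice above to generate the link rather than hard-code it, applied to the front-end AJAX case the thread starter raised, as an added example that is not code from the thread or from WordPress core. `admin_url('admin-ajax.php')` resolves against the site URL, so the JavaScript never contains a literal `/wp-admin/` path and keeps working when wp-content is relocated. The script handle, the `exConfig` object name and the `ex_ping` action are assumptions; the WordPress functions are core APIs.

```php
<?php
/**
 * Constructed example: hand the admin-ajax.php URL and a nonce to front-end
 * JavaScript instead of hard-coding /wp-admin/. Handle, object name and
 * action are hypothetical; the WordPress functions are core APIs.
 */
function ex_enqueue_frontend() {
    // A src-less handle is the documented way to attach inline JS with
    // wp_add_inline_script() when the plugin ships no separate .js file.
    wp_register_script( 'ex-frontend', false, array(), '1.0', true );
    wp_enqueue_script( 'ex-frontend' );

    // admin_url() is built from the site URL, not from the plugin's location,
    // so moving wp-content (WP_CONTENT_DIR / WP_CONTENT_URL) does not affect it.
    wp_localize_script( 'ex-frontend', 'exConfig', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ex_ping' ),
    ) );

    // Browser side: POST the action, the nonce and the payload; credentials are
    // sent so a logged-in user's cookie reaches admin-ajax.php on the same origin.
    wp_add_inline_script( 'ex-frontend', <<<'JS'
document.addEventListener('DOMContentLoaded', function () {
    var body = new URLSearchParams({ action: 'ex_ping', nonce: exConfig.nonce, msg: 'hello' });
    fetch(exConfig.ajaxUrl, { method: 'POST', credentials: 'same-origin', body: body })
        .then(function (r) { return r.json(); })
        .then(function (data) {
            // wp_send_json_success() yields {success: true, data: {...}};
            // a failed nonce check yields the plain body "-1" and r.json() rejects.
            console.log(data.success ? data.data.echo : 'rejected');
        })
        .catch(function () { console.log('request rejected'); });
});
JS
    );
}
add_action( 'wp_enqueue_scripts', 'ex_enqueue_frontend' );

// Server side of the same exchange: verify the nonce, sanitize, reply as JSON.
function ex_handle_ping() {
    check_ajax_referer( 'ex_ping', 'nonce' );
    $msg = isset( $_POST['msg'] ) ? sanitize_text_field( wp_unslash( $_POST['msg'] ) ) : '';
    wp_send_json_success( array( 'echo' => $msg ) );
}
add_action( 'wp_ajax_ex_ping', 'ex_handle_ping' );        // logged-in visitors
add_action( 'wp_ajax_nopriv_ex_ping', 'ex_handle_ping' ); // anonymous visitors
```

If a site owner does put HTTP authentication on wp-admin, this code breaks the same way every other plugin's front-end AJAX does, which is why such a setup normally carries an exception for admin-ajax.php; that is the site's configuration choice, not something the plugin should try to work around by reading $_POST before WordPress loads.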

    Thread Starter f.n174

    (@fn174)

    My problem is resolved, but after too much searching and testing.
    And as I said in post 5, I think this topic must be closed (because, as you mentioned, by using nonces and sanitizing everything is fine).

    But the only concern is that for everyone who, like me, decides to create a plugin that uses AJAX in the frontend, the first place that he reads is the www.remarpro.com docs.

    Then I think the docs must mention that $_POST does not only work in WordPress endpoints and that you can use it directly in plugin files, so if a plugin is not working on the admin side, another possible way besides using admin-ajax is to use $_POST directly.

    Thanks.

  • The topic ‘Which one is better using $_POST directly in plugin file or using admin-ajax.php’ is closed to new replies.