We are having some issues with an external developer. We want to limit access to the wp-admin site to internal access only (via VPN), simply so it will not be attacked by external users. We can enumerate the admins from the site and do not want them to be phished.

Our developer is saying we can't do that because the site needs to have the admin page accessible externally so the page will function, specifically the admin-ajax page.

What does the admin-ajax.php page do? It is located in the admin section of WordPress. Is it accessed unauthenticated by end users? Is it an unsafe practice to have this available to external users?
admin-ajax.php is part of the WordPress AJAX API, and yes, it does handle requests from both backend and front. Try not to worry about the fact that it is in wp-admin. I think that is a strange place for it too, but it is not a security problem in itself. How this relates to "enumerate the admins", I don't know.

For unauthenticated and untrusted users, you'll want to make two specific exceptions to your VPN / Firewall / Apache .htaccess, which are:

example.com/wp-admin/admin-post.php
example.com/wp-admin/admin-ajax.php

These are two auto-magic endpoints used a lot by both internal WP and also various plugins.

Here's some explanation of what admin-post.php does:

admin-ajax.php works in a very similar way, and a helpful explanation is here.

If you want to limit access to the WP backend (ex: wp-admin), just use a .htaccess rule on the wp-admin directory.

Check out this article for a general overview: Password Protect a Directory Using .htaccess
Also check out this topic for your specific case: Password protecting /wp-admin/
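The two exceptions described in the answer above, written out as Apache 2.4 configuration. This is an added example, not code from the original answer or from WordPress itself. The VPN subnet 10.8.0.0/24 and the paths are assumptions; substitute your own. It restricts everything under /wp-admin/ to VPN source addresses while leaving admin-ajax.php and admin-post.php reachable by anyone, because plugins register handlers on wp_ajax_nopriv_* and admin_post_nopriv_* that anonymous visitors call from the front end.

```apache
# --- /wp-admin/.htaccess ---  (added example; Apache 2.4 syntax, not 2.2)

# Default for every file under /wp-admin/: only the VPN range may connect.
# 10.8.0.0/24 is an assumed VPN client subnet; replace it with yours.
Require ip 10.8.0.0/24

# Exceptions: the two front-end endpoints must stay public or AJAX and
# form handlers used by themes/plugins break for ordinary visitors.
# With the default AuthMerging Off, the Require inside a <Files> section
# replaces the directory-level Require for that file, so these win.
<Files "admin-ajax.php">
    Require all granted
</Files>
<Files "admin-post.php">
    Require all granted
</Files>

# --- /.htaccess (site document root) ---  (added example)

# Caveat: the login form is /wp-login.php at the site root, not under
# /wp-admin/, so restricting the directory alone leaves the login page
# exposed. Apply the same source restriction to that one file here.
<Files "wp-login.php">
    Require ip 10.8.0.0/24
</Files>
```

To verify from outside the VPN: a request to /wp-admin/ or /wp-login.php should be refused with 403, while /wp-admin/admin-ajax.php should still answer. Keep in mind that whatever a plugin exposes through a nopriv handler on admin-ajax.php is reachable by anyone even with this in place, so this does not remove the need to keep plugins patched.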
My personal opinion is that this is a god-awful idea. About two months ago our director of development insisted we do just this, much against the advice of the dev team. It's a genuine nightmare and an incredible pain for us: not only does it kill Ajax altogether, it presents so many administration issues for us.
We have 40 regular staff and 4 devs trying to use the VPN at times, and it just stutters. Along with that, all users now require two sets of passwords, one for WP and one for the VPN, and that's not just a shared password, it's individual ones; I mean, how else would you do a security audit? It's hard enough to remember one secure password, let alone two.
Add to the issue that a lot of people do not know how to use a VPN, and often that just causes more issues.
Ultimately it's a terrible idea, and it's often put forward by management or higher who do not know or understand WordPress. They see it in a terrible light: that because it's open source it must also be a security issue, filled with easily tapped exploits and so on... it's getting old.
WordPress is secure, and sticking wp-admin behind a VPN is not only fear-mongering, it presents a nightmare for every member of the team.
Why is it that management types have no trust when it comes to WordPress? They seem to forget major sites use WordPress and don't use VPNs; look at Mashable, for example.
So to recap:
Ajax won't work behind a VPN.
VPN is a terrible idea for the reasons mentioned above.
WordPress is secure and will remain so if you keep it and plugins up to date.
Listen to your dev; you pay them for their expertise. I can promise you that nothing undermines a working relationship like not putting your trust in an individual and having to check up on their knowledge.
If you do go with a VPN, be sure to buy enough user licenses.