How to block admin-ajax.php after renaming it

This topic is: not resolved
  • #17806
    maevapn
    Post count: 3

    I renamed admin-ajax.php using HMWP, but the original location remains accessible.

    When someone can open domain.com/wp-admin/admin-ajax.php and receive a 0, it is known to be WordPress. It should be 404.

    Can it be done?

    #17810
    Suman M.
    Post count: 12480

    Hi, HMWP uses rewrite rules to mask/rename default WP paths. It doesn’t modify/rename any path physically. So the default WP paths will still be valid if you try to access them directly.

    #17816
    maevapn
    Post count: 3

    So Hide my WP does not really hide WP if all that needs to be done is open domain.com/wp-admin/admin-ajax.php to see if it is WP.

    Bots can do this, too. Can it not be improved?

    #17827
    Suman M.
    Post count: 12480

    If the default WP paths are to be made unavailable, then the only option will be to physically rename the WP folder/file names. If it’s only about hiding domain.com/wp-admin/admin-ajax.php, then you can do it by adding a rewrite rule in the site’s .htaccess file (like we do for readme.html, license.txt, etc.)

    #18405
    maevapn
    Post count: 3

    Regarding your solution for hiding domain.com/wp-admin/admin-ajax.php by adding a rewrite rule to .htaccess… wouldn’t this block access to admin-ajax.php from the backend as well, thereby breaking many plugin admin functions?

    Should it look like this?

    RewriteRule ^custom /wp-admin/admin-ajax.php [QSA,L]
    RewriteRule ^/wp-admin/admin-ajax\.php /nothing_404_404 [QSA,L]
    
    #18407
    Suman M.
    Post count: 12480

    Yes, it will disable admin-ajax.php altogether, i.e. from frontend and backend as well. With HMWP there’s no option to disable admin-ajax.php only for the frontend.
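
An added example, not HMWP's own rules and not posted by anyone in this thread: one way to return 404 for direct requests to the original path while the renamed path keeps working. It assumes Apache 2.4 with mod_rewrite, WordPress installed in the document root, `custom` (taken from the rule posted above) as the alias, and that these lines sit in the root .htaccess above the standard WordPress block.

```apache
# Added example. "custom" is the alias from the thread; adjust to the name
# configured in the plugin. Place above the "# BEGIN WordPress" block.
RewriteEngine On

# 1. Refuse the original path on the client's initial request only.
#    REDIRECT_STATUS is empty on the first pass and set (e.g. "200") once an
#    internal rewrite has happened, so the alias in rule 2 is not caught here.
#    The RewriteRule pattern is matched against the decoded URL path, so
#    percent-encoded spellings of the file name are covered as well.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
# Optional exemption so wp-admin screens that still call the original URL keep
# working: skip the block when a WordPress login cookie is present.
# This checks only that a cookie with that name prefix exists; it is not
# authentication, so it reduces fingerprinting by anonymous probes and nothing
# more. Remove this line to block the original path for everyone.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^wp-admin/admin-ajax\.php(/|$) - [R=404,L,NC]

# 2. Serve the alias by internally rewriting to the real file.
#    No leading slash in the pattern: in .htaccess context the per-directory
#    prefix is stripped before matching, so "^/wp-admin/..." never matches.
RewriteRule ^custom$ wp-admin/admin-ajax.php [QSA,L]
```

Apache answers rule 1 with its own 404 document, so set `ErrorDocument 404` to match what the site returns for other missing URLs. After deploying, request both paths without cookies and confirm the original returns 404 and the alias returns the usual `0`.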
