WordPress Security: how to block admin-ajax.php


To block the specific URL “wp-admin/admin-ajax.php?action=rest-nonce” in WordPress, you can use a combination of techniques, including modifying your .htaccess file or using a security plugin. Here’s a step-by-step guide on how to achieve this:

Method 1: Modifying .htaccess file

  1. Access your WordPress site’s root directory using an FTP client or file manager provided by your web hosting provider.
  2. Look for the .htaccess file in the root directory. If you can’t find it, make sure you have enabled the option to show hidden files.
  3. Open the .htaccess file using a text editor.
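  4. Add the following lines of code at the beginning or end of the file:
<Files "admin-ajax.php">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead
    Order Allow,Deny
    Deny from all
</Files>
     Note that this rule denies every request to admin-ajax.php, whatever the action parameter, so themes and plugins that rely on AJAX requests to this file will stop working.
  5. Save the changes to the .htaccess file and upload it back to your site’s root directory.
  6. Test your website by accessing the URL “wp-admin/admin-ajax.php?action=rest-nonce” to ensure it is blocked. You should see a “403 Forbidden” error.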
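
To deny only requests that carry action=rest-nonce in the query string, a mod_rewrite rule can be used in the same .htaccess file instead. This is an added example, not part of the original guide; it assumes mod_rewrite is enabled and that your host allows rewrite directives in .htaccess.

```apache
# Added example: deny only admin-ajax.php requests whose query string
# carries action=rest-nonce; all other AJAX actions keep working.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Match the endpoint itself (case-insensitive), whether WordPress
    # lives in the site root or in a subdirectory.
    RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$ [NC]

    # Match action=rest-nonce as a whole parameter at any position in the
    # query string, so "action=rest-nonce-foo" or "xaction=rest-nonce"
    # are not caught by accident.
    RewriteCond %{QUERY_STRING} (^|&)action=rest-nonce(&|$) [NC]

    # Answer with 403 Forbidden (the F flag also stops rule processing).
    RewriteRule ^ - [F]
</IfModule>
```

The rule inspects only the query string, so it does not cover an action parameter sent in a POST body; that case needs a rule inside WordPress itself, such as the plugin approach in Method 2.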

Method 2: Using a WordPress security plugin

  1. Log in to your WordPress admin dashboard.
  2. Navigate to the “Plugins” section and click on “Add New”.
  3. Search for a security plugin such as “Wordfence” or “Sucuri” and install it.
  4. Once installed, activate the plugin.
  5. Depending on the plugin you choose, you may find a dedicated settings page or options related to blocking specific URLs or blocking access to the WordPress admin area.
  6. Look for an option to block URLs or add custom rules, and enter “wp-admin/admin-ajax.php?action=rest-nonce” as the URL to block.
  7. Save the settings, and the plugin will take care of blocking the specified URL.

Remember to exercise caution when making changes to your site’s configuration files. Make sure you have a backup of your site before proceeding and consider consulting with a developer or expert if you’re unsure about the process.


