We will explain how to investigate unauthorized access to admin-ajax.php in WordPress
What is admin-ajax.php? Why is it attacked?
The admin-ajax.php file in WordPress is the file that handles the communication behind the display of the site.
It is often used by plugins and themes, and when a query named action is given, the processing implemented in the plugin, theme, etc. is executed in response to that action.
However, this processing may be flawed or vulnerable. To exploit this vulnerability, hackers may add various malicious strings (e.g., malware code) to this file and gain access to it in large numbers.
Attacks through admin-ajax.php
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
has the ability to detect and visualize such attacks.
Let’s look at the second record.
The incoming data is action=p3dlite_handle_upload. A search here reveals that the attack exploited a vulnerability in the 3DPrint Lite plugin that allows file uploads.
However, this attack will not succeed if the 3DPrint Lite plugin is installed on the site and is not the vulnerable version.
The hacker’s IP is also recorded, so a search on abuseipdb, a site that looks up hacker IPs , shows that they are reported as numerous hacking IPs.
Responding to attacks through admin-ajax.php
It is quite common for WordPress admin-ajax.php to come under attack.
Hackers use a list of WordPress sites to hack WordPress sites , trying one vulnerability after another and continuing the hack if the attack is successful.
Therefore, an attack on admin-ajax.php is 99% unlikely to succeed, so there is no need to panic if you see a record of an unauthorized access to admin-ajax.php.
Also, if you delete or disable the admin-ajax.php file, it is highly likely that the main functions of WordPress will malfunction and become unusable, so we recommend that you do not disable this file.
In the event of an attack on admin-ajax.php, we recommend that the following actions be taken.
Update vulnerable plug-ins that are vulnerable to attacks via admin-ajax.php to a non-vulnerable version, or stop and remove them if they are not in use.
You can also check for vulnerabilities with the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
If possible, we will check the attacker’s IP, and if the IP is one of the most frequently hacked IPs, we will take measures to ban access to it. The above plug-ins also have a function to ban IPs, but it is also possible to block IPs by putting the settings in the htaccess file.
Order Allow,Deny Deny from 185.185.185.185 Allow from all
The “185.185.185.185.185” part should be the IP you wish to block.
The htaccess file is automatically generated in the top directory where WordPress is installed.