Here I found advice on how to make WordPress more secure. The idea is to protect access to "/wp-admin" with HTTP basic auth, but "/wp-admin/admin-ajax.php" must stay available to everyone, and the same is true for some .css files.
I spent some time researching a solution; it was a bit complicated:
location /wp-admin {
    # Nested regex locations are tried in order, so the public ajax endpoint
    # must be listed before the catch-all rule below.
    location ~ /wp-admin/admin-ajax.php$ {
        # PHP handler (no auth)
    }
    # Every other PHP script under /wp-admin asks for a password.
    location ~* /wp-admin/.*\.php$ {
        auth_basic "You shall not pass!";
        # Make sure nginx never serves this file (e.g. deny /\.ht or keep it
        # outside the web root).
        auth_basic_user_file $document_root/.htpasswd;
        # PHP handler
    }
}
# Note: if the config also has a top-level "location ~ \.php$", write the
# outer block as "location ^~ /wp-admin", otherwise that top-level regex wins
# and the nested auth is never reached.
It is possible to add an additional location to serve static content, but I am too lazy to do it.
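For completeness, here is a full server block that combines the protection above with the static-content location and keeps the password file out of the web root. This is an added example, not the configuration from the original post; the hostname, document root, htpasswd path and PHP-FPM socket are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;      # assumed
    root /var/www/wordpress;      # assumed document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # ^~ is essential: without it nginx tests the top-level "~ \.php$"
    # location first and every /wp-admin/*.php request bypasses the auth.
    location ^~ /wp-admin {
        # Nested regex locations are tried in order; the public ajax endpoint
        # must come before the catch-all PHP rule.
        location ~ ^/wp-admin/admin-ajax\.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
        }
        # Every other PHP script under /wp-admin requires HTTP basic auth.
        location ~* ^/wp-admin/.*\.php$ {
            auth_basic "You shall not pass!";
            # Password file lives outside the web root so it can never be served.
            auth_basic_user_file /etc/nginx/wp-admin.htpasswd;   # assumed path
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
        # Static assets stay public so the admin UI and plugins render.
        location ~* ^/wp-admin/.*\.(css|js|png|gif|jpg|svg|woff2?)$ {
            expires 7d;
        }
        # Anything else (e.g. /wp-admin/) ends up at index.php, which is protected.
        try_files $uri $uri/ /wp-admin/index.php?$args;
    }

    # PHP handler for the rest of the site.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading, a request for /wp-admin/admin-ajax.php and for /wp-admin/css/*.css should return 200 without credentials, while /wp-admin/ and /wp-admin/*.php should return 401 until a valid user is supplied.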
PS
Also, here I found recipes for Apache and lighttpd, if anybody is interested.
Apache:
AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user
# This is the whitelisting of the ajax handler
# (Apache 2.2 syntax: on 2.4 without mod_access_compat use "Require all granted")
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
Lighttpd:
# Assumes mod_auth is loaded and auth.backend / auth.backend.htpasswd.userfile
# are set globally.
$HTTP["url"] =~ "^\/wp-admin\/.*" {
    # admin-ajax.php and the css directory stay public
    $HTTP["url"] !~ "^\/wp-admin\/(admin-ajax\.php|css\/.*)" {
        auth.require = (
            "" => (
                "method"  => "basic",
                "realm"   => "Password protected area",
                "require" => "user=theuser",
            ),
        )
    }
}