Title: 403 POST errors with /wp-admin/admin-ajax.php breaks some plugins.
Last modified: August 22, 2016

---

# 403 POST errors with /wp-admin/admin-ajax.php breaks some plugins.

 *  [gregscott](https://wordpress.org/support/users/gregscott/)
 * (@gregscott)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/)
 * We have a self-hosted website that uses a calendaring plugin. I have complete
   access to the virtual machine hosting the website, Fedora 19 with WordPress 3.5.2.
 * We use a calendaring plugin to display upcoming events. The plugin works as expected
   for users accessing it from the same subnet as the website. But it stays stuck
   with a graphic that says, “Loading” from anywhere else in the world.
 * After countless frustrating hours of troubleshooting over several months, I noticed
   errors like this in /etc/httpd/logs/error_log:
 * > [Thu Sep 18 20:43:04.282395 2014] [authz_core:error] [pid 15303] [client 1.2.3.4:62753]
   > AH01630: client denied by server configuration: /usr/share/wordpress/wp-admin/admin-ajax.php,
   > referer: http://www.example.org/calendar/
 * And I see entries like this in /etc/httpd/logs/access_log:
 * > 1.2.3.4 - - [18/Sep/2014:20:43:04 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1"
   > 403 225 "http://www.example.org/calendar/" "Mozilla/5.0 (Windows NT 6.1; WOW64)
   > AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
 * I dummied up the requesting IP Address and website name above.
 * OK, wonderful – we have some kind of permission issue with this file named admin-ajax.php.
   And sure enough, I can work around the problem with a .conf file in /etc/httpd/conf.d
   with a directive like this to liberalize the permissions on my wp-admin directory:
 *     ```
       <Directory /usr/share/wordpress/wp-admin>
       ##  AllowOverride Options
         AllowOverride All
         <IfModule mod_authz_core.c>
           # Apache 2.4
           ##Require local
           ##Require ip 192.168.10
           Require all granted
         </IfModule>
         <IfModule !mod_authz_core.c>
           # Apache 2.2
           Order Deny,Allow
           Deny from All
           Allow from 127.0.0.1
           Allow from ::1
           ##Allow from 192.168.10
           Allow from all
         </IfModule>
       </Directory>
       ```
   
 * Note the commented out references to the internal subnet. This feels like leaving
   the front door of my house open and hanging a neon “Rob me” sign above it.
 * And that leads to my questions:
 * 1 – How do I liberalize the permissions around the individual file named admin-ajax.php
   without exposing the whole wp-admin directory?
 * 2 – Why does this ajax-admin.php error only break some plugins and not others,
   even though every access to every piece of the website seems to trigger the error?
 * 3 – Why in the world do I need to allow the whole world to do HTML POST commands
   to this one file? I am not a WordPress internals expert and I don’t know anything
   about Ajax and PHP – does POST in this case really mean it’s just sending admin-ajax.php
   some kind of command, and admin-ajax.php is tough enough to withstand
   lots of abuse?
 * There are hundreds of references to admin-ajax.php across Google, but nothing
   I can find so far that answers my questions. So maybe this can be helpful to 
   others.
 * thanks
 * – Greg Scott

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Thread Starter [gregscott](https://wordpress.org/support/users/gregscott/)
 * (@gregscott)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5309872)
 * This seems to do the trick.
 *     ```
       <Directory /usr/share/wordpress/wp-admin>
       ##  AllowOverride Options
         AllowOverride All
         <IfModule mod_authz_core.c>
           # Apache 2.4
           ##Require local
           Require ip 192.168.10
           ##Require all granted
         </IfModule>
         <IfModule !mod_authz_core.c>
           # Apache 2.2
           Order Deny,Allow
           Deny from All
           Allow from 127.0.0.1
           Allow from ::1
           Allow from 192.168.10
         </IfModule>
         <Files "admin-ajax.php">
           <IfModule mod_authz_core.c>
             # Apache 2.4
             Require all granted
           </IfModule>
           <IfModule !mod_authz_core.c>
             # Apache 2.2
             Order Deny,Allow
             Allow from All
           </IfModule>
         </Files>
       </Directory>
       ```
   
 * Am I opening myself up to attack by doing this?
 * thanks
 * – Greg Scott
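
An added example, not part of the thread: a small Python audit of an Apache combined-format access log that checks both sides of the configuration above, whether outside clients are still being denied on `admin-ajax.php` and whether any other `/wp-admin/` path answered a client outside the trusted subnet. The `192.168.10.0/24` range comes from the `Require ip 192.168.10` line; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Trusted ranges: the thread's "Require ip 192.168.10" plus loopback.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "127.0.0.0/8", "::1/128")]

# Apache combined log: host ident user [time] "METHOD url proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
1.2.3.4 - - [18/Sep/2014:20:43:04 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 225 "http://www.example.org/calendar/" "Mozilla/5.0"
192.168.10.25 - - [18/Sep/2014:20:44:10 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "http://www.example.org/calendar/" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2014:20:45:31 -0500] "GET /wp-admin/options-general.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2014:20:45:40 -0500] "GET /wp-admin/users.php?page=1 HTTP/1.1" 403 225 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2014:20:46:02 -0500] "GET /calendar/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def is_trusted(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname was logged instead of an IP: treat as external
        return False
    return any(addr in net for net in TRUSTED if net.version == addr.version)

def audit(log_text):
    """Count wp-admin requests from outside the trusted ranges, by outcome."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        host, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if not path.startswith("/wp-admin/") or is_trusted(host):
            continue
        ajax = path == "/wp-admin/admin-ajax.php"
        if ajax and status == "403":
            counts["ajax_denied"] += 1      # front-end AJAX still broken for outside visitors
        elif not ajax and status[0] in "23":
            counts["admin_exposed"] += 1    # Apache let an outside client reach wp-admin (2xx/3xx)
        elif not ajax and status == "403":
            counts["admin_blocked"] += 1    # directory restriction working as intended
    return counts

if __name__ == "__main__":
    print(dict(audit(SAMPLE_LOG)))
```

With the `<Files "admin-ajax.php">` exception in place, a healthy log shows `ajax_denied` and `admin_exposed` both at zero while `admin_blocked` keeps counting outside probes.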
 *  Thread Starter [gregscott](https://wordpress.org/support/users/gregscott/)
 * (@gregscott)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310126)
 * Wow – a month later and the community response is underwhelming. Why do I need
   to make this file named admin-ajax.php wide open to the world? Convince me this
   does not create a major security hole. Or tell me it’s a bug that’s been patched.
   Tell me something!
 * thanks
 * – Greg Scott
 *  [wpwalker](https://wordpress.org/support/users/wpwalker/)
 * (@wpwalker)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310127)
 * hi greg — i don’t have any answers for you, but i’m posting just to say thank
   you for the apache code, and so you’re not all alone here 🙂
 * I have the same concerns about admin-ajax.php. I really don’t understand why 
   wordpress would put a public-facing script in wp-admin folder. Also have not 
   been able to find any substantive discussion on this.
 * i’ve subscribed to this thread, and going to tweet it. Hopefully something more
   will come out of your posts!
 * — wpwalker
    re: admin-ajax.php forces wp-admin folder exposed to world.
 *  Thread Starter [gregscott](https://wordpress.org/support/users/gregscott/)
 * (@gregscott)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310128)
 * Thanks. I was feeling lonely. Hopefully we’ll get some attention now.
 * – Greg
 *  [wpwalker](https://wordpress.org/support/users/wpwalker/)
 * (@wpwalker)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310129)
 * 😀 hope!!
 * – wpw
 *  [charlievaughan](https://wordpress.org/support/users/charlievaughan/)
 * (@charlievaughan)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310140)
 * I’ve just been having a similar problem where I was getting 403 errors from
   /wp-admin/admin-ajax.php with the wpGeoDirectory plugin when trying to upload 
   CSV files.
 * I thought it could be to do with Bulletproof Security and found this page: [https://wordpress.org/support/topic/plugin-bulletproof-security-google-analytics-plugin-by-joost-conflicts](https://wordpress.org/support/topic/plugin-bulletproof-security-google-analytics-plugin-by-joost-conflicts)
 * Which states:
 * >  you just need to allow this action in the wp-admin .htaccess file. You can
   > add this skip/bypass rule to BPS wp-admin Custom Code CUSTOM CODE WPADMIN PLUGIN
   > FIXES: and save it so that it is saved permanently to your DB. Then activate
   > BulletProof Mode for your wp-admin folder again.
   >     ```
   >     # GAW admin-ajax.php skip/bypass rule
   >     RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
   >     RewriteRule . - [S=2]
   >     ```
   > 
 * This works for me, but I have no idea about security issues.
 * It also works now with Bulletproof Security re-enabled on my multisite installation
   (WordPress 4.0.1).


The topic ‘403 POST errors with /wp-admin/admin-ajax.php breaks some plugins.’ is
closed to new replies.

## Tags

 * [admin-ajax.php](https://wordpress.org/support/topic-tag/admin-ajax-php/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 3 participants
 * Last reply from: [charlievaughan](https://wordpress.org/support/users/charlievaughan/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/403-post-errors-with-wp-adminadmin-ajaxphp-breaks-some-plugins/#post-5310140)
 * Status: not resolved

