Search code examples
securitynginxnginx-configwordpress-admin

NGINX restrict admin area on wordpress but allow wp-admin/admin-ajax.php?

I have a few websites which use the following code to restrict the admin area. So far have not found a better solution than this.

##> COMMENT - WordPress Admin Area Passwords 
location ^~ /wp-admin/ { 
auth_basic "Restricted Access"; 
auth_basic_user_file /home/bea/panel/security/.htpasswd; 

location ~ \.php$ { 
include snippets/fastcgi-php.conf; 
fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock; 
} 
}

We are using a plug-in that allows users to see and under construction page but provides a login to allow website owner to view their website while it is being built. Have a look at the image below.

As you can see below the user is prompted to fill in a password to access the website but also they are prompted to fill in the username and password to access the admin area. this pop-up only comes up when the user has put in a password to access the website and clicks on "Access the site".

Example

After contacting the plug-in creator, they suggested to exclude wp-admin/admin-ajax.php?

Or is there a better practice to follow. I have noticed from time to time that some plug-ins require access to the admin area to function correctly.

I may have found a solution:

##> COMMENT - WordPress Admin Area Password, usally for LIVE sites

location /wp-admin {
        location ~ /wp-admin/admin-ajax.php$
        {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
        }

        location ^~ /wp-admin/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /home/user/panel/security/._htpasswd;
        }
        location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
        }
}

I just want somebody to validate the code above and check that it is secure? I'm still willing to offer a bounty to validate its level of security.

enter image description here

Solution

  • After playing around for many hours I have found a working solution but I am not quite sure if it is secure?

    location /wp-admin {
        location ~ /wp-admin/admin-ajax.php$
        {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
        }

        location ^~ /wp-admin/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /home/user/panel/security/._htpasswd;
        }
        location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
        }
}

    But it is a working solution