Security through obscurity isn’t a good pattern to follow. You have to have a URL to make XHR or JSONP calls. Anyone who knows anything about searching the DOM using developer tools, Firebug, etc… can easily find your remote script URL. To me, this is the wrong question to ask.
The more relevant question to security is, how do I harden my AJAX handler script from unwanted intrusions?
The simple answer to this question is to use WordPress nonces for verifying the authenticity of the request.
- Create a nonce field in your form using
wp_create_nonce()
- In your AJAX handler script, use
check_ajax_referer()
There are other functions you can use if you want to make sure the request came from wp-admin or simply verify a nonce outright without an API function.
Check out this page in the Codex for more information about WP Nonces.
You can also use conditionals like current_user_can()
to add additional layers of security for privileged AJAX requests. If you find that someone is abusing that script, start logging IPs. If requests fail to meet criteria after so many tries, block the offending IP addresses.
The bottom line is make sure your code is secure. Hiding or obscuring scripts is not a good alternative to proper security. Snoopers will find what they want if they are motivated enough.