AJAX requests within templates

Security through obscurity isn’t a good pattern to follow. You have to have a URL to make XHR or JSONP calls. Anyone who knows anything about searching the DOM using developer tools, Firebug, etc… can easily find your remote script URL. To me, this is the wrong question to ask.

The more relevant question to security is, how do I harden my AJAX handler script from unwanted intrusions?

The simple answer to this question is to use WordPress nonces for verifying the authenticity of the request.

There are other functions you can use if you want to make sure the request came from wp-admin or simply verify a nonce outright without an API function.

Check out this page in the Codex for more information about WP Nonces.

You can also use conditionals like current_user_can() to add additional layers of security for privileged AJAX requests. If you find that someone is abusing that script, start logging IPs. If requests fail to meet criteria after so many tries, block the offending IP addresses.

The bottom line is make sure your code is secure. Hiding or obscuring scripts is not a good alternative to proper security. Snoopers will find what they want if they are motivated enough.

Related Posts:

  1. Load entire NextGEN gallery from single thumbnail?
  2. Sharing templates with the JSON API?
  3. Prevent private post 404
  4. Get templated page/post content via the WordPress API
  5. Login WordPress website using wp-rest api
  6. Single page applications with WordPress: routes and templates
  7. Retrieving post ID from current page
  8. printf, translation and the_author_posts_link()
  9. How to use Class in Java?
  10. Is there any way to use get_template_part() with folders?
  11. How to edit contents of dynamic_sidebar()?
  12. Loading partial templates with AJAX/PJAX
  13. REST API endpoint for elasticpress autosuggest
  14. A special single page templates for posts under a category and all its child category
  15. Where to store some per-template preferences?
  16. wp_get_attachment_image returns different image size
  17. How do I override template-tags.php in twentyseventeen theme
  18. Conditional check for front-end which includes ajax
  19. Add a preview to a WordPress Control Panel
  20. roots child theme can’t override header.php
  21. When calling wp_title(), do you have to create some kind of “title.php” file?
  22. Stream Video Player does not work with do_shortcode()?
  23. Display sub-taxonomies based on SELECTED parent-taxonomy
  24. How does wordpress blocks?
  25. Which has more impact on site performance? Template overrides or hooks
  26. Subpage template
  27. Advanced Custom Fields – display when specific template used?
  28. What should I put on my index.php?
  29. How To Create WooCommerce Custom Template For Specific Product?
  30. How to Use Twig + Timber with Multiple Loops based on Meta Key Value
  31. Programatically create a page
  32. Missing .twig files in wordpress theme editor
  33. How to custom page template for the Gutenberg editor
  34. Use PHP templates as blocks
  35. Directly using pure JWPlayer JS (but NOT WP Plugin)
  36. Login page theming?
  37. I want to add a custom “all posts by author” by authors name. How?
  38. Advanced templating / WordPress as a CMS questions
  39. Redirect template based on permalink rather than $wp_query
  40. Test WordPress api with postman
  41. displaying category and subject posts
  42. How to duplicate a page template but make minor changes to the header?
  43. Custom templates vs page-slug
  44. get_template_directory() still returning path to previous theme
  45. URL / Templating system advice [closed]
  46. What’s the purpose of $wp_did_header?
  47. Trying to display short code content in template file with do_shortcode()
  48. Unable to add template to page set as Posts page in WP V 4.6.1
  49. How to use index.php as a template for archives?
  50. How to customize WooCommerce templates to avoid override upon update [closed]
  51. WP Rest Api / Ajax POST not working when not logged in
  52. Creating new content types (Pages, posts, testimonials, tigers, oh my!)
  53. Dynamically Insert Image Into Stylesheet
  54. How to access .html file that’s located in the theme folder from the browser?
  55. Way to use one template but be able to call different top graphics?
  56. Differnt page template for page 2 of blog feed
  57. Is it possible to create new user from external form using REST API?
  58. How to implement my custom development multiple PHP page work into WordPress?
  59. Create template for just a print
  60. dynamic_sidebar() stopped working
  61. Index template always follows page_template() template?
  62. WP overwrites my setup_postdata() setup
  63. wp_list_authors() returning the wrong member url
  64. Sending email for the custom form in WordPress
  65. Hard Coding Components on a Client Specific Websites
  66. How to use another file instead of home.php
  67. Assigning custom page templates to a static blog page
  68. Can i exclude certain page templates for a specific role?
  69. Template_redirect for child custom post types
  70. Ajax Call in page theme not working?
  71. How to render the single post template with the post name?
  72. Using a specific template for front page only
  73. How to do admin ajax request in a plugin for rest api
  74. Child theme enqueueing style.min.css not style.css
  75. Exclude certain template from wp_list_pages
  76. How to require files in a custom endpoint
  77. Why wordpress custom template comments shows Undefined index?
  78. How to add variables to a template
  79. Update body class based on theme as well as a html attribute
  80. How can i get the same ajax result using WP REST API instead of admin-ajax?
  81. Is it possible to set a custom post type template with code?
  82. Fix for Chart.js removing Admin Bar
  83. Why is this array not working?
  84. Single Post Templates Doubt
  85. strange behaviour of template_redirect in IE8
  86. How do i load a different template for different users screen width
  87. MailPress plugin: table inline style tag removed when sending the newsletter
  88. Custom Archive with Content for Custom Post Type
  89. Load featured article once in a loop
  90. files disappearing from template
  91. why does blog page ignore template [closed]
  92. html blog template to wordpress template
  93. wordpress Ajax success doesn’t return the value
  94. How to limit block activity (insertion/deletion) to inside of a Block Template on the Admin Screen?
  95. how reduce fetch/XHR response time
  96. How to change post template
  97. Custom WP rest api endpoint only working on non https?
  98. WordPress template restored by mistake
  99. wordpress rest api authentication failed
  100. Unload templates; disable parent Template Parts using only “theme.json”