How does the security of admin_ajax.php work?

If you look at the source of admin-ajax.php, the answer becomes clearer:

$action = $_REQUEST['action'];

if ( is_user_logged_in() ) {
    // If no action is registered, return a Bad Request response.
    if ( ! has_action( "wp_ajax_{$action}" ) ) {
        wp_die( '0', 400 );
    }

    /**
     * Fires authenticated Ajax actions for logged-in users.
     *
     * The dynamic portion of the hook name, `$action`, refers
     * to the name of the Ajax action callback being fired.
     *
     * @since 2.1.0
     */
    do_action( "wp_ajax_{$action}" );
} else {
    // If no action is registered, return a Bad Request response.
    if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) {
        wp_die( '0', 400 );
    }

    /**
     * Fires non-authenticated Ajax actions for logged-out users.
     *
     * The dynamic portion of the hook name, `$action`, refers
     * to the name of the Ajax action callback being fired.
     *
     * @since 2.8.0
     */
    do_action( "wp_ajax_nopriv_{$action}" );
}

Any code hooked to 'wp_ajax_ps-view-log' will only run if the user is logged in. For an AJAX action to be usable by anonymous users, it would also need to be hooked to 'wp_ajax_nopriv_ps-view-log', and according to the code you’ve shared it is not.

So any admin-ajax.php code that is not explicitly allowed for logged-out users is protected by the same WordPress authentication that protects /wp-admin.

If you have registered users who should not have access to this endpoint, then the nonce verifies that they at least have access to a page that generates the nonce.

Related Posts:

  1. WP Admin AJAX Security – using POST to include a relative URL
  2. WordPress Ajax Data Security
  3. Nonces and Cache
  4. Is it safe to assume that a nonce may be validated more than once?
  5. Multiple ajax nonce requests
  6. Ajax form submission from admin panel
  7. How to securely add an Ajax button to a WP Admin page?
  8. wp_remote_get() to get AJAX url /wp-admin/admin-ajax.php
  9. AJAX requests broken due to HTTPS for wp-admin
  10. Nonces, AJAX, script variables & security in WordPress
  11. Cookie nonce is invalid – Multisite
  12. wp-admin AJAX with Fetch API is done without user
  13. How do I check if AJAX nonces are implemented correctly?
  14. Is it safe to manually sign a user in using AJAX?
  15. ajax nonce verification failing
  16. WordPress Ajax Not Working ( Custom Admin page)
  17. Why a strange discrepency between get_current_user_id() when using AJAX versus output of document.cookie?
  18. Pass additional parameter with async upload
  19. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  20. Is it secure to use admin-ajax.php in front?
  21. Use WP admin AJAX url to hide API key
  22. Why does check_ajax_referer give a 403 error on https websites?
  23. Preprocess submitted data
  24. How to check nonce lifetime value of plugins?
  25. Using nonce when loading posts with AJAX
  26. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  27. Use AJAX in a WordPress Plugin to Get Data From Custom Database?
  28. Custom RPC end-point security best pratice?
  29. admin-ajax.php returns 0 even when the post status code is 200 OK
  30. Should wordpress nonce be placed in html form or in javascript file
  31. Can I use application/json content type in WordPress
  32. How to prevent my external API call from being called by anyone but me (my site)
  33. check_ajax_reffer not working when logged
  34. wordpress admin ajax trash_comment
  35. Ajax call not working anymore
  36. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  37. WorddPress website admin part not working correctly – I think ajax/json issue
  38. How modify comments metabox on post edit screen in WordPress?
  39. Ajax Security regarding user priviliges and nonces
  40. Weird admin-ajax.php problem
  41. WordPress Get Header and Footer using in Admin Area
  42. get_comments() returns empty array if called through AJAX
  43. Can I make an ajax response cross-domain?
  44. WordPress blocking polling request when signed into Admin
  45. randomly get 400 error while user is logged in wp_ajax
  46. Blocking admin-ajax.php from outside domain
  47. wp-admin/admin-ajax.php 400 Bad request (chrome console)
  48. How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
  49. contact form 7 form not working in admin panel
  50. ASP.NET MVC controller actions that return JSON or partial html
  51. How to check if I am in admin-ajax.php?
  52. How does admin-ajax.php work?
  53. Ajax in a settings page (update_option is undefined)
  54. What is the best method to close off the backend?
  55. admin-ajax.php vs Custom Page Template for Ajax Requests
  56. Change Login URL Without Plugin
  57. Options for restricting access to wp-admin
  58. Is there a hook that fires before an ajax call?
  59. AJAX request from Chrome Extension to WordPress Website
  60. Why is admin ajax reloading my page
  61. Why this plugin doesn’t work with media upload page?
  62. CPU usage: AJAX and Heartbeat API on admin pages
  63. Solve cors problem using rest api or ajax
  64. Why would admin-ajax.php redirect to the home page for logged out users?
  65. Implementing an AJAX POST API call in wordpress
  66. Loading comments in ajax – comment-reply function missing $args
  67. Woocommerce update product price via AJAX
  68. How do I query posts by a sub value with the API?
  69. Enqueue script in plugin is not working
  70. template_redirect or admin-ajax.php?
  71. Ajax call does not work for this simple code
  72. Check ajax triggered from front-end or from dashboard
  73. Localize script not working
  74. Why, if a function accepts arguments, it fails on ajax calls?
  75. WP_query offset seems to be counting draft post – AJAX load more
  76. adding ajax load more to display images from meta box
  77. Can’t load search results with ajax
  78. wp_ajax is not calling the action
  79. Deny dashboard access breaks ajax requests
  80. Run javascript upon successfully set featured image
  81. How to load dynamic option with ajax
  82. Register Template
  83. WordPress responds to the ajax request with readyState 1, 2, 3 before responding with 4
  84. Filter images from media library by guid meta field
  85. Counting Posts with multiple taxonomy and terms condition using MySQL and AJAX
  86. How to Object.freeze wp_localize_script
  87. WordPress New Post via ajax call
  88. How to add Ajax to this Pagination i made?
  89. Adding user using admin ajax by a user with custom role
  90. POST 429 Error when trying to place more than 20 images into post at once
  91. Ajax global variable is not getting saved (returns null)
  92. WP admin ajax Pagination issue
  93. Why function called by admin-ajax executes synchronously?
  94. Can Ajax Action [add_action(‘wp_ajax_{action_name}’, ‘{action_name}’] be hooked into wp hook
  95. Ajax Form data is not posted back to the get_results()
  96. Remove dashboard access but allow ajax file upload
  97. fail to load /wp-admin/admin-ajax.php locally
  98. WordPress & Ajax
  99. An unidentified error has occurred when deleting a category
  100. Escaping admin_url output being passed to js (esc_js vs esc_url)
deneme bonusu veren sitelerbahis siteleripulibet girişdeneme bonusutürkçe altyazılı pornocanlı bahis casinocanlı bahis casino siteleriOnwin Güncel Girişholiganbetholiganbet girişholiganbet güncel girişnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnewsnews