Is it safe to use admin-ajax.php in the frontend?

See documentation here but don’t miss the note 2 and the following points :

  • AJAX on the front-end is more complicated, ajaxurl is not defined so
    you have to call it with wp_localize_script().
  • you have to use wp_ajax_nopriv_{action} for non logged in users
  • there could be security issue !!!

About the third point :

Be careful because you give access to non logged in users to some data and functions. So you need to ask yourself about what you want to do. It could seem a little bit too much but to me when using AJAX on the front-end of WP you should make $_GET things, only for reading, for example infinite scroll ans stuffs like that, not delete, create and update actions.

Related Posts:

  1. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  2. Why “Contact Form 7” doesn’t update PHPmailer library?
  3. Help making my pagination plugin better
  4. admin-ajax returning 400 error when request is made with Fetch API
  5. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  6. What does a security risk in a plugin look like?
  7. WordPress Capabilities: edit_user vs edit_users
  8. Custom plugin giving: wp-admin/admin-ajax.php 400 (Bad Request)
  9. Ajax Load More and Masonry: is it possible to load admin-ajax.php in the front end?
  10. Errors while using ajax from external wordpress page
  11. Built in admin ajax hooks?
  12. How many security plugins are too many? [closed]
  13. Will WordPress username displayed somewhere in the site?
  14. Only execute jQuery function(on document ready) on the page has shortcode from plugin [duplicate]
  15. Ajax with jQuery UI dialog not working
  16. Shortcode in AJAX popup
  17. How can I process xml file on upload?
  18. How to limit WordPress pages during updates?
  19. ajax front-end increment views on click
  20. rms_unique_wp_mu_pl_fl_nm.php
  21. Why none of the plugins that have ajax doesn’t work in my website?
  22. wp_create_nonce function doesn’t work inside a plugin?
  23. How to Create a Custom Panel and Fields in Post Page [Plugin]
  24. WordPress Ajax Posting from App
  25. Headers Content-Security-Policy CSP Major Issue
  26. Nonce failing on form submission
  27. Theme is Causing Ajax Conflicts for a plugin I cant identify it
  28. Why WordPress plugin url ajax doesn’t work?
  29. Search for categories
  30. Ajax call returning 0
  31. Ajax fail and get 504 error
  32. Display wordpress post’s in popup?
  33. Using color picker in plugin, does input attribute order matter?
  34. Ajax : Call undefined function plugin_function() … can’t call any plugin function
  35. AJAX call – failling to call do_action
  36. What are the Best Practises When Using AJAX in Plugin Development?
  37. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  38. Prevent direct access to WordPress plugin assets?
  39. Does having more than 30 Admin Ajax affects site performance (plugin)?
  40. Submit Form data to another page via Ajax (WordPress Way)
  41. plugin shortcode not working on ajax request call
  42. wordpress add_action() issue in ajax call
  43. PHP script from functions php is loaded via admin-ajax to div…and the result is 0, not the desired content
  44. Too many login attempts
  45. Ajax Plugin Not Echoing Response
  46. Website show Google Ads when we have no Google Ads linked to our website
  47. WordPress Ajax code is not Working
  48. don’t call ajax if not plugin page
  49. woocommerce search by sku and title ajax
  50. Where Should i write the code for wordpress ajax voting?
  51. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  52. Webservice credential storage [duplicate]
  53. How to include my Ajax calls in one function instead of calling different ones every time?
  54. Regarding plugin security
  55. Call ajax on the frontend
  56. Is this plugin safe to run?
  57. Using AJAX to run SQL statement and populate dropdown
  58. Is the Block Bad Queries Plugin Still Relevant?
  59. best way to run a php script away from the template?
  60. Need help creating asynchronous data scraper in WordPress
  61. Ajax call not working in wordpress through a plugin
  62. Ajax 400 error when used inside a plugin
  63. Strange admin-ajax / CSS / $_SESSION issue
  64. wc_get_template_part doesnt display the content [duplicate]
  65. In a plugin, How to update a json file using ajax
  66. Cannot pass value variable to WP AJAX functions
  67. Can you add a shortcode to a custom post type that gets the post_title, post_content, etc. and then passes that to a plugin function?
  68. JS working when used normally but not in wordpress
  69. Use AJAX to fetch Current Post Thumbnail for WordPress when Uploaded throughMedia Uploader Frontend
  70. How to avoid the 403 Forbidden error in a WP Plugin with Ajax and PHP
  71. wp-admin/admin-ajax.php 400 (Bad Request) plugin
  72. Bing/msn bots is heavily requesting random of my website
  73. AJAX update fails for public/non-admin users
  74. WordPress Ajax request “Failed to load resource: the server responded with a status of 400 ()”
  75. How to disable/enable PHP plugin functionality based on a TinyMCE toggle-button
  76. ajax voting for custom post type
  77. Conditional Fields depending on checkboxes
  78. Ajax call fails and returns [object Object]
  79. WordPress environment not loading properly
  80. wordpress ajax pagination object value does not change
  81. Ajax specific template not loading in replacement of index.php
  82. Write mysql credentials in plugin
  83. Ajax return 0 in plugin – ajax only used in wp-admin
  84. What’s the preferred method of writing AJAX-enabled plugins?
  85. using jquery serialize in ajax operation for plugin
  86. Like/Dislike Bar not working when updating
  87. SWF in wordpress post
  88. Unwanted Links and Spam WordPress Pages and Posts
  89. Trouble Removing Plugin [closed]
  90. Help me with my first very basic plugin
  91. How to change response of admin-ajax request?
  92. File permissions for wp-minify plugin
  93. Ajax not working for logged in users
  94. What is the recommended way to be notified of security updates to my plugins? [closed]
  95. Inline AJAX script passing variables to PHP
  96. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  97. Block Root REST API Route using custom &/or iThemes
  98. Secure way to add JS Script to WordPress filesystem
  99. Not applying update field (acf) in my plugin
  100. How to verify/test that a custom built wordpress theme is as secure as possible?