Is it secure to use admin-ajax.php in front?

I would like to know if it is secure to use admin-ajax.php for your ajax requests on the front.

There is nothing fundamentally insecure about using it for AJAX requests as a protocol.

So is it secure?

That question makes little sense, in the same way that “Is a coin flip secure?” doesn’t make a lot of sense. The only real answer is it depends.

It depends on what your AJAX request handler does at the other end, and whether you build it securely.

Building a secure AJAX handler via admin-ajax.php depends on what your handler does, and the checks put in place, e.g. nonces, capability checks, validation, sanitising etc.

Remember, you will need to implement all the security checks yourself.

Secure vs What?

The other options:

A standalone file in a theme or plugin, or in the root WP folder

This is a security hole, because now you have a standalone endpoint that is always active even if a theme or plugin is disabled. Additionally, it requires WP to be bootstrapped, forcing you to write the file so it will only work in a particular place, else it won’t know where the files it needs to load are, making it fragile. It also requires a collection of constants to be included for WordPress to bootstrap correctly.

Additionally, you still have to implement all of the checks yourself, with the added bonus that the file will only work in 1 location. Doing this is very difficult, and requires skills on par with a core contributor. Most developers aren’t aware of some of the things they might need to do, including but not limited to:

  • input validation
  • input sanitising
  • user capability checks
  • nonce validation
  • user authentication
  • output checking
  • output escaping
  • showing error messages
  • redirects
  • etc.

Additionally, there’s no mechanism for enabling or disabling a standalone file. For example, if example.com/site1 has a plugin for contacting the administrator that uses a standalone file, then this will work for all sites on the multisite, even if the plugin is deactivated. Now anybody can contact the administrator of any site, even those for which you don’t want that option.

Additionally, no debugging support is provided, so if things go wrong, your only help is the PHP error log.

A good example of a standalone file that caused major problems would be timthumb.php.

A Page Template

This necessitates the creation of a page, with a specific URL, and then configuring it to use a page template.

Additionally, this requires all of the checks that admin AJAX and a standalone file require. On the plus side, you don’t need to bootstrap WordPress.

A REST API Endpoint

This uses an API that was built specifically for requests from JavaScript. Additionally, it’s much easier to work with. You can specify what parameters an endpoint takes, what capabilities are needed, etc. It will do all the escaping, validation, and sanitising for you if you tell it what to expect.

If you don’t fulfill the requirements a request needs, it will tell you what you did wrong in the response, e.g. it will tell you that you can’t do something. Admin AJAX won’t unless you program it to.

Additionally, it makes the endpoints discoverable (but only to users capable of using them), provides mechanisms for filtering and overriding from other plugins, and avoids all the disadvantages of the other options.

So is it secure?

It depends; the question on its own is too simple.

But if you want a proper security answer, then no, nothing can ever be considered 100% secure, it’s impossible.

Is it good or bad practice to use admin-ajax.php?

It is good practice. REST API endpoints built using the WP APIs are better though in every way imaginable.
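
The contrast drawn above between admin-ajax.php and a REST API endpoint, as an added example that is not part of the original answer: the same hypothetical "save a note" action written both ways. The `myplugin` prefix, the `_myplugin_note` meta key and the `myplugin/v1` route are assumptions made for illustration.

```php
<?php
// Added example; the "myplugin" names, meta key and route are assumptions.

// 1) admin-ajax.php: every check is written by hand inside the handler.
add_action( 'wp_ajax_myplugin_save_note', 'myplugin_ajax_save_note' );
function myplugin_ajax_save_note() {
    // Nonce validation: stops the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'myplugin_save_note', 'nonce' );

    // Input validation and sanitising.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $note    = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( ! $post_id || '' === $note ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    // Capability check: the wp_ajax_ hook only guarantees a logged-in user.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    update_post_meta( $post_id, '_myplugin_note', $note );
    wp_send_json_success( array( 'note' => $note ) );
}

// 2) REST API: the same rules are declared on the route and enforced by WordPress.
// Cookie-authenticated callers must send a 'wp_rest' nonce in the X-WP-Nonce header.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/notes/(?P<post_id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['post_id'] );
        },
        'args'                => array(
            'post_id' => array( 'type' => 'integer', 'required' => true,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg' ),
            'note'    => array( 'type' => 'string', 'required' => true,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'sanitize_text_field' ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            update_post_meta( $request['post_id'], '_myplugin_note', $request['note'] );
            return rest_ensure_response( array( 'note' => $request['note'] ) );
        },
    ) );
} );
```

In the REST version a missing or wrongly typed parameter, or a failed permission check, produces a structured error response without any code in the callback, which is the behaviour the answer says admin AJAX only provides if you program it.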