
I have a few websites which use the following code to restrict the admin area. So far I have not found a better solution than this.

    ##> COMMENT - WordPress Admin Area Passwords
    location ^~ /wp-admin/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /home/bea/panel/security/.htpasswd;

        # escaped dot so only real .php URIs are matched
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
        }
    }

We are using a plug-in that allows users to see an under construction page but provides a login to allow the website owner to view their website while it is being built. Have a look at the image below.

As you can see below, the user is prompted to fill in a password to access the website, but they are also prompted to fill in the username and password to access the admin area. This pop-up only comes up when the user has put in a password to access the website and clicks on "Access the site".

Example

After contacting the plug-in creator, they suggested excluding wp-admin/admin-ajax.php?

Or is there a better practice to follow? I have noticed from time to time that some plug-ins require access to the admin area to function correctly.

I may have found a solution:

    ##> COMMENT - WordPress Admin Area Password, usually for LIVE sites

    location /wp-admin {
        # admin-ajax.php is served without basic auth
        location ~ /wp-admin/admin-ajax\.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
        }

        location ^~ /wp-admin/ {
            auth_basic "Restricted Access";
            auth_basic_user_file /home/user/panel/security/._htpasswd;
        }
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
        }
    }

I just want somebody to validate the code above and check that it is secure. I'm still willing to offer a bounty to validate its level of security.


2 Answers


  1. Chosen as BEST ANSWER

    After playing around for many hours I have found a working solution, but I am not quite sure if it is secure?

    location /wp-admin {
        # admin-ajax.php is served without basic auth
        location ~ /wp-admin/admin-ajax\.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
        }

        location ^~ /wp-admin/ {
            auth_basic "Restricted Access";
            auth_basic_user_file /home/user/panel/security/._htpasswd;
        }
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
        }
    }
    

    But it is a working solution.


  2. I think something like the below should do the job for you:

    location ^~ /wp-admin/ {
       auth_basic "Restricted Access";
       auth_basic_user_file /home/bea/panel/security/.htpasswd;

       # escaped dot so only real .php URIs are matched
       location ~ \.php$ {
          include snippets/fastcgi-php.conf;
          fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
       }
    }

    # an exact match is chosen before any prefix or regex location,
    # so admin-ajax.php is served without the auth_basic above
    location = /wp-admin/admin-ajax.php {
       include snippets/fastcgi-php.conf;
       fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
    }
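To see why the `=` exemption in this answer is reliable while a `~` regex exemption next to a `^~ /wp-admin/` block is not, here is an added example (not from the thread) that models nginx's server-level location selection order: exact match, then longest prefix (stopping if it is `^~`), then the first matching regex. Block labels and the two layouts are constructed; nested locations are not modelled.

```python
import re
from typing import List, Optional, Tuple

# (modifier, pattern, label) for one server-level location block.
Location = Tuple[str, str, str]

# Layout from the second answer: "^~" on /wp-admin/ plus an "=" exemption.
ANSWER_2: List[Location] = [
    ("^~", "/wp-admin/", "wp-admin (auth_basic)"),
    ("=", "/wp-admin/admin-ajax.php", "admin-ajax (no auth)"),
    ("~", r"\.php$", "generic php"),
    ("", "/", "root"),
]

# Constructed alternative: the same "^~" block, but the exemption is a regex.
REGEX_EXEMPT: List[Location] = [
    ("^~", "/wp-admin/", "wp-admin (auth_basic)"),
    ("~", r"^/wp-admin/admin-ajax\.php$", "admin-ajax (no auth)"),
    ("", "/", "root"),
]

def select_location(uri: str, locations: List[Location]) -> Optional[str]:
    """Return the label of the block nginx would choose for a normalized URI."""
    # 1. An exact ("=") match ends the search immediately.
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
    # 2. Longest matching prefix; remember whether it carried "^~".
    best: Optional[Location] = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best is not None and best[0] == "^~":
        return best[2]  # "^~" suppresses the regex phase entirely
    # 3. First regex (in file order) that matches wins.
    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label
    # 4. Otherwise fall back to the longest plain prefix, if any.
    return best[2] if best is not None else None

def requires_auth(uri: str, locations: List[Location]) -> bool:
    """True when the URI lands in the block that carries auth_basic."""
    return select_location(uri, locations) == "wp-admin (auth_basic)"
```

With `REGEX_EXEMPT`, `/wp-admin/admin-ajax.php` still lands in the `^~` block and is challenged for credentials, which is the behaviour the `=` block in this answer avoids.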
    