To change the admin-ajax.php path in WordPress, install WP Ghost, then go to WP Ghost > Change Paths > Ajax Security and set a custom name in the Custom admin-ajax Path field. For complete protection, also enable Hide wp-admin from Ajax URL (removes the /wp-admin/ directory from the AJAX URL entirely) and Change Paths in Ajax Calls (replaces default WordPress paths inside AJAX response data). After saving, your AJAX URL changes from /wp-admin/admin-ajax.php to something like /your-custom-handler. Every automated exploit script targeting the default endpoint gets a 404 instead of reaching your AJAX handler. All AJAX-powered features (forms, live search, the WooCommerce cart, Elementor) continue working normally.

Why admin-ajax.php Is a Critical Security Target

admin-ajax.php is the file that handles every AJAX (asynchronous JavaScript) request in WordPress. It lives at /wp-admin/admin-ajax.php by default. Every time you submit a form, filter products in a WooCommerce shop, load more posts with infinite scroll, or see a live search suggestion, admin-ajax.php is doing the work behind the scenes.

Here is what makes it uniquely dangerous as an attack surface:

It is the execution gateway for virtually every plugin. When a plugin has a vulnerability, the exploit is almost always routed through /wp-admin/admin-ajax.php with a specific action parameter. Scanners and exploit scripts target this exact path with crafted payloads. If your AJAX endpoint is at the default URL, every plugin vulnerability on your site is reachable through it.

It accepts file uploads. Some AJAX handlers allow file uploads. If any plugin on your site has a vulnerable upload handler registered through admin-ajax.php, attackers can upload malicious PHP files directly to your server. This is a documented real-world attack pattern.

It works from the front end with no login required. Unlike wp-login.php or wp-admin which require authentication, admin-ajax.php accepts requests from unauthenticated visitors (for the wp_ajax_nopriv_ hooks that plugins register). Bots can hit it directly without any credentials.

Its URL contains /wp-admin/. Even if you change the filename, the default URL still contains the wp-admin directory, which immediately identifies your site as WordPress. Complete protection requires changing both the filename and the directory.

The Three Layers of AJAX Protection

Layer                        | What It Does                                                                              | What It Blocks
Change admin-ajax.php Path   | Renames the filename from admin-ajax.php to a custom name                                 | Exploit scripts targeting the default filename (the majority of AJAX attacks)
Hide wp-admin from Ajax URL  | Strips the /wp-admin/ directory from the AJAX URL entirely                                | WordPress fingerprinting through AJAX URL structure
Change Paths in Ajax Calls   | Replaces default WordPress paths (wp-content, plugins, themes) inside AJAX response data | Path leakage through AJAX responses that would undo your other path changes

Each layer addresses a different attack vector. Enable all three for complete protection.

How to Change admin-ajax.php With WP Ghost

  1. Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.
  2. Go to WP Ghost > Change Paths > Ajax Security.
  3. In the Custom admin-ajax Path field, enter a custom name (a randomized default is already suggested). Avoid obvious names like ajax-handler, async-request, or data-endpoint. Use something random and unique.
  4. Switch on Hide wp-admin from Ajax URL. This strips the /wp-admin/ directory from the AJAX URL so it no longer reveals WordPress.
  5. Switch on Change Paths in Ajax Calls. This replaces WordPress paths inside AJAX response data (important if you’ve already changed the wp-content, plugins, or themes paths; otherwise AJAX responses could leak the originals).
  6. Click Save.
  7. Run a Security Check at WP Ghost > Security Check to verify the changes are working.

Full walkthrough in the Change admin-ajax.php Path guide.

What Happens After You Save

The changes take effect immediately. The experience for your visitors stays identical, but behind the scenes:

All AJAX functionality continues working normally. Forms, live search, WooCommerce cart updates, the Elementor editor, product filters, infinite scroll: everything that uses AJAX keeps functioning. WP Ghost rewrites URLs at the server level, so plugins and themes don’t need any modifications.

Automated exploit scripts break at the first request. Every script targeting /wp-admin/admin-ajax.php with crafted payloads gets a 404 instead of reaching your AJAX handler. The attack fails before any PHP runs: no database queries, no server resources wasted.

Your site stops being identifiable as WordPress through AJAX. With all three options enabled, there’s no trace of WordPress in your AJAX URLs or responses. Theme detectors and scanners that rely on AJAX fingerprinting come up empty.

Your public pages are unaffected. AJAX path changes only affect how your site handles background requests. Public URLs, SEO, sitemaps, and page content remain exactly the same.

Don’t Forget the REST API

WordPress has two main API endpoints: admin-ajax.php (the older one) and the REST API at /wp-json/. Many modern plugins use the REST API instead of, or in addition to, admin-ajax.php. Securing only one leaves the other exposed.

Change the REST API path separately at WP Ghost > Change Paths > API Security. Full guide at Change REST API Path. For complete API security, secure both endpoints.

Troubleshooting After the Change

Most sites work perfectly after changing the AJAX path. If something breaks (broken forms, post editor errors, layout issues), try these fixes in order:

Clear all caches: WordPress caching plugin, CDN cache, and browser cache. Cached pages may contain old AJAX URLs until the caches refresh.

Run a Frontend Test. At WP Ghost > Change Paths, click Frontend Test and follow any server configuration instructions it shows.

Resave permalinks. Go to Settings > Permalinks in WordPress and click Save Changes (no need to modify anything). This refreshes rewrite rules.

Re-login to admin. If you also changed the wp-admin path, log out and log back in through the new admin URL.

Revert if needed. Some themes or plugins hardcode the /wp-admin/admin-ajax.php path instead of using the standard WordPress AJAX API. If a specific feature breaks and the fixes above don’t help, revert to the default AJAX path and contact the plugin/theme developer about the issue.

Frequently Asked Questions

How do I change admin-ajax in WordPress?

Install WP Ghost, then go to WP Ghost > Change Paths > Ajax Security. Set a custom name in the Custom admin-ajax Path field. Enable Hide wp-admin from Ajax URL to strip the /wp-admin/ directory, and Change Paths in Ajax Calls to replace WordPress paths in AJAX responses. Save, clear your cache, and run a Security Check to verify.

Why is admin-ajax.php such a high-priority security target?

Because it is the execution gateway for virtually every WordPress plugin. When a plugin has a vulnerability, the exploit is almost always routed through /wp-admin/admin-ajax.php with a specific action parameter. It also accepts file uploads through some handlers, so plugin upload vulnerabilities can be exploited directly through it. Changing the path means exploit scripts can’t find the endpoint and attacks fail before any vulnerable code runs.

Will changing admin-ajax.php break my site?

In most cases, no. WP Ghost uses rewrite rules that transparently redirect AJAX requests to the correct handler. Plugins and themes that use the standard WordPress AJAX API (wp_ajax_ and wp_ajax_nopriv_ hooks) continue working without changes. However, some themes or plugins hardcode the default path. If you see broken forms or features after the change, check in a private browser window and, if needed, revert to the default path.
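The difference between a plugin that survives a path change and one that breaks (see the troubleshooting section and the answer above) comes down to how it obtains the AJAX URL. The following is an added example, not WP Ghost code or code from this page: a minimal plugin that registers a wp_ajax_nopriv_ handler the portable way, building the URL with admin_url() at runtime and validating every unauthenticated request. The "demo_live_search" action, the demo-search script handle and search.js are hypothetical names.

```php
<?php
/*
 * Added example (hypothetical plugin, not WP Ghost's code).
 * The AJAX URL is computed by admin_url() at request time, never written as the
 * literal string /wp-admin/admin-ajax.php, so a rewritten AJAX path keeps working.
 */

// 1. Hand the front-end script the current AJAX URL and a nonce.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-search', plugins_url( 'search.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-search', 'demoSearch', array(
        // admin_url() is filterable and evaluated per request, so a custom path is picked up;
        // a hardcoded "/wp-admin/admin-ajax.php" in search.js would 404 after the change.
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // The nonce is issued to unauthenticated visitors too and is checked on every call.
        'nonce'   => wp_create_nonce( 'demo_live_search' ),
    ) );
} );

// 2. The handler. wp_ajax_nopriv_* runs with no login at all, which is exactly why
//    the nonce check and input sanitisation below are not optional.
function demo_live_search_handler() {
    // Stops with a 403 when the nonce is missing or invalid (default die behaviour).
    check_ajax_referer( 'demo_live_search', 'nonce' );

    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    if ( strlen( $term ) < 2 ) {
        wp_send_json_error( array( 'message' => 'term too short' ), 400 );
    }

    // Only published posts are searched; no_found_rows skips the COUNT query.
    $query = new WP_Query( array(
        's'              => $term,
        'post_status'    => 'publish',
        'posts_per_page' => 5,
        'no_found_rows'  => true,
    ) );

    $results = array();
    foreach ( $query->posts as $post ) {
        $results[] = array(
            'title' => get_the_title( $post ),
            'url'   => get_permalink( $post ),
        );
    }
    wp_send_json_success( $results );
}
add_action( 'wp_ajax_demo_live_search', 'demo_live_search_handler' );        // logged-in users
add_action( 'wp_ajax_nopriv_demo_live_search', 'demo_live_search_handler' ); // anonymous visitors
```

On the browser side, search.js must read demoSearch.ajaxUrl rather than a literal "/wp-admin/admin-ajax.php"; that literal is the hardcoding that makes a theme or plugin break once the path is changed.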

Does this work with WooCommerce?

Yes. WooCommerce uses admin-ajax.php extensively for cart updates, product filters, checkout processing, and more. WP Ghost is fully compatible with WooCommerce. All AJAX-powered features continue functioning normally with a custom AJAX path.

Will Elementor still work after changing the AJAX path?

Yes. Elementor relies heavily on AJAX for its editor, form submissions, and dynamic widgets. WP Ghost’s rewrite rules route Elementor’s AJAX calls through the custom path correctly. If you experience specific issues with the Elementor editor, check cache settings and try running a Frontend Test.

Do I need all three AJAX options enabled?

For maximum protection, yes. Each option addresses a different vector: changing the filename stops scripts targeting admin-ajax.php, hiding wp-admin removes the directory identifier from the URL, and changing paths in AJAX responses prevents your responses from leaking your site structure. You can enable them individually, but together they provide complete AJAX security.

What about the REST API? Is admin-ajax.php the only endpoint I need to protect?

No. WordPress has two main API endpoints: admin-ajax.php (older) and the REST API at /wp-json/ (newer). Many modern plugins use the REST API instead of or in addition to admin-ajax.php. Change the REST API path separately at WP Ghost > Change Paths > API Security. For complete protection, secure both.

Does WP Ghost modify WordPress core files?

No. WP Ghost never touches, moves, or renames any WordPress file. The actual admin-ajax.php file stays in /wp-admin/ exactly where WordPress expects it. WP Ghost uses URL rewrite rules to create virtual paths. Deactivating the plugin restores the original URL instantly.