[wp-trac] [WordPress Trac] #45022: Add a wp-ajax.php at the root of wordpress

WordPress Trac noreply at wordpress.org
Tue Oct 2 12:50:06 UTC 2018


#45022: Add a wp-ajax.php at the root of wordpress
----------------------------+------------------------------------------------
 Reporter:  tofandel        |      Owner:  (none)
     Type:  feature request |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Security        |    Version:  trunk
 Severity:  normal          |   Keywords:  needs-patch needs-docs needs-codex
  Focuses:                  |
----------------------------+------------------------------------------------
 Currently there is an admin-ajax.php that works great but has very poor
 performance because of the is_admin() that returns true, and so some
 plugins or even the core start doing some heavy computation, be it building
 configuration arrays with tons of translations or doing heavy database
 queries; although that is normal for the backend ajax, it would be great to
 have a non-admin wp-ajax in WordPress 5.

 It would be located at the root of wordpress so the admin_hooks won't have
 to load/fire, the wp_query won't have to process and frontend plugins will
 be able to use this ajax instead of the old admin ajax, greatly reducing
 the loading time of the ajax-call and the load on the server, (+ there is
 already the nopriv hook so the separation will be easy to implement for
 plugins).

 There are currently workarounds such as just using parameters in the URL
 (like wc-ajax for WooCommerce), but those are not actually better because
 the wp_query still tries to do some work beforehand, and some plugins do
 whatever they want with this and sometimes it's really ugly...

 Also some plugins use is_admin() wrong (I did the same when I first
 started: because of the name I thought it would check that the current user
 was an admin, until later I found out this wasn't the case and went
 back and fixed all those security holes), and this creates huge security
 issues because you can run that supposedly is_admin()-restricted code in an
 ajax call, and many plugin authors make this mistake.

 A core and unified way of doing that would be great for the community:
 better performance for users, better separation of frontend and backend,
 fewer security risks and happier developers spending less time implementing
 their ajax hooks.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45022>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform