How to Change the admin-ajax.php Path in WordPress with WP Ghost
Secure your WordPress admin-ajax.php endpoint by changing its path, hiding wp-admin from AJAX URLs, and replacing paths in AJAX responses with WP Ghost (formerly Hide My WP Ghost). Unlike login or registration pages, admin-ajax.php handles every dynamic interaction on your site and is one of the most exploited endpoints in WordPress. Three layers of protection, one settings page.
Every time a visitor submits a form, filters WooCommerce products, loads more posts with infinite scroll, or sees a live search suggestion, admin-ajax.php does the work. It sits at /wp-admin/admin-ajax.php by default, and every exploit script targeting WordPress knows exactly where it is. Attackers use it to deliver XSS payloads, trigger remote code execution through vulnerable plugin hooks, and upload malicious files through improperly secured AJAX handlers.
Why You Need to Secure admin-ajax.php
| Default /wp-admin/admin-ajax.php (exposed) | With WP Ghost (secured) |
|---|---|
| Every exploit script targets this exact URL | Custom path, exploit scripts get 404 |
| URL contains “wp-admin”, confirms WordPress | wp-admin removed from AJAX URL |
| AJAX responses leak plugin/theme paths | All paths replaced in responses too |
| Server resources consumed processing attacks | Requests blocked before reaching PHP |
How to Secure admin-ajax.php with WP Ghost
Activate Safe Mode or Ghost Mode
Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.

Change the admin-ajax.php Path
This replaces the default /wp-admin/admin-ajax.php URL with a custom name. Every exploit script targeting the default path gets a 404 instead of reaching your AJAX handler.
Go to WP Ghost > Change Paths > Ajax Security. Find the Custom admin-ajax Path field. Enter a custom name. Click Save.

Hide wp-admin from the Ajax URL
Even after changing the filename, the AJAX URL may still contain “wp-admin” as a directory, which confirms WordPress to scanners. This option removes the wp-admin directory from the AJAX endpoint entirely.
In the same Ajax Security tab, switch on Hide wp-admin from Ajax URL. Click Save.

With both options enabled, your AJAX URL changes from something like /wp-admin/admin-ajax.php to just /my-custom-handler. No wp-admin, no admin-ajax.php. Nothing that identifies WordPress.
Change Paths in Ajax Calls
When WordPress responds to an AJAX request, the response often contains paths to images, scripts, and files that include /wp-content/, /wp-includes/, and plugin or theme directory names. These paths reveal your site’s structure to anyone inspecting network traffic.
This option intercepts AJAX responses and replaces all default WordPress paths with your custom paths.
In the Ajax Security tab, switch on Change Paths in Ajax Calls. Click Save.

This is especially important if you have already changed the wp-content path, changed the plugins path, or changed the themes path. Without this option, AJAX responses could leak the original paths and undo your work.
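To confirm that responses no longer expose the default paths, you can scan captured AJAX response bodies for them. The script below is an added example, not part of WP Ghost: the sample bodies are constructed, `/core/` is a hypothetical custom path, and the check also covers JSON-escaped slashes (`\/wp-content\/`) and URL-encoded paths, which a plain text search would miss.

```python
import json
from urllib.parse import unquote

# Default WordPress identifiers that should no longer appear in AJAX responses.
DEFAULT_MARKERS = ("/wp-admin/", "/wp-content/", "/wp-includes/", "admin-ajax.php")

def _strings(value):
    """Yield every string (keys included) nested inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)

def find_leaks(body):
    """Return the sorted default-path markers found in one response body."""
    texts = [body, body.replace("\\/", "/")]  # raw text, plus escaped slashes undone
    try:
        texts.extend(_strings(json.loads(body)))  # also resolves \u002f escapes
    except ValueError:
        pass  # HTML fragment or plain text such as "0": raw checks still apply
    hits = set()
    for text in texts:
        decoded = unquote(text).lower()  # catches %2Fwp-admin%2F style encoding
        hits.update(marker for marker in DEFAULT_MARKERS if marker in decoded)
    return sorted(hits)

def audit(samples):
    """Map each captured AJAX action to the default paths its response leaks."""
    return {name: leaks for name, body in samples.items() if (leaks := find_leaks(body))}

# Constructed sample bodies, keyed by a hypothetical AJAX action name.
SAMPLES = {
    "load_more": r'{"success":true,"data":{"html":"<img src=\"https:\/\/example.com\/wp-content\/uploads\/a.png\">"}}',
    "live_search": r'{"success":true,"data":{"html":"<img src=\"https:\/\/example.com\/core\/media\/a.png\">"}}',
    "cart_fragment": '<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>',
}

if __name__ == "__main__":
    for action, leaks in audit(SAMPLES).items():
        print(f"{action}: leaks {', '.join(leaks)}")
```

Any action reported here is still returning default paths. Bodies can be copied from the Network tab of the browser's developer tools.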
Verify with a Security Check
Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the admin-ajax.php path is changed and hidden.

Troubleshooting
Theme or Plugin Compatibility Issues
Admin-ajax.php is deeply integrated into WordPress. Some themes or plugins may not handle custom AJAX paths gracefully. If you notice issues after changing the path:
Test AJAX-dependent features. Visit pages that use forms, live search, product filters, or infinite scroll. If any of these break, the custom AJAX path is likely the cause.
Clear all caches. Clear your browser cache, WordPress caching plugin, and CDN. Cached JavaScript may still reference the old path.
Check the browser console. Open your browser’s developer tools (F12) and look at the Console and Network tabs. Failed AJAX requests will show 404 errors pointing to the old path.
Disable “Change Paths in Ajax Calls” temporarily. If AJAX responses are causing issues, try disabling this option first while keeping the custom path active.
Use the Safe URL. If you are locked out, use the Safe URL parameter or the Emergency Disable guide.
Frequently Asked Questions
Will changing the admin-ajax.php path break my site?
No. All AJAX functionality continues working normally. Forms, live search, WooCommerce cart updates, Elementor editor, product filters, infinite scroll – everything that uses AJAX keeps working. WP Ghost rewrites the URLs at the server level, so plugins and themes do not need modifications.
Does this work with WooCommerce?
Yes. WooCommerce relies heavily on AJAX for cart updates, checkout processes, and product filtering. WP Ghost’s rewrite rules ensure all WooCommerce AJAX calls are properly routed through the custom path.
Do I need all three AJAX options enabled?
For maximum protection, yes. Each addresses a different vector. Changing the filename stops scripts targeting admin-ajax.php. Hiding wp-admin removes the directory identifier. Changing paths in AJAX calls prevents responses from leaking your site structure.
What about the REST API?
WordPress has two main API endpoints: admin-ajax.php and the REST API (wp-json). Many modern plugins use the REST API instead of or in addition to admin-ajax.php. WP Ghost lets you change the REST API path separately. For complete protection, secure both.
Does WP Ghost modify WordPress core files?
No. The admin-ajax.php file stays in /wp-admin/ exactly where WordPress expects it. WP Ghost uses URL rewrite rules to create virtual paths. Deactivating the plugin restores all defaults instantly.
Related Tutorials
Change and Hide the wp-admin Path – secure the admin dashboard alongside the AJAX endpoint.
Change REST API Path – secure the other major WordPress API endpoint.
Customize All WordPress Paths – change every path in one guide.
Firewall and Geo Security – block malicious traffic with the 8G Firewall.
Website Security Check – verify your configuration after making changes.