Title: DDoS on /wp-admin/admin-ajax.php Last modified: August 31, 2016 --- # DDoS on /wp-admin/admin-ajax.php * Resolved [IvanRF](https://wordpress.org/support/users/ivanrf/) * (@ivanrf) * [10 years, 4 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/) * Hi guys, unfortunately I’m under a DDoS attack. Random IPs enter to one page and then redirect to “`/wp-admin/admin-ajax.php`“, which throws 404. However, they are exhausting my resources and Wordfence is not able to stop them (I selected Level 3: High security). * Examples: **Sherwood Park, Canada** left … and tried to access non-existent page …/wp-admin/admin-ajax.php **Puchong Batu Dua Belas, Malaysia** left … and tried to access non-existent page …/wp-admin/admin-ajax.php **Szeged, Hungary** left … and tried to access non-existent page …/wp-admin/admin-ajax.php * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 5 replies - 1 through 5 (of 5 total) * Thread Starter [IvanRF](https://wordpress.org/support/users/ivanrf/) * (@ivanrf) * [10 years, 4 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-7047885) * I forgot to mention that I gain access to my Admin page again by defining a `. htaccess` file on the /wp-admin/ folder. Only allowing my IP I was able to free some resources. * [Limit Access to wp-admin by IP](http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP) * Thread Starter [IvanRF](https://wordpress.org/support/users/ivanrf/) * (@ivanrf) * [10 years, 4 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-7047987) * I found the root cause and it wasn’t an attack, just a BAD coded third-party plugin making calls on every site visit. * [rene-michaels](https://wordpress.org/support/users/rene-michaels/) * (@rene-michaels) * [10 years, 3 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-7048179) * I have a similar problem. What plugin was causing the issue? * Thread Starter [IvanRF](https://wordpress.org/support/users/ivanrf/) * (@ivanrf) * [10 years, 3 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-7048180) * > What plugin was causing the issue? * Monarch Social Sharing Plugin. * [wordpresslover7](https://wordpress.org/support/users/wordpresslover7/) * (@wordpresslover7) * [9 years, 5 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-8568236) * How do you check which plugin make these calls ? Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘DDoS on /wp-admin/admin-ajax.php’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 5 replies * 3 participants * Last reply from: [wordpresslover7](https://wordpress.org/support/users/wordpresslover7/) * Last activity: [9 years, 5 months ago](https://wordpress.org/support/topic/ddos-on-wp-adminadmin-ajaxphp/#post-8568236) * Status: resolved