Wordpress "admin-ajax.php" 404 Error

Question

I created a website for a small bed and breakfast, but I found a problem, which I don’t understand if it is depended on WordPress or the server.

This website uses a pop-up animation to show the room description. The problem is that this popup has stopped working in the last week. From browser console, I noticed that the whole thing depends on a 404 error (admin-ajax.php not found). Here it is the detail:

jquery.js?ver=1.12.4:4 POST http://lettoacastello.net/wp-admin/admin-ajax.php 404 (Not Found)
send @ jquery.js?ver=1.12.4:4
ajax @ jquery.js?ver=1.12.4:4
(anonymous) @ script.js?ver=4.9.1:207
dispatch @ jquery.js?ver=1.12.4:3
r.handle @ jquery.js?ver=1.12.4:3

To be able to solve the problem temporarily, I simply reinstall WordPress from dashboard. The problem doesn’t occur again for a whole day, all works fine! But the next day all starts over and the problem presents again (this cycle continues like this every day). For this reason I do not understand if it is a server problem or not.

A last very important thing. The popup has no problems if I am logged into WordPress admin panel (the browser recognizes “admin-ajax.php” file).

The code was not written by me (the developer says that the problem does not depend on him).

However, I believe this is the portion of code that controls room popup:

jQuery(document).ready(function($){

$('.special-room button.btn, .rooms-sec button.btn').live('click', function(e){

    e.preventDefault();

    $('#room.modal').html('');

    var thislink = this;

    var page_id = $(this).data('id');



    $.ajax({

        url: ajaxurl,

        method: 'POST',

        data: 'action=_sh_ajax_callback&subaction=sh_room_detail&post_id='+page_id,

        success: function(res){

            $('#room.modal').html(res);

        }

    });



});

Please, can I ask you for help? Unfortunately I’m not very technical.

Thank you

Answer 1

If everything works when you are logged in, this is not a direct problem of your code, but a security issue: of course you are not allowed to call any stuff in /wp-admin/ (which is the folder for backend actions) if not logged in, but your code does not handle that very well.

If you need to run this without a login, some more work has to be done in PHP code. But helping out is difficult if we cannot see that code

Answer 2

Comment file: wp-admin/.htaccess --> #Order Allow,Deny AND #Deny from all Example:

<FilesMatch ".*\.(phtml|php)$">
#Order Allow,Deny
#Deny from all
</FilesMatch>
<FilesMatch "(index).php$">
#Order Allow,Deny
#Allow from all
</FilesMatch>

Greetings from Peru :D

Answer 3

I am taking this out of your comment:

Thanks @NicoHaase and @LawrenceCherone! After tinkering a bit with the admin-ajax.php file, I found the string that causes the problem. If I remove it, everything works correctly until the next day, when the string is automatically recreated.

The problem is that your website got Hacked, and script/software is injecting your website with this code.