Introduction
A 400 Bad Request error on admin-ajax.php usually means the request reached WordPress infrastructure but arrived in a form the server or application refused to process. That often breaks core admin actions, plugin features, live search, background saves, or checkout flows that depend on AJAX. The quickest way to recover is to identify what became invalid in the request path instead of disabling random plugins one by one.
Symptoms
- WordPress admin actions spin or fail without completing
- Plugin features such as filters, carts, or live previews stop working
- Browser developer tools show 400 responses from wp-admin/admin-ajax.php
- The issue started after enabling a plugin, CDN, WAF, or custom code
- Logged-in users hit failures that anonymous visitors do not see
Common Causes
- A plugin or theme sends malformed AJAX parameters, missing action names, or invalid nonces
- A WAF, security plugin, or CDN blocks or rewrites request bodies and query strings
- A proxy, load balancer, or cache layer strips required headers or cookies
- Mixed site URLs or reverse-proxy settings send the request to the wrong host or scheme
- Server limits, rewrite rules, or custom hardening break expected AJAX behavior
Step-by-Step Fix
- Open browser developer tools and inspect the failing admin-ajax.php request so you can see the exact method, payload, cookies, and response body.
- Identify which page action triggers the failure, then map it to the plugin, theme feature, or custom code using that AJAX endpoint.
- Confirm the request includes the expected action parameter, nonce, and authentication cookies if the operation requires a logged-in session.
- Review recent changes in plugins, theme code, security layers, or proxy settings that could alter request bodies, headers, or site URLs.
- Check whether the same AJAX request succeeds when bypassing CDN or WAF layers so you can isolate whether the 400 happens before or inside WordPress.
- Compare WordPress Address and Site Address settings with the actual hostname and protocol users are using in the browser.
- Inspect server logs, WAF events, and PHP notices for rejected payloads, missing parameters, or mod_security style blocks tied to admin-ajax.php.
- Disable only the suspected plugin, rule, or recent customization long enough to confirm the root cause, then replace it with a narrow fix.
- Retest the real user workflow, such as saving settings, filtering products, or submitting forms, so you know the repaired AJAX path works end to end.
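
The request checks in the steps above (action parameter, nonce, login cookie, host and scheme, and whether the 400 came from WordPress or a layer in front of it) can be run against a request copied out of developer tools. This is an added example, not code from WordPress or any plugin; the dict layout, the nonce field names, the finding labels, and the shop.example.test site are assumptions made for illustration, and the body is assumed to be form-encoded.

```python
from urllib.parse import urlsplit, parse_qs

# Common nonce field names; plugins may use others (assumption, adjust per plugin).
NONCE_FIELDS = ("_ajax_nonce", "_wpnonce", "security", "nonce")

def triage(req, site_url):
    """Return findings for one captured admin-ajax.php request (a dict)."""
    findings = []
    url, site = urlsplit(req["url"]), urlsplit(site_url)
    # Parameters may arrive in the query string or a form-encoded body.
    params = parse_qs(url.query)
    params.update(parse_qs(req.get("body", "")))
    # Header names are case-insensitive; HTTP/2 captures show them lowercased.
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    cookie_names = [c.split("=", 1)[0].strip()
                    for c in headers.get("cookie", "").split(";")]

    if (url.scheme, url.netloc.lower()) != (site.scheme, site.netloc.lower()):
        findings.append("host-or-scheme-mismatch")
    if not params.get("action"):
        findings.append("missing-action")
    if not any(f in params for f in NONCE_FIELDS):
        findings.append("no-nonce-field")
    # WordPress names its session cookie wordpress_logged_in_<hash>.
    if not any(n.startswith("wordpress_logged_in_") for n in cookie_names):
        findings.append("no-login-cookie")
    if req.get("status") == 400:
        # Heuristic: core's admin-ajax.php answers 400 with the body "0" when
        # the action is empty or has no handler; other bodies suggest a WAF/proxy.
        body = req.get("response_body", "").strip()
        findings.append("rejected-by-wordpress" if body == "0"
                        else "rejected-upstream-likely")
    return findings

# Constructed sample captures (not from a real site).
SAMPLES = [
    {"url": "https://shop.example.test/wp-admin/admin-ajax.php",
     "headers": {"Cookie": "wordpress_logged_in_0123abcd=editor%7C1; wp-settings-1=x"},
     "body": "action=save_filters&_wpnonce=abc123def4",
     "status": 400, "response_body": "<html>400 Bad Request</html>"},
    {"url": "http://shop.example.test/wp-admin/admin-ajax.php",
     "headers": {}, "body": "product=12",
     "status": 400, "response_body": "0"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["url"], triage(sample, "https://shop.example.test"))
```

A well-formed request that still gets a 400 with an HTML body points at the CDN, WAF, or proxy; a 400 with body 0 points at the action name or at a login cookie that never reached WordPress.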