About 2 weeks ago, I released an update to WP-Email, WP-Polls, WP-PostRatings and WP-PostViews which added some nonce checks and moved the AJAX requests to be handled by /wp-admin/admin-ajax.php.
Here are 3 common issues that users are facing.
“-1” or “Failed To Verify Referrer”
This most likely means that you are using a caching plugin like W3 Total Cache (W3TC) and the JavaScript that it minified/combined and cached is outdated. Just empty the JS/CSS cache under the “Minify” section of W3TC in WP-Admin and W3TC will regenerate it. This will solve the problem.
Password Protected /wp-admin/ Will Not Work
If you are using .htpasswd to protect your /wp-admin/ folder, AJAX requests to /wp-admin/admin-ajax.php will not work. This problem is not unique to my plugins. Any WordPress plugin that uses the WordPress AJAX API will break. As mentioned in the Codex page Hardening WordPress:
Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php
To get around this, check out the tutorial Password protecting the wp-admin directory. It will teach you how to whitelist admin-ajax.php in your /wp-admin/ using .htaccess.
I still hope that in a future version of WordPress, they will separate front-facing AJAX requests from backend AJAX requests.
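One way to do the whitelisting described above, as an added example that is not taken from the linked tutorial or from the plugins: an .htaccess for /wp-admin/ that keeps HTTP Basic authentication on the directory but exempts admin-ajax.php. The AuthUserFile path and the realm name are placeholders, and the active directives assume Apache 2.4; the Apache 2.2 equivalent is given in comments.

```apache
# /wp-admin/.htaccess  (added example; path and realm name are placeholders)

# Basic authentication for everything under /wp-admin/
AuthType Basic
AuthName "WP-Admin"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Exempt only the AJAX endpoint, matched by exact file name.
# Front-end visitors have no Basic auth credentials, so requests from
# the plugins' front-end widgets must reach this file without them.
<Files "admin-ajax.php">
    # Apache 2.4 (mod_authz_core): replaces the inherited "Require valid-user"
    Require all granted

    # Apache 2.2 equivalent (use instead of the line above):
    # Order allow,deny
    # Allow from all
    # Satisfy any
</Files>
```

With this in place admin-ajax.php is protected only by WordPress itself, so every AJAX action still depends on its own nonce and capability checks.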
Your WP-Admin Is HTTPS While Your Site Is Not
If your WP-Admin is behind SSL (aka HTTPS) and you have the following config in your wp-config.php:
define('FORCE_SSL_ADMIN', true);
the AJAX will fail because https://yoursite.com is different from http://yoursite.com and the browser treats them as different origins.
To solve this issue, do the following:
Find:
'ajax_url' => admin_url('admin-ajax.php'),
Replace with:
'ajax_url' => admin_url('admin-ajax.php', (is_ssl() ? 'https' : 'http')),
What the code does is basically make the admin-ajax.php URL use the same scheme as the page being viewed, so http is used for the AJAX request when the page itself is served over http. Again, this is a hack; I am trying to figure out a way around it.
I have pushed the code to trunk of all the respective plugins.