We are having some issues with an external developer.

We want to limit access to the wp-admin site to internal access only (via VPN). Simply so it will not be attacked by external users. We can enumerate the admins from the site and do not want them to be phished.

Our developer is saying we can't do that because the site needs to have the admin page accessible externally so the page will function. Specifically, the admin-ajax page.

What does the admin-ajax.php page do?

It is located in the admin section of WordPress. Is it accessed unauthenticated by end users? Is it an unsafe practice to have this available to external users?

admin-ajax.php is part of the WordPress AJAX API, and yes, it does handle requests from both the back end and the front end. Try not to worry about the fact that it is in wp-admin. I think that is a strange place for it too, but it is not a security problem in itself. How this relates to "enumerate the admins", I don't know.
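To make the "both the back end and the front end" point concrete, here is an added example (not code from the original question or answer, and not part of WordPress itself) of a minimal plugin that registers one AJAX action on both hooks WordPress provides: `wp_ajax_{action}` for logged-in users and `wp_ajax_nopriv_{action}` for anonymous visitors. Both are served by the same `/wp-admin/admin-ajax.php` URL, which is why a site with front-end AJAX needs that one file reachable even if the rest of wp-admin is not. The action name `demo_lookup`, the script handle, the `q` parameter and the capability used are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the original post): a minimal plugin showing how
 * admin-ajax.php serves the same action name to anonymous visitors and to
 * logged-in users, and where the real access checks belong.
 * Assumed names: action "demo_lookup", script handle "demo-lookup",
 * POST field "q", capability "manage_options".
 */

// Front end: enqueue a script and hand it the admin-ajax.php URL plus a nonce.
// The endpoint lives under /wp-admin/ even though the caller is a public page.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-lookup', plugin_dir_url( __FILE__ ) . 'demo-lookup.js', array(), '1.0', true );
    wp_localize_script( 'demo-lookup', 'demoLookup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_lookup' ),
    ) );
} );

// Anonymous (not logged in) visitors reach this handler through wp_ajax_nopriv_.
add_action( 'wp_ajax_nopriv_demo_lookup', 'demo_lookup_public' );
// Any logged-in user, subscribers included, reaches this one through wp_ajax_.
add_action( 'wp_ajax_demo_lookup', 'demo_lookup_private' );

function demo_lookup_public() {
    // Nonce check: defends against CSRF. For an anonymous caller the nonce is
    // not tied to an account, so it is a CSRF token, not authentication.
    check_ajax_referer( 'demo_lookup', 'nonce' );

    $q = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    if ( '' === $q ) {
        wp_send_json_error( array( 'message' => 'missing q' ), 400 );
    }
    // Only public data is returned on the unauthenticated path.
    wp_send_json_success( array( 'query' => $q, 'public' => true ) );
}

function demo_lookup_private() {
    check_ajax_referer( 'demo_lookup', 'nonce' );

    // wp_ajax_ fires for ANY logged-in role; being logged in is not a privilege
    // check. The capability test is what actually gates privileged work.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $q = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    wp_send_json_success( array( 'query' => $q, 'admin' => true ) );
}
```

The front-end script would POST `action=demo_lookup`, the nonce and `q` to `demoLookup.ajaxUrl`; WordPress reads `action` and dispatches to whichever of the two hooks matches the caller's login state. A request naming an action with no registered handler is refused by admin-ajax.php itself with a bare `0`. The practical consequence for the question above is that exposing admin-ajax.php exposes exactly the `nopriv` handlers that installed plugins and themes register, so the review effort belongs on those handlers (nonce, input sanitisation, and a capability check on the privileged path) rather than on the file's location under wp-admin.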
