WordPress wp_doing_ajax Example: Scope AJAX-Only Logic Correctly

Last reviewed: May 12, 2026

WordPress code sometimes needs to behave differently when it runs under admin-ajax.php instead of a normal page load. The wrong way to detect that is by poking at globals or hand-checking constants everywhere. wp_doing_ajax() is the dedicated helper for determining whether the current request is a WordPress AJAX request.

This guide shows where that check belongs and why it should scope behavior, not replace proper request design.

Use it when one callable supports both normal and AJAX execution

<?php
function vulnwp_render_status_payload() {
	$data = array(
		'success' => true,
		'time'    => current_time( 'mysql' ),
	);

	if ( wp_doing_ajax() ) {
		wp_send_json_success( $data );
	}

	return $data;
}

This is the clean use case: one function supports two execution paths, and the AJAX branch returns the format that WordPress AJAX consumers expect.

Do not use it as a substitute for authorization

wp_doing_ajax() only tells you what request context is active. It does not say whether the current user is allowed to do anything. Capability checks, nonce verification, and input handling still need their own explicit path.

Prefer it over ad hoc constant checks

The code reference shows that the helper is the public API for this decision and passes through a filterable result. Reaching for the helper keeps intent clearer than scattering raw DOING_AJAX checks throughout the codebase.

Common mistakes

• Using context detection as authorization. AJAX context says nothing about permission.
• Checking implementation details directly everywhere. Use the public helper instead.
• Letting the same callable return incompatible shapes without reason. Keep the contract explicit.
• Adding AJAX-only behavior where a dedicated callback would be clearer. Context branching should stay deliberate.

Production checklist

• Use wp_doing_ajax() when behavior legitimately differs for AJAX requests.
• Keep nonce and capability checks separate.
• Return a consistent JSON contract from AJAX branches.
• Prefer explicit callbacks when branching becomes complex.
• Retest both AJAX and non-AJAX call paths after refactors.

Related reading

Pair this with the check_ajax_referer guide for request verification and with the wp_send_json_error article when the AJAX path needs structured failure output.

References and further reading

• WordPress Code Reference: wp_doing_ajax()
• WordPress Hook Reference: wp_doing_ajax filter
• WordPress Code Reference: wp_send_json_success()