Security fix guide
INFO

Login Page Exposed

Your WordPress login page is publicly accessible. Learn how to protect it from brute-force attacks.

What is this?

Your WordPress login page (wp-login.php and the wp-admin directory) is publicly accessible to anyone on the internet. This is how WordPress works out of the box — it's not a misconfiguration. But it does mean that automated bots constantly attempt logins, trying common passwords or credentials leaked in data breaches from other sites. Most WordPress sites receive hundreds of login attempts per day without the owner ever knowing.

Why does it matter?

A weak password or a reused password from another service is all it takes to give an attacker full admin access to your site. The login page being exposed isn't a vulnerability by itself — but it's the most common entry point for successful attacks. Hardening the login page is about raising the effort required: the harder you make it for bots, the less likely they are to succeed before moving on to an easier target.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

Step 1: Install a login rate-limiter. Go to WordPress admin → Plugins → Add New. Search for "Limit Login Attempts Reloaded" (free). Install and activate it. This locks out IP addresses after a set number of failed attempts.

Step 2: Enable two-factor authentication. Search for "WP 2FA" (free). Install and activate it. Follow the setup wizard to require a time-based code on login. This means a stolen password alone is no longer enough.

Optional Step 3: Change your login URL. Search for "WPS Hide Login" (free). This moves wp-login.php to a custom URL that bots won't know to target.

For developers / SSH access
1. Restrict login access by IP address (best if you always log in from the same IP). Edit .htaccess:

# Apache 2.2 access-control syntax (still accepted on Apache 2.4 when
# mod_access_compat is loaded); on a plain 2.4 setup the equivalent
# single directive is "Require ip YOUR.IP.ADDRESS"
<Files wp-login.php>
  Order deny,allow
  Deny from all
  Allow from YOUR.IP.ADDRESS
</Files>

Note: Replace YOUR.IP.ADDRESS with your actual public IP (find it at whatismyip.com). This blocks every other IP from even reaching the login page, so if your own IP changes you will be locked out too until you edit the file again through your host's file manager.

2. Install Fail2ban to automatically block IPs with repeated failed attempts (server-level, more robust than a plugin):

sudo apt install fail2ban
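Installing the package on its own does not protect WordPress: Fail2ban only acts once a jail tells it which log pattern counts as a failure. The script below is an added illustration (not part of this guide, not Fail2ban's own code) of that signal: it reads Apache combined-format access log lines, counts POSTs to wp-login.php per client IP, and reports the IPs that reach a threshold. The log lines are constructed samples, and the 200-vs-302 distinction relies on WordPress re-rendering the login form with HTTP 200 on a failed login and redirecting with 302 on success.

```shell
#!/bin/sh
# Hypothetical helper, added as an illustration (not part of the guide or of Fail2ban).
# Counts POST requests to wp-login.php per client IP in Apache combined-format
# access log lines and reports IPs over a threshold: the same signal a plugin
# rate limiter or a Fail2ban jail acts on.

# Constructed sample log lines (not from a real server). 203.0.113.7 fails six
# times; 198.51.100.20 loads the form once and logs in (302); 192.0.2.9 never
# touches the login page.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# count_login_posts: read log lines on stdin, print "count ip" for every IP that
# POSTed to wp-login.php and got a 200 back. In the combined format $1 is the
# client IP, $6 is the quoted method, $7 the path and $9 the status code. A 200
# on POST /wp-login.php is WordPress re-rendering the form (failed login); a
# successful login redirects with 302 and is therefore not counted.
count_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only the IPs whose failed-POST count reaches
# THRESHOLD, one per line. This is the decision a lockout plugin or jail makes.
flag_bruteforce() {
    threshold="$1"
    count_login_posts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage over the constructed sample; on a real server you would
# pipe in the log instead, e.g. tail -n 10000 /var/log/apache2/access.log | flag_bruteforce 5
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
```

A Fail2ban jail does the same counting with a regex over the live log plus a time window, and then inserts a firewall rule for the offending IP; if you run the script against your own access log before and after enabling the jail, the flagged IPs should stop appearing once the ban takes effect.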

How to verify the fix

After installing a rate limiter, try entering the wrong password 5+ times in a row. You should be locked out with a message about too many attempts. Re-run your scan — this finding is informational, so it will remain as "info" even after hardening, since the login page is still technically accessible.
