
Login Page Exposed
Your WordPress login page is publicly accessible. Learn how to protect it from brute-force attacks.
What is this?
Your WordPress login page (wp-login.php and the wp-admin directory) is publicly accessible to anyone on the internet. This is how WordPress works out of the box — it's not a misconfiguration. But it does mean that automated bots constantly attempt logins, trying common passwords or credentials leaked in data breaches from other sites. Most WordPress sites receive hundreds of login attempts per day without the owner ever knowing.
Why does it matter?
A weak password or a reused password from another service is all it takes to give an attacker full admin access to your site. The login page being exposed isn't a vulnerability by itself — but it's the most common entry point for successful attacks. A question that comes up constantly: can you just rename the wp-admin folder? No — the path is hardcoded throughout WordPress core and thousands of plugins, and renaming it breaks the site. Plugins that claim to "hide wp-admin" actually only move the login URL and redirect unauthenticated visitors; the folder itself stays where it is. Hardening the login page is therefore about raising the effort required, not hiding it: the harder you make it for bots, the less likely they are to succeed before moving on to an easier target. The single highest-impact step is two-factor authentication — see the 2FA setup walkthrough for the plugin choice and rollout. The full attack pattern this defends against is covered in the brute-force protection walkthrough.
How to fix it
These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.
Step 1: Install a login rate-limiter. Go to WordPress admin → Plugins → Add New. Search for "Limit Login Attempts Reloaded" (free). Install and activate it. This locks out IP addresses after a set number of failed attempts.
Step 2: Enable two-factor authentication. Search for "WP 2FA" (free). Install and activate it. Follow the setup wizard to require a time-based code on login. This means a stolen password alone is no longer enough.
Optional Step 3: Change your login URL. Search for "WPS Hide Login" (free). This moves wp-login.php to a custom URL that bots won't know to target.
Note: This is noise reduction, not protection — fingerprinting tools find a moved login page in seconds via the form's distinctive HTML. Do it after steps 1 and 2, never instead of them.
For developers / SSH access
Restrict login access by IP address (best if you always log in from the same IP). Edit .htaccess:
<Files wp-login.php>
    # Apache 2.2 syntax (works on 2.4 only while mod_access_compat is loaded;
    # on plain 2.4 replace the three lines below with: Require ip YOUR.IP.ADDRESS)
    Order deny,allow
    Deny from all
    Allow from YOUR.IP.ADDRESS
</Files>
Note: Replace YOUR.IP.ADDRESS with your actual IP. Find it at whatismyip.com. This blocks all other IPs from even reaching the login page.
Install Fail2ban to automatically block IPs with repeated failed attempts (server-level, more robust than a plugin). Note that the package only ships with an SSH jail enabled: to cover WordPress you still need a filter that matches failed wp-login.php POSTs in the web server's access log and a jail that uses it.
sudo apt install fail2ban
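To make the Fail2ban model concrete, here is an added example (not code from this page, from Fail2ban or from any plugin named above) that counts failed wp-login.php POSTs per source IP in Apache combined-format access-log lines and applies the same maxretry/findtime sliding window a Fail2ban jail uses. The log lines are constructed, and the rule "POST to wp-login.php with status 200 is a failure, 302 is a success" assumes stock wp-login.php behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line. The status code is the signal: a failed login makes
# wp-login.php re-render the form with 200, a successful one redirects with 302.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic):
# one bot hammering the login form every two seconds, one admin who logs in once.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:03:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"'
     for s in range(0, 12, 2)]
    + ['198.51.100.20 - - [12/Mar/2024:08:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
       '198.51.100.20 - - [12/Mar/2024:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.20 - - [12/Mar/2024:08:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"']
)

def failed_logins(lines):
    """Yield (ip, timestamp) for every request that looks like a failed wp-login.php attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash on them
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/wp-login.php") and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
            yield m.group("ip"), ts

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: failures} for IPs that reach `maxretry` failures inside one `findtime`
    window, i.e. the sliding-window rule a Fail2ban jail applies before banning."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        per_ip[ip].append(ts)
    banned = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= maxretry:
                banned[ip] = end - start + 1
                break
    return banned
```

Run `offenders(SAMPLE_LOG.splitlines())` to see only the bot's address reported; the admin's single 302 login never counts.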
How to verify the fix
After installing a rate limiter, try entering the wrong password 5+ times in a row. You should be locked out with a message about too many attempts. Re-run your scan — this finding is informational, so it will remain as "info" even after hardening, since the login page is still technically accessible.