wp-login.php exposed without protection

The WordPress login page (wp-login.php) is accessible from the internet without any additional protection. It is a constant target of automated attacks.

Why it matters

Bots try thousands of username/password combinations per hour. Weak protection on administrator accounts can lead to a complete takeover of the site.

How to fix

  1. Restrict access by IP address (recommended)

    ```apache
    # In the site's .htaccess (or the virtual host configuration).
    # This is Apache 2.2 syntax; on Apache 2.4 replace the three Order/Deny/Allow
    # lines with:  Require ip 1.2.3.4
    <Files wp-login.php>
      Order deny,allow
      Deny from all
      # Replace 1.2.3.4 with your own IP address (Apache does not allow trailing comments on a directive line)
      Allow from 1.2.3.4
    </Files>
    ```
  2. Add HTTP authentication (double barrier)

    ```bash
    # Create a .htpasswd file. The path is a placeholder: keep the file outside the web root.
    # -c creates the file; omit it when adding further users to an existing file.
    htpasswd -c /chemin/hors/web/.htpasswd votre_utilisateur
    ```

    ```apache
    # In .htaccess
    <Files wp-login.php>
      AuthType Basic
      AuthName "Restricted area"
      AuthUserFile /chemin/hors/web/.htpasswd
      Require valid-user
    </Files>
    ```
  3. Enable two-factor authentication (2FA)

    Wordfence, Two Factor Authentication (official WP plugin) or Google Authenticator for WordPress add an OTP layer. Essential for administrator accounts.

  4. Limit login attempts

    Limit Login Attempts Reloaded or WP Cerber Security automatically block IPs after N failed attempts.
