WordPress Admin.

Security Sensitive File Exposure

Publicly accessible wp-admin is a common brute force target

What does this check test?

This check probes for publicly accessible WordPress administration endpoints: `/wp-admin/`, `/wp-login.php`, and `/xmlrpc.php`. These are the default login and administration URLs for every WordPress installation. Finding these paths confirms the site runs WordPress and exposes its authentication interface to the internet, which is one of the most commonly attacked surfaces on the web.

Why does it matter?

WordPress powers a significant portion of the web, which makes `wp-login.php` one of the endpoints most hammered by automated bots. Attackers continuously run credential-stuffing and brute-force attacks against WordPress login pages using leaked password databases. The `/xmlrpc.php` endpoint is worse: its `system.multicall` method lets a client bundle hundreds of authenticated calls (each with a different password guess) into a single HTTP request, so any rate limit or fail2ban rule that counts HTTP requests rather than authentication attempts is defeated. A compromised administrator account grants full control over the site, including installing malicious plugins, editing theme files and thereby executing arbitrary PHP on the server.

Who is affected?

Any organization running WordPress should audit the accessibility of its admin endpoints. Sites that keep the default login URLs without additional protection (IP allowlisting, 2FA, fail2ban or an equivalent lockout) are at the highest risk. Keeping WordPress core up to date does not help here: brute force targets the credentials, not a software flaw, so an unrestricted login page on a fully patched site is still exposed. The check is also useful for non-WordPress sites, to confirm they are not inadvertently serving leftover WordPress files from an old migration.

Where does this apply?

Check `/wp-admin/`, `/wp-login.php`, and `/xmlrpc.php`. A response containing a WordPress login form (the `loginform` form), a redirect to `wp-login.php`, or an XML-RPC reply (a plain GET on `/xmlrpc.php` answers "XML-RPC server accepts POST requests only.", and a POST of `system.listMethods` returns the method list, including `system.multicall` when it is enabled) confirms the exposure. Also check `/wp-content/` and `/wp-includes/`, which confirm the platform even when the login page is hidden, and `/readme.html`, which reveals the WordPress version.
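The detection rules above, applied to sample responses, as an added example; this is not AppVet's scanner code. It models one probed path as a status, headers and body, classifies each the way the check describes, builds the `system.listMethods` request body with the standard library and parses a reply to see whether `system.multicall` is advertised. The responses and the XML-RPC reply are constructed to look like stock WordPress output (the host `example.test` and the version string are made up), so everything runs offline.

```python
"""Offline model of the WordPress admin-exposure check (added example)."""
import re
import xmlrpc.client
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_PATHS = ("/wp-admin/", "/wp-login.php", "/xmlrpc.php")

# Markers from stock WordPress output: the login form's id, the reply to a
# GET on xmlrpc.php, and the "Version x.y" line in readme.html.
LOGIN_FORM_RE = re.compile(r'<form[^>]+id=["\']loginform["\']', re.I)
XMLRPC_BANNER = "XML-RPC server accepts POST requests only."
README_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


@dataclass
class Response:
    """Minimal view of an HTTP response for one probed path."""
    path: str
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def listmethods_request() -> bytes:
    """Body of the XML-RPC call that asks which methods the endpoint exposes."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def multicall_enabled(xml_body: str) -> bool:
    """True if a system.listMethods reply advertises system.multicall."""
    try:
        (methods,), _ = xmlrpc.client.loads(xml_body)
    except Exception:  # not an XML-RPC response: endpoint blocked or removed
        return False
    return "system.multicall" in methods


def classify(resp: Response) -> Optional[str]:
    """Return a finding for this response, or None if the path looks closed."""
    if resp.status in (401, 403, 404):
        return None
    location = resp.headers.get("Location", "")
    if 300 <= resp.status < 400 and "wp-login.php" in location:
        return f"{resp.path}: redirects to wp-login.php, admin endpoint reachable"
    if resp.path == "/xmlrpc.php" and (resp.status == 405 or XMLRPC_BANNER in resp.body):
        return f"{resp.path}: XML-RPC endpoint is answering"
    if resp.path in ("/wp-login.php", "/wp-admin/") and LOGIN_FORM_RE.search(resp.body):
        return f"{resp.path}: WordPress login form served to anonymous clients"
    if resp.path == "/readme.html":
        match = README_VERSION_RE.search(resp.body)
        if match:
            return f"{resp.path}: discloses WordPress version {match.group(1)}"
    return None


def run_check(responses: List[Response]) -> List[str]:
    """Apply classify() to every probed path and collect the findings."""
    return [finding for finding in map(classify, responses) if finding]


# Constructed responses for an unprotected install (not captured from a real site).
SAMPLE_EXPOSED = [
    Response("/wp-admin/", 302,
             headers={"Location": "https://example.test/wp-login.php?redirect_to=%2Fwp-admin%2F"}),
    Response("/wp-login.php", 200,
             body='<form name="loginform" id="loginform" action="https://example.test/wp-login.php" method="post">'),
    Response("/xmlrpc.php", 405, body=XMLRPC_BANNER),
    Response("/readme.html", 200, body='<h1 id="logo">WordPress<br /> Version 6.5</h1>'),
]

# The same paths once admin access is restricted and XML-RPC is disabled.
SAMPLE_HARDENED = [
    Response("/wp-admin/", 403, body="<html>403 Forbidden</html>"),
    Response("/wp-login.php", 403, body="<html>403 Forbidden</html>"),
    Response("/xmlrpc.php", 404, body="<html>404 Not Found</html>"),
    Response("/readme.html", 404),
]

# Constructed system.listMethods reply from a default install.
SAMPLE_LISTMETHODS = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

if __name__ == "__main__":
    for finding in run_check(SAMPLE_EXPOSED):
        print("FINDING", finding)
    print("hardened findings:", run_check(SAMPLE_HARDENED))
    print("multicall enabled:", multicall_enabled(SAMPLE_LISTMETHODS))
```

To run it against a real host, fetch each path in `ADMIN_PATHS` plus `/readme.html` without following redirects (the redirect itself is the signal), wrap the results in `Response`, and POST `listmethods_request()` to `/xmlrpc.php` before calling `multicall_enabled` on the reply body.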

How to fix it

Restrict access to `wp-admin` and `wp-login.php` to trusted source addresses (office egress, VPN). For Nginx:

```nginx
# Only the trusted range reaches the admin area and login page.
# Regex locations match in config order, so place this block before the
# generic "location ~ \.php$" handler and keep (or nest) that handler's
# fastcgi_pass setup inside it; otherwise Nginx serves the raw PHP file to
# allowed clients instead of executing it.
location ~ ^/(wp-admin|wp-login\.php) {
    allow 10.0.0.0/8;   # replace with your own office or VPN range
    deny all;
}
```

This pattern also covers `/wp-admin/admin-ajax.php`, which many plugins call unauthenticated from the public front end; if the site depends on it, exempt it with a more specific `location = /wp-admin/admin-ajax.php` block.

Disable XML-RPC if nothing (the mobile app, Jetpack, pingbacks) depends on it:

```nginx
# "return" runs in the rewrite phase, before access checks, so the 404 is
# what clients see; "deny all" stays as a backstop if the return is removed.
location = /xmlrpc.php {
    deny all;
    return 404;
}
```
Add login rate limiting with a plugin such as Wordfence or Limit Login Attempts Reloaded, and enforce two-factor authentication for every account that can log in (Wordfence provides it). Keep in mind that XML-RPC logins authenticate with the plain account password and do not go through the interactive 2FA flow, which is a further reason to disable the endpoint. Changing the login URL with a plugin like WPS Hide Login cuts the bot noise but is obscurity only; it does not replace allowlisting or 2FA. Always use strong, unique passwords, and keep WordPress core, themes, and plugins updated to patch known vulnerabilities.

AppVet checks WordPress Admin automatically

Run a free security scan and get a full report with actionable fixes, including a Fix with AI prompt you can paste into any coding tool.