WordPress – wp-admin exposed


The admin login page (/wp-admin/) is accessible from any IP address.

Business Impact

An attacker could use this exposure to run brute-force attacks against user accounts, or to build a look-alike phishing page in order to obtain admin or user login credentials.


Restrict access to the login page (/wp-admin/) by IP address.

You can apply this kind of restriction in your .htaccess file without affecting the rest of the site; the following sample is a starting point you can adapt:

# Place this in the .htaccess file inside the /wp-admin/ directory.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Apache 2.2 access-control syntax (on Apache 2.4 it requires mod_access_compat)
order deny,allow
deny from all
# whitelisted IP addresses: replace the placeholders with your own addresses
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
# Note: /wp-admin/admin-ajax.php is also called by front-end themes and plugins;
# exempt that file if your site needs it for anonymous visitors.

More Details

Attackers and bots targeting a WordPress site's login page usually look for it in its default location.
Instead of serving the login page at /wp-login.php, move it to a directory with a random name.
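As an added example (not part of the original finding), this Python script reviews Apache access-log lines for failed logins to /wp-login.php from clients outside the IP allowlist that the .htaccess above is meant to enforce; the allowlist networks and the log records are constructed for the demo.

```python
import re
import ipaddress
from collections import Counter

# Apache "combined" access-log line, reduced to the fields this check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Hypothetical allowlist: the same addresses you would put in the
# "allow from" lines of the wp-admin .htaccess.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]

def is_allowed(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as not allowlisted
    return any(addr in net for net in ALLOWED_NETS)

def failed_logins_from_unexpected_ips(lines, threshold=5):
    """Return {ip: failed_login_count} for non-allowlisted clients with at
    least `threshold` failed logins. WordPress answers a failed POST to
    /wp-login.php by re-rendering the form (HTTP 200); a successful login
    redirects (HTTP 302), so only 200 responses are counted as failures."""
    failed = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line: skip it
        path = m.group("path").split("?", 1)[0]  # drop ?redirect_to=... etc.
        if (m.group("method") == "POST" and path == "/wp-login.php"
                and m.group("status") == "200" and not is_allowed(m.group("ip"))):
            failed[m.group("ip")] += 1
    return {ip: n for ip, n in failed.items() if n >= threshold}

def _line(ip, method, path, status):
    # Constructed combined-format record for the sample below.
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample log: a noisy client, an allowlisted admin, a low-volume client.
SAMPLE_LOG = [_line("192.0.2.44", "POST", "/wp-login.php", 200)] * 6 + [
    _line("203.0.113.10", "POST", "/wp-login.php", 200),
    _line("203.0.113.10", "POST", "/wp-login.php", 302),
    _line("198.51.100.200", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200),
    _line("198.51.100.200", "GET", "/wp-login.php", 200),
    "this line is not an access-log record",
]
```

Run it against your real access log (one line per list element) after applying the restriction; any client that still shows up is reaching the login form despite the allowlist.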


