If CAS is the only login method, I think your blog should be protected. But the attackers don’t care about alternative login methods. They simply send requests against wp-login.php.
So if you still have an account named “admin”, CAS cannot protect your blog. Let’s think about the worst case. Assume you have an account named “admin” with the password “1234”, but you always use CAS to log in, with a different admin account. The attackers can still access your blog through wp-login.php and can get access.
You can try to rename wp-login.php and test if everything still works. If it is so, fine. If not, you have to protect your blog with other additional methods (like login lockdown).
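To check whether the password form is being used behind a CAS setup, the following added example (not part of the original answer) scans a web server access log for direct password submissions to wp-login.php. It assumes the combined log format and stock WordPress behaviour, where a failed login re-renders the form with status 200 and an accepted one redirects with 302; the log lines and the `min_failures` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:06:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def password_login_findings(log_text, min_failures=3):
    """Return {ip: {"failed", "succeeded", "verdict"}} for suspicious sources."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # CAS redirects and ticket returns are GETs, not form posts
        url = urlsplit(m["path"])
        if not url.path.endswith("/wp-login.php"):
            continue
        # Ignore other wp-login.php actions (lostpassword, postpass, ...).
        if parse_qs(url.query).get("action", ["login"])[0] != "login":
            continue
        if m["status"] == "302":      # assumption: redirect = password accepted
            stats[m["ip"]]["succeeded"] += 1
        elif m["status"] == "200":    # assumption: form shown again = rejected
            stats[m["ip"]]["failed"] += 1
    findings = {}
    for ip, s in stats.items():
        if s["succeeded"]:
            verdict = "local password accepted"  # CAS was bypassed
        elif s["failed"] >= min_failures:
            verdict = "repeated failed password logins"
        else:
            continue
        findings[ip] = {**s, "verdict": verdict}
    return findings

if __name__ == "__main__":
    for ip, info in password_login_findings(SAMPLE_LOG).items():
        print(ip, info)
```

On a site where everyone is supposed to log in through CAS, any "local password accepted" finding points at an account that still has a usable WordPress password.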