But if you protect wp-login.php, how would a hacker even get into the dashboard anyways?
An attacker could try to hijack or forge a valid authentication cookie. Recently there was a possibly vulnerability which made it »easier« to forge such a cookie: CVE-2014-0166 It was fixed with Version 3.7.3/3.8.3
How does “Code A” compare to “Code B”? Would you use one or the other, or both at the same time?
If you whitelist wp-admin/admin-ajax.php
(like in »Code B«) this script could still act as contact point for an attacker to verify his cookie forgery and, on a success, as an entry point to manipulate data for each ajax-action which is not secured by a additional nonce. But even these could, theoretical, be guessed.
However, if you don’t need AJAX functionality for the public and have the possibility to whitelist all IPs for all your accounts, securing the wp-admin/
directory would reduce possible attacking vectors like described above.
But these method doesn’t protect your site from man-in-the-middle attacks or attacks by infected client computers, because those would pass the whitelist check.
Finally let me give you a personal classification to your first querstion:
How important is it to protect the “wp-admin folder”?
In my opinion it is more important to use safe passwords (maybe two factor authentication), safe secret keys (salts in wp-config.php
) and, if possible, always a https connection when you administrate your WordPress, from the first request on (request https://…/wp-login.php
). Also keep every component up to date and remove unused components (Plugin/Theme) from server. After that, you can still consider to protect the wp-admin
directory.