Securing wp-admin folder – Purpose? Importance?

But if you protect wp-login.php, how would a hacker even get into the dashboard anyways?

An attacker could try to hijack or forge a valid authentication cookie. Recently there was a possibly vulnerability which made it »easier« to forge such a cookie: CVE-2014-0166 It was fixed with Version 3.7.3/3.8.3

How does “Code A” compare to “Code B”? Would you use one or the other, or both at the same time?

If you whitelist wp-admin/admin-ajax.php (like in »Code B«) this script could still act as contact point for an attacker to verify his cookie forgery and, on a success, as an entry point to manipulate data for each ajax-action which is not secured by a additional nonce. But even these could, theoretical, be guessed.

However, if you don’t need AJAX functionality for the public and have the possibility to whitelist all IPs for all your accounts, securing the wp-admin/ directory would reduce possible attacking vectors like described above.

But these method doesn’t protect your site from man-in-the-middle attacks or attacks by infected client computers, because those would pass the whitelist check.

Finally let me give you a personal classification to your first querstion:

How important is it to protect the “wp-admin folder”?

In my opinion it is more important to use safe passwords (maybe two factor authentication), safe secret keys (salts in wp-config.php) and, if possible, always a https connection when you administrate your WordPress, from the first request on (request https://…/wp-login.php). Also keep every component up to date and remove unused components (Plugin/Theme) from server. After that, you can still consider to protect the wp-admin directory.

Related Posts:

  1. Change Login URL Without Plugin
  2. Options for restricting access to wp-admin
  3. How to change “wp-admin” to something else without search-replacing the core?
  4. Block access to wp-admin
  5. Should I add the IP of the server that hosts my sites to the list of authorized IPs in the wp-admin/.htaccess?
  6. How to Change The WordPress Login URL Without Plugin
  7. 404 redirect wp-login and wp-admin after changing login url [closed]
  8. Couple questions about .htaccess, login page, updates
  9. Can I rename the wp-admin folder?
  10. “Too many redirects” ONLY when trying to access wp-admin page
  11. Use a different domain for SSL
  12. What is the best method to close off the backend?
  13. .htaccess in wp-admin produces a redirect loop
  14. Share same domain for wp-admin but for different website
  15. Wrong canonical link on wp-admin pages
  16. Can I rename the wp-admin folder?
  17. WordPress in sub directory wp-admin problem
  18. .htaccess rewrite rule for removing .php extension with exception of wp login and wp-admin
  19. Can’t access admin dashboard with wp-admin without /index.php after it
  20. Why should I password protect WP-Admin?
  21. Call to undefined function insert_with_markers
  22. Cannot log into WordPress Dashboard after removing/adding .htaccess
  23. Change WP-Login or WP-Admin
  24. Which HTTP headers to use for subdomain embedding?
  25. CDN + WP Admin Query – .htaccess redirection
  26. From 403 error to 500 internal server error
  27. FORCE_SSL_ADMIN not working
  28. Cannot Access Admin Area After Migration
  29. Wrong wp-admin URL
  30. Limit access to wp_admin
  31. I want to disable login of admin (/wp-admin) with email and make it accessible only with username
  32. password reset link being sent as HTTP?
  33. How do I host WordPress on a hidden domain through a reverse proxy?
  34. Logout USER form backoffice after 30 minutes of inactivity [closed]
  35. Do I have to face security problems if I changing default role to Contributor
  36. Hide username discovery
  37. Efficient way to check local WordPress php files and Database for malicious code? [duplicate]
  38. Renaming wp-admin without hard-coding it. Is it really possible?
  39. Need help for WordPress User Session Management?
  40. How login is possible, if I deny login page via .htaccess with allow ip
  41. Developer/Designer asking for admin access
  42. Redirect an entire WordPress site on a subdomain, except wp-admin
  43. Blank page when viewing wp-admin
  44. Is WordPress secure enough for a multi-user article directory?
  45. wp-admin going directly to 404
  46. WordPress /wp-admin redirect to wrong port in docker
  47. wp-admin and wp-login.php not Accessible after Cloudflare
  48. Can I rename the wp-admin folder?
  49. CSRF attack to create USER
  50. Disabling WP-Admin Caching in htaccess
  51. Can I rename the wp-admin folder?
  52. Limit access to wp-admin but still be able to log in from different locations?
  53. SSL doesn’t deliver parts of WordPress Administration Module
  54. Why WordPress not logout after I have close my browser?
  55. Making WP Admin Folder accessable JUST under a different link
  56. How to protect wp-admin from third party access?
  57. is exposed wp-admin site a serious security vulnerability
  58. sortable custom column in media library
  59. how do I force a single column layout in screen layout
  60. Sortable admin columns, when data isn’t coming from post_meta
  61. wp_list_table search box does not show
  62. What does a security risk in a plugin look like?
  63. How to remove the site health dashboard widget?
  64. What’s the purpose of admin canonical tag?
  65. How to display multiple custom columns in the wp-admin users.php?
  66. WordPress custom permalinks not working on OS X localhost
  67. How to Remove Checkbox for Excerpt Under Screen Options
  68. How to hide a specific user role option in a user role list?
  69. Embed WordPress Admin in an iframe
  70. Remove order field from Page Attributes box
  71. Disable the administration email address verification (new in 5.3)
  72. https://mydomain/wp-admin redirects to wp-login.php?redirect_to=https%3A%2F%2Fmydomain%2Fwp-admin%2F&reauth=1
  73. Allow administrators to pick post author on custom post type edit screen
  74. /wp-admin/ works but website doesn’t load
  75. Add column to pages table
  76. My email address is displaying an email which does not work. What do i do?
  77. Downgrade admin account by mistake
  78. Deploying WordPress for clients – what do they have access to?
  79. Removing Dashboard Menu Items Through The Database
  80. Can’t access wp-admin, redirects to http://%24domain/wp-admin/
  81. Can log as admin but dashboard missing [closed]
  82. How to allow WordPress updates to only one specific administrator?
  83. How can I remove commas when adding tags?
  84. Cannot change Connection Information in admin interface
  85. WordPress blog clone.. wp-admin issue
  86. How to take the help button and link off the dashboard
  87. How do I fix wp-admin error when exporting reusable blocks?
  88. Can’t acces login on new site
  89. WordPress Admin Panel Left Sidebar No showing on Post create page
  90. wp-config.php not affecting my site
  91. How to prevent spams from admin-ajax.php file?
  92. After changing Site http to https, can’t access wp login page with a digitalocean hosting
  93. Strange wp-admin problem for all users/adminstrators except the original one?
  94. adding existing menu page on new customer user role
  95. stop customize.php redirect to login page if admin is not logged in
  96. Organising and display thousands of photos in media library
  97. Checkbox not showing as checked on UserProfile (even with checked=”checked”)
  98. Get URL of current featured image with JS in edit post view
  99. WordPress Admin: open popup window on a custom button
  100. WordPress blog fails to open

Leave a Comment