WordPress admin accessible without HTTP authentication
Description
The WordPress administration dashboard (/wp-admin/) and the login form (wp-login.php) are reachable without HTTP-level authentication: an anonymous request is answered by WordPress itself (typically a redirect to wp-login.php followed by the login form) instead of a 401 challenge from the web server, so the application-layer login is the only credential check. Placing HTTP authentication (Basic or Digest) in front of these paths adds a second, independent check that stops brute-force and credential-stuffing traffic before it reaches the WordPress login form or executes any PHP, which also removes a large share of automated login noise from the site. This is a defense-in-depth measure: it does not replace strong WordPress passwords or two-factor authentication, and because Basic authentication transmits the credentials merely base64-encoded on every request, it must only be used over HTTPS.
Remediation
Implement HTTP authentication to protect the /wp-admin/ directory and wp-login.php file. The specific implementation depends on your web server:
For Apache (.htaccess):
1. Create a password file using htpasswd (-c creates the file, overwriting it if it already exists; prefer -B for bcrypt hashes where your htpasswd supports it):
htpasswd -c /path/to/.htpasswd username
2. Add the following to /wp-admin/.htaccess:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /path/to/.htpasswd
Require valid-user
3. Also protect wp-login.php by adding the same directives to the root .htaccess file, wrapped in a <Files wp-login.php> section so that only that file is affected.
Note that many themes and plugins call /wp-admin/admin-ajax.php on behalf of anonymous visitors. Exempt it with a <Files admin-ajax.php> section in /wp-admin/.htaccess that grants access (Require all granted on Apache 2.4, or Satisfy Any with Allow from all on 2.2); otherwise those front-end features start receiving 401 responses once the rule is in place.
For Nginx:
1. Create a password file using htpasswd (from the apache2-utils package on Debian/Ubuntu, httpd-tools on RHEL/Fedora)
2. Add to your server configuration:
location ~ ^/(wp-admin|wp-login\.php) {
    auth_basic "Restricted Access";
    auth_basic_user_file /path/to/.htpasswd;
    # Repeat your PHP handling here (fastcgi_pass etc.): once this regex
    # location matches, the generic \.php$ location no longer applies, and
    # without a PHP handler nginx serves the PHP source as a static file
}
3. Test the configuration (nginx -t) and reload Nginx.
As with Apache, exempt /wp-admin/admin-ajax.php, for example with an exact-match location = /wp-admin/admin-ajax.php block that carries only the PHP handling (exact-match locations take precedence over regex locations); otherwise front-end AJAX calls from anonymous visitors fail with 401.
Ensure the password file is stored outside the web root and uses strong, unique credentials separate from WordPress user accounts.
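To confirm the fix on either web server (or to reproduce the finding beforehand), the following check is added here as an example; it is not part of the original finding text. It sends an anonymous GET to /wp-admin/ and /wp-login.php and treats only a 401 with a Basic or Digest WWW-Authenticate challenge as "protected", since a redirect to the login form that ends in 200 is exactly the exposed state described above. It also checks that /wp-admin/admin-ajax.php is still reachable, the side effect the exemption above exists to prevent. The hostnames hardened.example and unpatched.example and the response table are constructed so the script runs offline; `fetch_status` performs the real requests.

```python
"""Verify that a WordPress admin surface sits behind HTTP Basic/Digest auth.

Added example, not part of the original finding. A 401 with a challenge
means the web server is enforcing the fix; a 200 (WordPress redirecting to
wp-login.php and rendering the login form) means the finding still applies.
admin-ajax.php is checked separately because a blanket rule on /wp-admin/
breaks front-end AJAX for anonymous visitors.
"""
import base64
import urllib.error
import urllib.request

# Paths the remediation must challenge, and the one it must leave reachable.
PROTECTED_PATHS = ("/wp-admin/", "/wp-login.php")
OPEN_PATHS = ("/wp-admin/admin-ajax.php",)


def fetch_status(url, credentials=None, timeout=10):
    """GET url and return (status_code, WWW-Authenticate header or None).

    credentials is "user:password" for an authenticated retry. urllib raises
    HTTPError on 4xx/5xx, so a 401 is converted back into a plain status.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "wp-admin-auth-check"})
    if credentials:
        token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def classify(status, challenge):
    """'challenged' only for a 401 that carries a Basic or Digest challenge."""
    if status == 401 and challenge:
        scheme = challenge.split(" ", 1)[0].lower()
        if scheme in ("basic", "digest"):
            return "challenged"
    return "unchallenged"


def check_http_auth(base_url, fetch=fetch_status):
    """Return {path: verdict} for the admin paths of base_url.

    Verdicts: 'protected' / 'exposed' for PROTECTED_PATHS,
    'open' / 'blocked' for OPEN_PATHS (blocked = AJAX broken by the fix).
    fetch is injectable so the check can run against a constructed
    response table offline (see fake_fetch below).
    """
    base = base_url.rstrip("/")
    verdicts = {}
    for path in PROTECTED_PATHS:
        status, challenge = fetch(base + path)
        verdicts[path] = "protected" if classify(status, challenge) == "challenged" else "exposed"
    for path in OPEN_PATHS:
        status, challenge = fetch(base + path)
        verdicts[path] = "blocked" if classify(status, challenge) == "challenged" else "open"
    return verdicts


# Constructed responses (placeholder hostnames) standing in for two sites:
# one with the fix applied and admin-ajax.php exempted, one without the fix.
FAKE_RESPONSES = {
    "https://hardened.example/wp-admin/": (401, 'Basic realm="Restricted Access"'),
    "https://hardened.example/wp-login.php": (401, 'Basic realm="Restricted Access"'),
    "https://hardened.example/wp-admin/admin-ajax.php": (400, None),  # WordPress's own "no action" reply
    "https://unpatched.example/wp-admin/": (200, None),  # 302 to wp-login.php, then the login form
    "https://unpatched.example/wp-login.php": (200, None),
    "https://unpatched.example/wp-admin/admin-ajax.php": (400, None),
}


def fake_fetch(url, credentials=None, timeout=10):
    """Offline stand-in for fetch_status that answers from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for site in ("https://hardened.example", "https://unpatched.example"):
        print(site, check_http_auth(site, fetch=fake_fetch))
    # Against a real site: print(check_http_auth("https://www.example.com"))
```

Run it against the real site after applying either configuration; every path in PROTECTED_PATHS should report "protected" and admin-ajax.php should report "open". A "blocked" verdict for admin-ajax.php means the exemption described in the remediation is missing.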