A client of mine (I built and host their site) recently had a penetration test done on their company infrastructure and one of the biggest things they got dinged for was that the login page for WordPress was publicly accessible.
The testing company identified that there was login attempt limiting active on the login page via Wordfence (there was also 2FA) but nevertheless this was deemed unacceptable / not safe enough.
The only solution (other than going headless) that was judged suitable was to block access to wp-login entirely via nginx (with whitelisted IPs). They also wouldn’t accept altering the login url (unless it was also in conjunction with blocking access via IP).
This seemed overkill to me but was actually easy to implement in the end, so I might do the same on other clients' websites.
Is this common practice?
Oh I also had to block access to xmlrpc using the same method.
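For reference, this is what the nginx-level restriction described in the post looks like, as an added example rather than the poster's own config: wp-login.php and xmlrpc.php are reachable only from allowlisted addresses, while the rest of the site stays public. The addresses, server_name, root and the PHP-FPM socket path are placeholders.

```nginx
# Added example, not the poster's configuration.
# Allowlisted ranges are placeholders (RFC 5737 documentation addresses).

server {
    listen 443 ssl;
    server_name example.com;           # placeholder
    root /var/www/example.com;         # placeholder
    index index.php;

    # If nginx sits behind a CDN or reverse proxy, $remote_addr is the proxy's
    # address and the allowlist below would match the wrong thing. Enable the
    # real_ip module for the trusted proxy range first (placeholder shown):
    # set_real_ip_from 192.0.2.0/24;
    # real_ip_header   X-Forwarded-For;

    # Exact-match ("=") locations are chosen before the regex \.php$ handler,
    # so these two blocks take precedence for the login and XML-RPC endpoints.
    location = /wp-login.php {
        allow 203.0.113.10;            # office static IP (placeholder)
        allow 198.51.100.0/24;         # VPN range (placeholder)
        deny  all;                     # everyone else receives 403
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }

    # Same treatment for xmlrpc.php, as the pentest required.
    location = /xmlrpc.php {
        allow 203.0.113.10;
        allow 198.51.100.0/24;
        deny  all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Normal WordPress routing for everything else.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading, a request to /wp-login.php from outside the allowlist should return 403 in the nginx access log while the front end keeps serving 200; checking both is the quickest way to confirm the exact-match locations are winning over the generic PHP handler.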