
Login Exposure Checker

Enter any WordPress site URL to instantly check whether wp-login.php, wp-admin and xmlrpc.php are publicly accessible — then get a remediation plan.

What the checker reports: wp-login.php status · wp-admin redirect · xmlrpc.php status · HTTP status codes · Remediation guidance · No plugin needed

Free · No credit card · 50 credits/day

What gets checked

| URL checked   | Exposed if                               | Risk                                        | Fix                                                     |
|---------------|------------------------------------------|---------------------------------------------|---------------------------------------------------------|
| /wp-login.php | Returns 200 (login form visible)         | Brute force, credential stuffing            | IP whitelist, Basic Auth, or hide login URL             |
| /wp-admin/    | Returns 200 (no redirect or auth)        | Admin panel directly accessible             | Ensure redirect to wp-login.php or add Basic Auth       |
| /xmlrpc.php   | Returns 200 or 405 (POST required)       | Multicall brute force, DDoS amplification   | Block in .htaccess unless Jetpack is active             |

Frequently asked questions

Why is exposing wp-login.php dangerous?

Automated bots continuously try username/password combinations (brute force) and known credentials from data breaches (credential stuffing). wp-login.php can also be used in DDoS amplification. Mitigations: add HTTP Basic Auth in front of the login page, whitelist your IP in .htaccess, change the login URL via WPS Hide Login, or use Cloudflare Access.

What is xmlrpc.php and should it be disabled?

xmlrpc.php is the legacy XML-RPC API for remote WordPress management (pre-REST API). Attackers use its multicall method to test thousands of credentials in a single request, bypassing login throttle plugins. Disable it via .htaccess unless you actively use Jetpack, older WordPress mobile apps, or a third-party service that specifically requires XML-RPC.

How do I restrict access to wp-login.php?

From most to least restrictive:

(1) IP whitelist in .htaccess:
    Order deny,allow
    Deny from all
    Allow from YOUR.IP
(2) HTTP Basic Auth with .htpasswd — requires a password before the login form is even shown.
(3) Change the login URL — WPS Hide Login or Perfmatters move wp-login.php to a custom URL.
(4) Cloudflare Access — adds SSO authentication.

Combine options for defense in depth.
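The two FAQ answers above (blocking xmlrpc.php, and the .htaccess whitelist plus Basic Auth for wp-login.php) describe the rules the .htaccess Generator listed further down produces. The script below is an added example, not the tool's own code: it emits the Apache 2.2 directives quoted on this page and, as an assumption about the target server rather than anything the page states, the Apache 2.4 "Require" form. It validates every whitelisted address with the standard ipaddress module and refuses an empty whitelist, because "Deny from all" with no matching Allow line locks every administrator out. The function names, the sample IP ranges and the /path/to/.htpasswd placeholder are constructed for the example.

```python
"""Build .htaccess rules that restrict wp-login.php and block xmlrpc.php.

Added example: emits the Apache 2.2 Order/Deny/Allow directives from the FAQ
and, optionally (assumption), the Apache 2.4 Require syntax.
"""
import ipaddress


def _networks(allowed):
    """Parse each entry as an IPv4/IPv6 address or CIDR range; reject an empty list."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    if not nets:
        # "Deny from all" with no Allow line would lock every admin out.
        raise ValueError("at least one allowed address or range is required")
    return nets


def _fmt(net):
    """Single hosts are written bare, ranges in CIDR form (both accepted by Apache)."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def login_whitelist(allowed, htpasswd=None, apache24=False):
    """<Files> block limiting wp-login.php to the given addresses.

    htpasswd: absolute path of an .htpasswd file; when given, Basic Auth is
    required in addition to the IP check (defense in depth, as the FAQ suggests).
    """
    nets = _networks(allowed)
    auth = []
    if htpasswd:
        auth = ["    AuthType Basic",
                '    AuthName "WordPress login"',
                f"    AuthUserFile {htpasswd}"]
    lines = ["<Files wp-login.php>"]
    if apache24:
        ip_rule = "Require ip " + " ".join(_fmt(n) for n in nets)
        lines += auth
        if htpasswd:
            # Two bare Require lines in 2.4 mean "either one"; <RequireAll> demands both.
            lines += ["    <RequireAll>",
                      f"        {ip_rule}",
                      "        Require valid-user",
                      "    </RequireAll>"]
        else:
            lines.append(f"    {ip_rule}")
    else:
        # Apache 2.2 form exactly as quoted in the FAQ above.
        lines += ["    Order deny,allow", "    Deny from all"]
        lines += [f"    Allow from {_fmt(n)}" for n in nets]
        if htpasswd:
            # Satisfy All: the request must pass both the IP check and Basic Auth.
            lines += auth + ["    Require valid-user", "    Satisfy All"]
    lines.append("</Files>")
    return "\n".join(lines)


def xmlrpc_block(apache24=False):
    """<Files> block denying xmlrpc.php to everyone."""
    body = ["    Require all denied"] if apache24 else ["    Order deny,allow", "    Deny from all"]
    return "\n".join(["<Files xmlrpc.php>", *body, "</Files>"])


def htaccess(allowed, htpasswd=None, jetpack_active=False, apache24=False):
    """Combine both rule sets; xmlrpc.php stays open only when Jetpack needs it."""
    parts = [login_whitelist(allowed, htpasswd=htpasswd, apache24=apache24)]
    if not jetpack_active:
        parts.append(xmlrpc_block(apache24))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    # Constructed sample values: a documentation IPv4 range and an IPv6 prefix.
    print(htaccess(["203.0.113.7", "2001:db8::/32"], htpasswd="/path/to/.htpasswd"))
```

The output is meant to be appended to the site's existing .htaccess; test it from an address outside the whitelist first (expect 403 for wp-login.php and for xmlrpc.php) before relying on it.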

What HTTP status should wp-login.php return if it's protected?

Protected responses:
- 401 (Unauthorized) — from HTTP Basic Auth, correct.
- 403 (Forbidden) — from .htaccess IP whitelist.
- 404 (Not Found) — when the login URL has been moved, best for obscurity.

What you don't want:
- 200 (OK) — the login form is fully public.
- 301/302 redirect to /login/ — may still be publicly accessible.
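The "What gets checked" table and the status-code answer above together define a small decision procedure. The script below is an added example, not the checker's own code: it encodes those rules as a classifier over (status code, Location header) pairs, with a probe function built on the standard library that fetches each path without following redirects, so a 301/302 is reported rather than silently followed. The function names, the verdict labels and the sample responses (for a constructed site) are assumptions made for the example.

```python
"""Classify WordPress login-surface exposure from HTTP responses.

Added example. Rules follow the table on this page: wp-login.php is exposed on
200 and protected on 401/403/404; wp-admin/ should redirect to wp-login.php or
demand auth; xmlrpc.php counts as reachable on 200 or 405.
"""
from urllib import error, request
from urllib.parse import urljoin

EXPOSED, REVIEW, PROTECTED = "exposed", "review", "protected"
PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")
# Ordering used to pick the overall verdict: the worst endpoint wins.
_SEVERITY = {PROTECTED: 0, REVIEW: 1, EXPOSED: 2}


def classify(path, status, location=None):
    """Return (verdict, reason) for one endpoint, given its status and Location."""
    if path == "/wp-login.php":
        if status == 200:
            return EXPOSED, "login form is public: brute force / credential stuffing"
        if status == 401:
            return PROTECTED, "HTTP Basic Auth in front of the login form"
        if status == 403:
            return PROTECTED, "blocked by .htaccess IP whitelist"
        if status == 404:
            return PROTECTED, "login URL has been moved"
        if status in (301, 302):
            return REVIEW, f"redirects to {location}; target may still be public"
        return REVIEW, f"unexpected status {status}"
    if path == "/wp-admin/":
        if status == 200:
            return EXPOSED, "admin panel served without redirect or auth"
        if status in (301, 302):
            if location and "wp-login.php" in location:
                return PROTECTED, "redirects to wp-login.php as expected"
            return REVIEW, f"redirects to {location}; target may still be public"
        if status in (401, 403):
            return PROTECTED, "requires Basic Auth or is IP-restricted"
        return REVIEW, f"unexpected status {status}"
    if path == "/xmlrpc.php":
        if status in (200, 405):
            return EXPOSED, "XML-RPC reachable: multicall brute force, DDoS amplification"
        if status in (403, 404):
            return PROTECTED, "XML-RPC blocked"
        return REVIEW, f"unexpected status {status}"
    raise ValueError(f"not a checked path: {path}")


def report(responses):
    """Map each path to its (verdict, reason) from a {path: (status, location)} dict."""
    return {path: classify(path, *responses[path]) for path in PATHS}


def overall(responses):
    """Worst verdict across the three endpoints."""
    verdicts = [v for v, _ in report(responses).values()]
    return max(verdicts, key=_SEVERITY.__getitem__)


class _NoRedirect(request.HTTPRedirectHandler):
    """Return None so urllib surfaces 3xx as HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = request.build_opener(_NoRedirect)


def probe(site_url, path, timeout=10):
    """GET site_url + path without following redirects; return (status, Location)."""
    req = request.Request(urljoin(site_url, path),
                          headers={"User-Agent": "login-exposure-check (example)"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except error.HTTPError as e:          # 3xx/4xx/5xx all arrive here
        return e.code, e.headers.get("Location")


def audit(site_url):
    """Live check of all three paths on a site you administer."""
    return report({p: probe(site_url, p) for p in PATHS})


# Constructed sample: a site with Basic Auth on the login page, the usual
# wp-admin redirect, but xmlrpc.php still answering.
SAMPLE_RESPONSES = {
    "/wp-login.php": (401, None),
    "/wp-admin/": (302, "https://example.com/wp-login.php?redirect_to=%2Fwp-admin%2F"),
    "/xmlrpc.php": (405, None),
}

if __name__ == "__main__":
    for path, (verdict, reason) in report(SAMPLE_RESPONSES).items():
        print(f"{path:14} {verdict:9} {reason}")
    print("overall:", overall(SAMPLE_RESPONSES))
```

Run it against the constructed sample to see the classification, or call audit() with the URL of a site you operate; network errors (urllib.error.URLError) are deliberately left unhandled so a DNS or TLS failure is not mistaken for a protected endpoint.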

Related WordPress tools

More tools for WordPress security hardening.

.htaccess Generator

Generate .htaccess rules to block xmlrpc.php and restrict wp-login.php.

wp-config.php Generator

Generate a hardened wp-config.php with DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN.

Cron & REST API Viewer

Check WP-Cron and REST API status alongside login exposure diagnostics.

Find out if your WordPress login is exposed

Free account. 50 credits per day. Access to 75+ tools instantly.
