Login Exposure Checker
Enter any WordPress site URL to instantly check whether wp-login.php, wp-admin and xmlrpc.php are publicly accessible — then get a remediation plan.
Free · No credit card · 50 credits/day
What gets checked
| URL checked | Exposed if | Risk | Fix |
|---|---|---|---|
| /wp-login.php | Returns 200 (login form visible) | Brute force, credential stuffing | IP whitelist, Basic Auth, or hide login URL |
| /wp-admin/ | Returns 200 (no redirect or auth) | Admin panel directly accessible | Ensure redirect to wp-login.php or add Basic Auth |
| /xmlrpc.php | Returns 200 or 405 (POST required) | Multicall brute force, DDoS amplification | Block in .htaccess unless Jetpack is active |
Frequently asked questions
Related WordPress tools
More tools for WordPress security hardening.
Find out if your WordPress login is exposed
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →