WordPress admin accessible without HTTP authentication

Description
  • It's recommended to restrict access to the WordPress administration dashboard using HTTP authentication. Password protecting your WordPress admin dashboard through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess user's passwords. Additionally, if attackers manage to steal a user's password, they will need to get past HTTP authentication in order to gain access to WordPress login form.
Remediation
  • Add server-side password protection (such as BasicAuth) to the /wp-admin/ directory. Consult web references for more information.
References