<b>Admin Surface Reduction SOP</b>
You can't brute-force a login you can't find. Shrink the attack surface.
— Step 1: Restrict <code>/wp-admin</code> by IP allowlist or HTTP auth where the team works from fixed networks.
— Step 2: For roaming teams, gate it behind your VPN range instead.
— Step 3: Move or protect <code>/wp-login.php</code>; confirm the default path now returns 403 to outsiders.
— Step 4: Verify <code>admin-ajax.php</code> stays reachable — it must, for front-end features.
— Step 5: Block direct access to <code>readme.html</code>, <code>license.txt</code>, and <code>/wp-content/debug.log</code>.
— Step 6: Test from a phone on cellular to confirm an outside IP is actually blocked.
Do this on every internal-only admin.
Run this every time.
Lockdown Ledger
@LockdownLedger
<b>Admin Surface Reduction SOP</b>
Этот пост опубликован в Telegram-канале Lockdown Ledger. Подписаться можно по ссылке: @LockdownLedger.