Every website management system has an admin panel — the backend where you update content, manage users, process orders, and control your site’s settings. For most businesses, this is the most sensitive thing they own online.

And for most businesses, it is accessible to everyone in the world.

The Problem With a Publicly Accessible Admin Panel

When your admin panel sits at a standard URL — /admin, /wp-admin, /administrator, /backend — and is reachable from any IP address, every attacker on the internet can attempt to log in.

The only barrier between them and your data is your password. That is not a comfortable position.

Automated attack tools run around the clock, cycling through known admin URLs, testing default credentials, replaying username and password pairs leaked from other breaches (credential stuffing), and brute-forcing login forms. The scripts do not sleep, do not get tired, and try millions of combinations across millions of websites simultaneously.

Which Admin Paths Attackers Target

Different platforms have different default admin paths, and automated tools check all of them:

  • WordPress: /wp-admin/ and /wp-login.php (plus /xmlrpc.php, which also accepts logins and is routinely used for high-volume password guessing)
  • Joomla: /administrator/
  • Magento: /admin/ (or whatever admin path was chosen at install time)
  • Drupal: /user/login (and /user, which redirects there)
  • Custom applications: /admin/, /dashboard/, /manage/, /backend/
  • cPanel and WHM hosting panels: ports 2082/2083 (cPanel) and 2086/2087 (WHM)

If your admin panel is at one of these standard locations, it will be found. See our dedicated post on WordPress brute force attacks for WordPress-specific guidance.

What an Attacker Can Do With Admin Access

For content sites (WordPress, Joomla, Drupal): Install malicious plugins that create backdoors, redirect visitors to phishing or malware sites, inject spam links throughout content, access stored user data and email addresses, or deface your website.

For e-commerce sites (Magento, WooCommerce): Access customer order history, addresses, and payment data; install payment skimming malware that captures card details at checkout; modify prices, issue fraudulent refunds, or export the customer database.

For custom applications: Access to whatever the application manages — customer records, documents, communications, financial data.

Real-World Incidents

Between 2018 and 2022, the loose collection of criminal groups tracked as Magecart compromised thousands of Magento sites, through brute force and credential stuffing against publicly accessible admin URLs and through unpatched vulnerabilities in Magento and its extensions, and installed payment card skimming scripts. Victims included hundreds of UK businesses, with customer card data exfiltrated without anyone's knowledge for months at a time.

In 2020, the NCSC published guidance specifically warning UK businesses about credential stuffing attacks against public-facing admin panels, citing a significant increase in incidents.

The pattern is consistent across incident response reports: exposed admin panel plus weak or reused password equals breach.

What to Do Next

  • Restrict by IP address. This is the single most effective control. For most businesses, the admin panel only needs to be reachable from the office or from staff connections. Configure your web server or hosting firewall to block every other IP address from the admin path. Home broadband addresses usually change, so rather than allowing each staff home IP, have remote staff connect through the office VPN (or a VPN with a fixed exit address) and allow that one address. If a CDN or proxy sits in front of the site, the rule must be evaluated against the visitor's real address rather than the proxy's, or it will block everyone or nobody.
  • Move to a non-standard URL. Change /admin to something unpredictable. For WordPress, the WPS Hide Login plugin does this; for Magento, the admin path is set in configuration. This cuts out most automated scanning noise, but it is obscurity rather than a boundary: the new path still leaks through links, redirects and logs, so it complements the other controls here rather than replacing them.
  • Require Multi-Factor Authentication (MFA). With MFA, a guessed or leaked password is not enough on its own to log in. Most platforms support it via plugins or built-in settings; prefer an authenticator app or a hardware security key over SMS codes.
  • Use strong, unique passwords. A randomly generated password of 20 or more characters is out of reach of online guessing, and a unique one means a password stolen from another site cannot be replayed against your admin panel. Use a password manager so you do not have to remember it.
  • Limit login attempts. Lock out, or slow down, an IP address after repeated failed logins. This reduces a brute force attack to a crawl and is available free on virtually every platform. Attackers do spread attempts across proxies and botnets to dodge per-IP limits, so treat this as blunting the attack rather than stopping it; MFA and IP restriction are what close the door.
  • Keep software updated. Outdated admin panels sometimes have authentication bypass vulnerabilities, where an attacker gains access without any password at all, and neither a strong password nor MFA helps against those. IP restriction still does, because the vulnerable pages cannot be reached in the first place.

The combination of IP restriction and MFA makes your admin panel extremely difficult to attack remotely. Both measures are available for free on virtually every platform.
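Here is what the IP restriction and the login-attempt throttling look like in practice on an nginx host serving WordPress. This is an added example written for this post, not configuration shipped by WordPress, nginx or any hosting provider; the domain, the office address 203.0.113.10, the staff VPN range 198.51.100.0/24 and the php-fpm socket path are placeholders you must replace with your own values.

```nginx
# Added example (not from the original post or any vendor): nginx configuration
# for a WordPress site that applies IP restriction and login throttling to the
# admin area. Placeholders: example.com, 203.0.113.10 (office), 198.51.100.0/24
# (staff VPN) and the php-fpm socket. Both top-level directives below belong
# in the http {} context; a file dropped into /etc/nginx/conf.d/ lands there.

# One rate-limit bucket per client IP. 10 requests a minute is plenty for a
# person typing a password and useless for a guessing script.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=10r/m;

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com;
    index index.php index.html;
    # ssl_certificate / ssl_certificate_key are assumed to be configured here.

    # If a CDN or load balancer sits in front of this server, also add
    # set_real_ip_from / real_ip_header so that $remote_addr is the visitor's
    # address; otherwise the allow lists below match the proxy instead.

    # The login form. Addresses outside the list get a 403 from nginx itself,
    # so the password is never tested; allowed clients are throttled.
    location = /wp-login.php {
        allow 203.0.113.10;       # office egress address (placeholder)
        allow 198.51.100.0/24;    # staff VPN pool (placeholder)
        deny  all;

        limit_req zone=wp_login burst=5 nodelay;   # 5 extra requests, then 429
        limit_req_status 429;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # The dashboard. "^~" makes this prefix match final, so the generic
    # \.php$ regex location at the bottom cannot be used to bypass it.
    location ^~ /wp-admin/ {
        allow 203.0.113.10;
        allow 198.51.100.0/24;
        deny  all;

        # admin-ajax.php is called from public pages by many themes and
        # plugins, so it stays reachable; it does not expose the dashboard.
        location = /wp-admin/admin-ajax.php {
            allow all;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        # Dashboard PHP, only for the allow list above (this nested location
        # defines no allow/deny of its own, so it inherits the parent's).
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        try_files $uri $uri/ =404;   # dashboard CSS/JS, same restriction
    }

    # xmlrpc.php accepts logins too and is a favourite of guessing scripts;
    # block it unless something you run genuinely needs it.
    location = /xmlrpc.php {
        deny all;
    }

    # Public site: pretty permalinks fall through to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check it with `nginx -t` before reloading, then verify from outside the allow list (a phone on mobile data works) that /wp-login.php and /wp-admin/ return 403 while the public site still loads, and from the office that the login page returns 200. Apache users can express the same rules with `<Location>` blocks using `Require ip` and mod_ratelimit or fail2ban; the logic is identical.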


W3IT’s free security check checks whether common admin panel paths are publicly accessible on your domain. Run it now to see whether your most sensitive pages are exposed to the entire internet.