When you work with any CMS platform, a content editor has to type the back-end URL into a browser to access the CMS; with Sitecore this URL will look like this:
The whole point of a website is for people to come and take a look at your site, and out of the box anyone can access this URL. This means if some clever dick types /Sitecore on the end of your domain, they will get to the login page. If they combine this with a brute-forcing technique, they may eventually get access to the back-end.
For this reason, it’s always best practice to prevent a site visitor, or anyone external to your company, from accessing the admin login page.
If you run Sitecore as separate staging and live environments, this is pretty easy: you can disable the Sitecore admin on the live nodes and keep it open in your auth/staging environment.
Exposing the Sitecore back-end to the whole world adds quite a big security vulnerability. The quick and easy way to lock an environment down is via IIS authentication. In IIS Manager, open your website and expand the Sitecore folder.
Select the ‘Admin’ folder and select ‘Authentication’.
From the Authentication dialog, make sure Anonymous Authentication is set to Disabled. You also need to repeat this on the ‘login’ folder:
After doing this, try to load your Sitecore admin.
When you try to view the back-end Sitecore login page you will now see a 401.2 – Unauthorized error instead of the Sitecore login page.
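The same change can be scripted so it is applied consistently to every live node rather than clicked through in IIS Manager. This is an added example, not code from the original post; it assumes the IIS site is called "Default Web Site" with Sitecore in its root, and uses www.example.com as a placeholder for the live hostname.

```powershell
# Added example (not from the original post): disable Anonymous Authentication
# on the sitecore/admin and sitecore/login folders from PowerShell, then verify.
# Assumptions: site name "Default Web Site"; Sitecore sits in the site root.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                 # assumption: IIS site hosting Sitecore
$Folders  = 'sitecore/admin', 'sitecore/login' # the two folders the post locks down
$Filter   = 'system.webServer/security/authentication/anonymousAuthentication'

foreach ($folder in $Folders) {
    # Location-scoped override in applicationHost.config, which is what the
    # IIS Manager steps in the post write; -PSPath 'IIS:\' keeps it server-level
    # so it works even though this section is locked for web.config by default.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$folder" `
        -Filter $Filter -Name 'enabled' -Value $false

    # Read the setting back so the script fails loudly instead of silently
    # leaving the login page exposed on a node where the write did not take.
    $enabled = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' `
        -Location "$SiteName/$folder" -Filter $Filter -Name 'enabled').Value
    if ($enabled) { throw "Anonymous authentication still enabled on $folder" }
}

# Confirm from the outside: the login page should now answer 401, not 200.
# Replace the placeholder hostname with the live site's public address.
$LoginUrl = 'https://www.example.com/sitecore/login'   # placeholder hostname
try {
    $resp = Invoke-WebRequest -Uri $LoginUrl -UseBasicParsing
    Write-Warning "Login page still reachable (HTTP $($resp.StatusCode))"
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    if ($code -eq 401) { Write-Output "OK: $LoginUrl returns 401" }
    else { Write-Warning "Unexpected response from ${LoginUrl}: $code" }
}
```

Run this only against live/CD nodes; on the authoring node the same script would lock your own editors out.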