When you work with any CMS platform, in order for a content editor to access the CMS, they have to type in the back-end URL into a browser; with Sitecore this URL will look like this:

The whole point of a website is so people can come and take a look at your site and out of the box, anyone can access this URL. This means if some clever dick typed /Sitecore to the end of your domain they will get access to the login page. If they combine this with a brute forcing technique they may eventually get access to the backend.

For this reason, it's always best practice to prevent a site visitor, or anyone external to your company, from accessing the admin login page. If you run your Sitecore environment in a staging/live environment then this is pretty easy. You can disable the Sitecore admin on the live nodes and keep it open in your auth/staging environment:

sitecore_Authoring_Enviroment

Exposing the Sitecore backend to the whole world adds quite a big security vulnerability. The quick and easy way to lock an environment down is via IIS authentication. In IIS, open up your website and open the Sitecore folder:

sitecore_Authoring_Enviroment_1

Select the 'Admin' folder and select 'Authentication':

sitecore_Authoring_Enviroment_2

From the authentication dialog, make sure Anonymous Authentication is set to disable. You also need to repeat this on the 'login' folder:

sitecore_Authoring_Enviroment_3

After doing this, try to load your Sitecore admin:

sitecore_Authoring_Enviroment_4

When you try and view the back-end Sitecore login page you will now see 401.2 - Unauthorized error, instead of the Sitecore log-in page.