I have an ongoing discussion/debate with a client's IT department and I thought I'd bring the discussion here to get more feedback from the WP community. Well over a year ago, they were hacked, more like they had a plugin that had a vulnerability and that resulted in them getting hacked. They fixed the problem, but that also meant they had to tighten security at that time. One of the things they did was to restrict access on their load balancer from accessing wp-admin from outside of their network. Since then I've not only tightened security within the wp-confg file, resetting permissions, restricting how plugins get installed (through version control), adding some sort of version control for the entire site including database, but the biggest thing is that I installed Sucuri's plugin. All that to say, I want to open wp-admin back up so that we don't need to continue to open the VPN or add static IP addresses to the load balancer so that outside people (shipping vendor, guest bloggers, etc.) can access wp-admin. Am I wrong in thinking that everything I've done is good enough to open wp-admin again? What are your thoughts about this?