The installation guide suggests that it is okay to open up the Admin Console to the general internet, but according to "Administration Console authentication bypass · Advisory · igniterealtime/Openfire · GitHub" this should not be done. In the Install guide it has “Additionally an administrator can also open TCP 9090 (for http) and TCP 9091 (for https), if there is a need to remotely administrate Openfire connecting to its Admin Console”. "Administration Console authentication bypass · Advisory · igniterealtime/Openfire · GitHub" says “As a general rule, never expose the Openfire Admin Console to the general internet.”
Would it be possible to add this note or something similar to the install guide? Some people, including me, may assume that it is now okay to open up the admin console to the general internet for modern versions of Openfire.