Can someone without the WiFi login and no physical access to a router still access it with the admin login?
This may be possible using cross-site request forgery. In this attack, the attacker triggers a request to your router, for example by including an image on his site:
<img src="http://192.168.1.1/reboot_the_router?force=true">
When a user visits his site, this triggers a request to the router.
The attacker's site can trigger requests, but not view responses. Not all routers are vulnerable to this. Setting a non-default password certainly protects against CSRF1.
There are plans to block such requests in the browser, but these haven't been implemented yet.
Edit 1: Setting a non-default password protects against CSRF in some cases. The attacker can no longer forge a request to login using the default credentials. However, if you are already logged in to the router he can use your current session.
Almost all routers are configured by default to only expose the administration interface to the "LAN" side and not to the internet. Some routers have the option to enable or disable this, so it would be good to check the settings of your router.
You can also test this using an online port scanner or this ShieldsUP! tool. These will check if they can access anything on your router from the internet.
Yes, easily.
There are a variety of ways an attacker can gain access to said router. Here are some attack vectors I have on top of my head:
Cross-site Request Forgery
Basically, your browser is connected to LAN. If you browser a page hosted on the attacker's server, then your browser is connected to it as well. Therefore, through your browser, the hacker can access your router admin page. Whether the hacker can get a response depends on the specifics of the implementation.
It is even easier if "browser" is replaced with "executable file".
You may refer to Sjoerd's post for technical details.
Exposed Admin Page
Many routers have the option of enabling external access to the admin page, in addition to internal access.
For example, your router has external IP 8.8.8.8, while internal IP is 192.168.0.X. If external access is enabled, anyone on the internet can type http://8.8.8.8 and see your router's admin login page.
This option is disabled by default.
VPN
VPN is another feature included in most home routers. The purpose is to allow you to access your home network from outside. By definition, you can connect the router's admin page once you're VPN connected.
VPN is likely disabled by default.