I’ve decided to take the advice of protecting the /wp-admin directory using .htaccess on a website which keeps getting hacked.
Whenever I upload .htaccess to /wp-admin, my browser says /wp-admin has a redirect loop.
This is /wp-admin/.htaccess:
AuthUserFile /.../.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
A server redirection checker says there is a 302 (Moved Temporarily) redirect from /wp-admin to /wp-admin.
If I delete /wp-admin/.htaccess, the redirect checker says there is still a 302 redirect from /wp-admin, but now it is to /wp-login.php?redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1
Bear in mind the server redirect checker is not logged into WordPress.
Why does the presence of /wp-admin/.htaccess make /wp-admin redirect to itself?
Thanks.
PS – I am also using Better WP Security, but this made no changes to the site’s /.htaccess in terms of /wp-admin, i.e. I didn’t cloak /wp-admin.
Redirection depends on server configuration. You need to add
to your main .htaccess to prevent redirection.
You can refer to the article Password-protect-wp-admin for more details.
I know it’s an old question, but I recently ran into a similar problem and the ErrorDocument directive alone did not solve it for me. In my case, I had an incorrectly formatted .htpasswd file. When I recreated one using the htpasswd tool, everything worked as expected. Just thought I’d pass this along as an option in case someone else runs into the same thing.
Next to “ErrorDocument 401 default”, you need to make sure the password file is readable by the web user. In my case it was not, and the error log showed “[authn_file:error] [pid 15990] (13)Permission denied: [client 54.212.212.54:33556] AH01620: Could not open password file: /home/xxx/.htpasswd”.
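The last two answers trace the failure to the password file itself: a badly formatted .htpasswd, and one the web user cannot open. As an added example (not from any of the posters), this Python code flags entries that do not look like user:hash and reports which path component's mode bits stop a given uid from opening the file. The function names, the sample entries and the uid/gid arguments are assumptions for illustration, and ACLs are not considered.

```python
import os
import re

# Formats htpasswd commonly writes (apr1, bcrypt, {SHA}, DES crypt); heuristic only.
HASH_RE = re.compile(
    r"\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}"
    r"|\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}"
    r"|\{SHA\}[0-9A-Za-z+/]{27}="
    r"|[./0-9A-Za-z]{13}"
)

# Constructed sample file contents; the hashes are filler, not real credentials.
SAMPLE = "\n".join([
    "alice:$apr1$saltsalt$" + "B" * 22,
    "bob:$2y$05$" + "A" * 53,
    "carol:plaintextpassword",
    "dave",
])

def check_entries(text):
    """Return (line_number, problem) for entries that do not look like user:hash."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        user, sep, rest = line.partition(":")
        if not sep or not user:
            problems.append((n, "no user:hash separator"))
        elif not HASH_RE.fullmatch(rest.partition(":")[0]):
            problems.append((n, "unrecognised hash format"))
    return problems

def allowed(st, uid, gids, want):
    """Classic mode-bit check (ACLs ignored). want: 4 = read, 1 = search."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def blocking_components(path, uid, gids):
    """Return the directories/file whose mode stops uid/gids from opening path."""
    path = os.path.realpath(path)
    parts, parent = [], os.path.dirname(path)
    while parent not in parts:  # walk up until dirname() stops changing at "/"
        parts.append(parent)
        parent = os.path.dirname(parent)
    blocked = [d for d in reversed(parts) if not allowed(os.stat(d), uid, gids, 1)]
    if not allowed(os.stat(path), uid, gids, 4):
        blocked.append(path)
    return blocked
```

Call `blocking_components()` with the uid and group ids of the account the web server runs as; an empty list from both functions means neither of these two causes applies.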