htaccess - Block access to wp-admin

I'm attempting to use a .htaccess file to block access to the wp-admin folder. I've read through the Brute Force Attacks doc (https://wordpress/support/article/brute-force-attacks/) and I've added the block below, using my IP addresses, to the .htaccess file and placed it in the wp-admin folder:

# Block access to wp-admin.

ErrorDocument 401 default

order deny,allow
allow from x.x.x.x 
allow from y.y.y.y 
allow from z.z.z.z 
deny from all

It seems to be working but the error that a user receives is "This webpage has a redirect loop". Is there a way to send the user to a 404 or another error doc instead of the redirect loop? I'm not really sure how that is occurring since there is nothing else in the .htaccess file.

I'm not password protecting the wp-admin folder and adding ErrorDocument 401 default doesn't seem to work either.

asked May 6, 2015 at 13:38 by brandozz; edited Jan 30, 2021 at 15:00 by Celso Bessa
  • possible duplicate of .htaccess in wp-admin produces a redirect loop – kittsville Commented May 6, 2015 at 13:43
  • Per your answer, did you try moving the ErrorDocument 401 default line to the end of your .htaccess file? I know I've run into situations with my own .htaccess file where the order of the commands is important. (Also, I note that in your answer, the deny from all line occurs before the allow from [x] lines, which may also be relevant.) – Pat J Commented May 6, 2015 at 15:23
  • What I have below in my answer is actually working very well. When I try accessing wp-login.php from any other IP besides what is allowed, it is blocked. – brandozz Commented May 6, 2015 at 15:37
2 Answers

Placing the htaccess file in the wp-admin directory did not work for me so I went a different route and it seems to be working very well. Below is what I have in my main htaccess file:

<files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
allow from x.x.x.x
allow from y.y.y.y
allow from z.z.z.z
</files>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default

You can also block access to wp-admin with htaccess/htpasswd, which will force users to enter an extra name/password before they can access wp-admin. This way, brute force attacks will be blocked at the server level; they do not even reach the WordPress login mask.

You have to edit /wp-admin/.htaccess

Add the following lines:

AuthType Basic
AuthName "restricted area"
AuthUserFile /absolute-server-path-to-wp/wp-admin/.htpasswd
require valid-user

Please note: You need to insert the absolute server path! There you define the path where the password is stored.

You also need to generate the .htpasswd file. You can use a tool like: http://www.kxs/support/htaccess_pw.html

Upload the .htpasswd file to the location defined above in the line AuthUserFile. It should be located above the level which can be accessed by visitors of your site, so if your site is in /httpdocs/wordpress/, you might place it in /httpdocs.

More details about setting it up can be found here: How to protect a directory with htaccess
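
Added example (not part of the original question or either answer): a check over the Apache access log that confirms the rules above are taking effect, by listing requests for wp-login.php or /wp-admin/ from addresses outside the allowlist that were answered with anything other than 401 or 403. The allowlist entries, the sample log lines and the assumption that WordPress is installed at the site root are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: documentation ranges standing in for x.x.x.x, y.y.y.y, z.z.z.z.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]
# Paths the two answers protect (assumes WordPress is installed at the site root).
PROTECTED = re.compile(r"^/(?:wp-login\.php|wp-admin(?:/|$))")
# Apache common/combined log format: client, identity, user, [time], "request", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
BLOCKED = {"401", "403"}  # Basic auth challenge or access-control denial

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2015:13:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2714
203.0.113.7 - - [06/May/2015:13:40:05 +0000] "POST /wp-login.php HTTP/1.1" 403 209
203.0.113.7 - - [06/May/2015:13:40:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 -
198.51.100.23 - - [06/May/2015:13:41:12 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9120
203.0.113.99 - - [06/May/2015:13:42:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2714
203.0.113.99 - - [06/May/2015:13:42:31 +0000] "GET /index.php HTTP/1.1" 200 5120
not a log line
"""

def is_allowed(client):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field: treat as not allowed
        return False
    return any(addr in net for net in ALLOWED)

def audit(log_text):
    """Return (client, method, path, status) for protected requests from a
    non-allowlisted address that were not answered with 401 or 403."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # compare the path without its query string
        if PROTECTED.match(path) and not is_allowed(client) and status not in BLOCKED:
            leaks.append((client, method, path, status))
    return leaks

if __name__ == "__main__":
    for leak in audit(SAMPLE_LOG):
        print("not blocked:", *leak)
```

A 302 on /wp-admin/ from an outside address is what the log shows when only wp-login.php is covered, as in the first answer: the request still reaches WordPress, which redirects it to the login page.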
