Block access to wp-admin

I’m attempting to use a .htaccess file to block access to the wp-admin folder. I’ve read through the Brute Force Attacks doc (https://wordpress.org/support/article/brute-force-attacks/) and I’ve added the block below, using my IP addresses, to the .htaccess file and placed it in the wp-admin folder:

# Block access to wp-admin.

ErrorDocument 401 default

order deny,allow
allow from x.x.x.x 
allow from y.y.y.y 
allow from z.z.z.z 
deny from all

It seems to be working but the error that a user receives is “This webpage has a redirect loop”. Is there a way to send the user to a 404 or another error doc instead of the redirect loop? I’m not really sure how that is occurring since there is nothing else in the .htaccess file.

I’m not password protecting the wp-admin folder and adding ErrorDocument 401 default doesn’t seem to work either.

2 Answers
2

Placing the htaccess file in the wp-admin directory did not work for me so I went a different route and it seems to be working very well. Below is what I have in my main htaccess file:

<files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
allow from x.x.x.x
allow from y.y.y.y
allow from z.z.z.z
</files>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
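
The same wp-login.php allowlist written for Apache 2.4, as an added example that is not part of the original answer: on 2.4 the Order/Allow/Deny directives are only available through mod_access_compat, and Require ip is their replacement. The addresses are constructed placeholders from the documentation ranges, standing in for the x.x.x.x entries above.

```apache
# Added example. Addresses are constructed placeholders (documentation ranges);
# replace them with the addresses you administer the site from.

# Apache 2.4 and later: mod_authz_core / mod_authz_host
<IfModule mod_authz_core.c>
    <Files "wp-login.php">
        # Several Require lines with no container behave as RequireAny:
        # a client matching any one of them is allowed, all others get 403.
        Require ip 192.0.2.10
        Require ip 198.51.100.0/24
        Require ip 2001:db8::10
    </Files>
</IfModule>

# Apache 2.2 fallback: the Order/Allow/Deny form used in the answer.
<IfModule !mod_authz_core.c>
    <Files "wp-login.php">
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
        Allow from 198.51.100.0/24
    </Files>
</IfModule>

# Answer denied requests with Apache's built-in 403 page instead of a
# custom error document.
ErrorDocument 403 default
```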
