I’ve decided to take the advice of protecting the /wp-admin directory using .htaccess on a website which keeps getting hacked.

Whenever I upload .htaccess to /wp-admin, my browser says /wp-admin has a redirect loop.

This is /wp-admin/.htaccess:

AuthUserFile /.../.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

A server redirection checker says there is a 302 (Moved Temporarily) redirect from /wp-admin to /wp-admin

If I delete /wp-admin/.htaccess, the redirect checker says there is still a 302 redirect from /wp-admin, but now it is to /wp-login.php?redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1

Bear in mind the server redirect checker is not logged into WordPress.

Why does the presence of /wp-admin/.htaccess make /wp-admin redirect to itself?

Thanks.

PS – I am also using Better WP Security, but this made no changes to the site’s /.htaccess in terms of /wp-admin. i.e. I didn’t cloak /wp-admin


Redirection depends on server configuration. You need to add

ErrorDocument 401 default

to your main .htaccess to prevent redirection.
You can refer to the article Password-protect-wp-admin for more details.
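A way to confirm the result after changing the configuration, as an added example that is not part of the original question or answer: it requests /wp-admin/ anonymously, follows redirects by hand, and reports which of the three behaviours discussed in this thread the server shows. The function names, outcome labels and replayed responses are constructed for illustration, and it assumes the desired state is a 401 carrying a Basic challenge.

```python
import http.client
from urllib.parse import urlsplit, urljoin

def fetch(url):
    """One unauthenticated GET, redirects not followed: (status, headers)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(u.netloc, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def check_admin_auth(url, fetch=fetch, max_hops=5):
    """Classify what an anonymous client sees when requesting wp-admin."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return "redirect-loop"          # the symptom from the question
        seen.add(url)
        status, headers = fetch(url)
        if status == 401:
            challenge = headers.get("www-authenticate", "").lower()
            return "basic-auth-enforced" if challenge.startswith("basic") else "401-without-basic-challenge"
        if status in (301, 302, 303, 307, 308):
            target = urljoin(url, headers.get("location", ""))
            if urlsplit(target).path.endswith("/wp-login.php"):
                return "no-basic-auth"      # only WordPress's own login guards wp-admin
            url = target
            continue
        return "unexpected-%d" % status
    return "redirect-loop"

# Constructed responses mirroring the cases in the thread (not captured traffic).
BASE = "http://www.example.com/wp-admin/"
LOGIN = "/wp-login.php?redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1"
SAMPLES = {
    "with_htaccess": {BASE: (302, {"location": "/wp-admin/"})},
    "without_htaccess": {BASE: (302, {"location": LOGIN})},
    "after_fix": {BASE: (401, {"www-authenticate": 'Basic realm="restricted"'})},
}

def replay(case):
    """Return a fetch() stand-in that serves the constructed responses."""
    return lambda url: SAMPLES[case][url]

if __name__ == "__main__":
    for case in SAMPLES:
        print(case, "->", check_admin_auth(BASE, fetch=replay(case)))
```

Calling `check_admin_auth("http://www.example.com/wp-admin/")` without the `fetch` argument runs the same check against a live site.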
