I want to protect all WordPress admin interfaces (wp-login.php/wp-admin) on my server. To do this, I want to create a global config in Apache that asks for a fixed user/password (HTTP Basic authentication) before reaching the real WordPress login page. This will avoid overloading PHP with password-scanning bots.
<FilesMatch "wp-login.php">
AuthUserFile /etc/wordpress.passwd
AuthName "TYPE USER wp AND PASSWORD wp"
AuthType Basic
require valid-user
</FilesMatch>
It works: any file named wp-login.php will ask for the password.
But when I run it on a WordPress site, its .htaccess has some kind of "priority" over the global config. When I access wp-login.php I just receive a 404 error. If I remove/rename .htaccess, FilesMatch works, but I lose the "path mask" feature, which is necessary.
The WordPress .htaccess is:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
I'm looking for a way for the FilesMatch directive to have priority over the .htaccess (Rewrite module): ask for the password, and don't rewrite the URL (giving a 404).
Any ideas?
Solved
The WordPress .htaccess rewrites everything, including the ErrorDocument directives that HTTP Basic Authentication uses for the 401 and 403 return codes. I had customized SHTML files for ErrorDocument (the default on cPanel servers). So, instead of asking for a password, it rewrites the HTTP headers, asking for the password and showing a 404 error page at the same time, driving the web browser crazy.
To fix it, I just forced the default ErrorDocument messages:
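The global configuration described in the question, combined with the fix described under "Solved", as an added example that is not the original poster's configuration. It uses `ErrorDocument ... default`, which makes Apache serve its built-in hard-coded error message instead of any custom error page configured elsewhere, so a per-site RewriteRule has no error-document URL to rewrite. The password-file path, the AuthName text, and the wp-admin section are assumptions; the admin-ajax.php exception is there because WordPress front-end themes and plugins call that file from unauthenticated visitors.

```apache
# Added example (not the original poster's config): global Apache 2.4
# configuration protecting WordPress admin entry points with HTTP Basic
# auth, and forcing the built-in 401/403 responses so that a WordPress
# .htaccess RewriteRule cannot turn the error page into a 404.
#
# Create the credentials file once (assumed path; bcrypt hashes):
#   htpasswd -cB /etc/wordpress.passwd wp

# Anchored pattern: matches exactly wp-login.php, not e.g. "old-wp-login.php".
<FilesMatch "^wp-login\.php$">
    AuthType Basic
    AuthName "WordPress admin (assumed realm text)"
    AuthUserFile /etc/wordpress.passwd
    Require valid-user

    # "default" restores Apache's hard-coded message for these codes,
    # overriding custom pages such as /401.shtml set by a hosting panel.
    ErrorDocument 401 default
    ErrorDocument 403 default
</FilesMatch>

# Optional: protect the wp-admin directory of every site as well.
<DirectoryMatch "/wp-admin/?$">
    AuthType Basic
    AuthName "WordPress admin (assumed realm text)"
    AuthUserFile /etc/wordpress.passwd
    Require valid-user

    ErrorDocument 401 default
    ErrorDocument 403 default

    # admin-ajax.php is requested by anonymous front-end visitors; with
    # the default AuthMerging Off the inner Require replaces the outer one.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</DirectoryMatch>
```

After reloading Apache, `curl -I https://example.invalid/wp-login.php` should return `401 Unauthorized` with a `WWW-Authenticate: Basic realm=...` header and the plain built-in body, even on a site whose .htaccess contains the standard WordPress rewrite block.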