.htaccess in wp-admin produces a redirect loop

I’ve decided to take the advice of protecting the /wp-admin directory using .htaccess on a website which keeps getting hacked.

Whenever I upload .htaccess to /wp-admin, my browser says /wp-admin has a redirect loop.

This is /wp-admin/.htaccess:

AuthUserFile /.../.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

A server redirection checker says there is a 302 (Moved Temporarily) redirect from /wp-admin to /wp-admin

If I delete /wp-admin/.htaccess, the redirect checker says there is still a 302 redirect from /wp-admin, but now it is to /wp-login.php?redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1

Bear in mind the server redirect checker is not logged into WordPress.

Why does the presence of /wp-admin/.htaccess make /wp-admin redirect to itself?

Thanks.

PS – I am also using Better WP Security, but this made no changes to the site’s /.htaccess in terms of /wp-admin. i.e. I didn’t cloak /wp-admin

Answers:


Method 1

Redirection depends on server configuration. You need to add

ErrorDocument 401 default

to your main .htaccess to prevent redirection.
You can refer to the article Password-protect-wp-admin for more details.

Method 2

I know it’s an old question, but I recently ran into a similar problem and the ErrorDocument directive alone did not solve it for me. In my case, I had an incorrectly formatted .htpasswd file. When I recreated one using the htpasswd tool, everything worked as expected.

Just thought I’d pass this along as an option in case someone else runs into the same thing.

Method 3

Next to "ErrorDocument 401 default", you need to make sure the password file is readable by the web user. In my case it was not, and the error log showed "[authn_file:error] [pid 15990] (13)Permission denied: [client 54.212.212.54:33556] AH01620: Could not open password file: /home/xxx/.htpasswd"
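
An added example, not part of the original answers: a shell function that checks a .htpasswd file for the two problems Methods 2 and 3 describe (malformed entries, and a file the user cannot read). The function name check_htpasswd and the set of accepted hash layouts (apr1 MD5, bcrypt, {SHA}, traditional crypt) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers): sanity-check a .htpasswd
# file for the failure modes described in Methods 2 and 3.
# Usage: source this file, then run: check_htpasswd /path/to/.htpasswd

# Assumed hash layouts: apr1 MD5, bcrypt, {SHA} and traditional crypt().
HASH_RE='\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}'
HASH_RE="$HASH_RE"'|\$2[aby]\$[0-9]{2}\$[./0-9A-Za-z]{53}'
HASH_RE="$HASH_RE"'|\{SHA\}[0-9A-Za-z+/]{27}='
HASH_RE="$HASH_RE"'|[./0-9A-Za-z]{13}'

# check_htpasswd FILE
#   returns 0: readable and every entry is "user:hash" in a known layout
#   returns 1: missing, or not readable by the user running this function
#   returns 2: at least one malformed entry (line numbers go to stderr)
check_htpasswd() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "$file: missing or not readable by $(id -un)" >&2
        return 1
    fi
    # Blank lines and '#' comment lines are skipped; every other line must
    # be exactly user:hash. grep -v keeps only the lines that are neither.
    bad=$(grep -nvE "^([^:#][^:]*:($HASH_RE))?\$|^#" "$file" | cut -d: -f1)
    if [ -n "$bad" ]; then
        echo "$file: malformed entry on line(s): $(echo $bad)" >&2
        return 2
    fi
    return 0
}
```

Run it as the account Apache runs under (for example with sudo -u) so the readability result matches what the server sees.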


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
