I have recently been learning how to harden WordPress using the steps outlined on this page.
When I get to the stage where I use HTTP Basic Authentication (the one where the browser pops up with a login prompt) to protect the login and admin areas, if I click Cancel or fail to authenticate, the WordPress login form still appears, but in a less styled way.
I tried setting an ErrorDocument 401 (Authentication Required) in the .htaccess file, both in the WordPress root directory and in the wp-admin directory, with a message in quotes, but that doesn't work. Then I tried setting an ErrorDocument 403 (Forbidden) in both, with the same message in quotes, and the form still shows.
Does anyone have any ideas on how to get around this?
I managed to figure it out and want to share it with others in case they're having the same issue.

To protect wp-admin, use the wp-admin/.htaccess file, but that only works for the wp-admin directory and won't affect the wp-login.php file, which is outside that directory.

Add protection to the wp-login.php file using the <Files></Files> directive in the root .htaccess file.
After doing that and reloading the page, failing to authenticate will no longer show the login page or anything related to wp-login.php.
Hope this helps someone out there. Please let me know if it does.
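The two .htaccess files described in the answer, written out as an added example (this is not the original poster's configuration). The password file path, the AuthName text and Apache 2.4 authorization syntax (Require all granted) are assumptions; adjust them for your server.

```apache
# --- Root .htaccess (the WordPress install directory) ---
# Apache answers with 401 before PHP runs, so an unauthenticated request
# never reaches wp-login.php and no login form is rendered.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    # Assumed path; keep the password file outside the web root.
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Files>

# --- wp-admin/.htaccess ---
# Covers everything under wp-admin/ (including its CSS and JS),
# which is why the form appeared unstyled when only this file was in place.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

# Optional: themes and plugins often call admin-ajax.php from the public
# front end without credentials; exempt it only if that breaks.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Create the password file once with `htpasswd -c /etc/apache2/.htpasswd <username>` (drop `-c` when adding further users), and make sure the directory's `AllowOverride` includes `AuthConfig` or the .htaccess directives will be ignored. Basic Authentication only base64-encodes the credentials, so serve the login and admin areas over HTTPS; the added layer is a second password in front of WordPress, not a replacement for a strong WordPress password.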