Try putting the # Protect wp-login
section before the rewrite section instead of at the end. That usually does the trick for me.
Unfortunately, that doesn’t seem to work. I even gave up and tried placing the authentication section in its own .htaccess file in wp-admin instead (just to have some sort of protection), but much to my surprise it was still causing the password prompts to appear all over my site. I’m starting to wonder if something else might be going on, but I don’t know.
You may want to see my post here:
http://wordpress.org/support/topic/htaccess-wp-admin-and-tml?replies=6#post-5439065
HTTP Authentication in Apache was really meant for a directory. But I guess it depends on your host configuration.
Hi Thomas, thanks for the response. I tried the code mentioned in your post for placing the .htaccess into the wp-admin directory, but unfortunately it didn’t quite work for me. Although the password prompts weren’t appearing all over the site anymore, they also weren’t appearing at wp-login.php or even when I was logged into the dashboard.
However, I tried fiddling with it a bit, and got something sort of working, though it’s really buggy:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /password-directory/.htpasswd-wplogin
AuthGroupFile /dev/null
Require user administrator
<FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
<LimitExcept GET POST>
Deny from all
</LimitExcept>
I just omitted the <LIMIT> tags from your post, not sure if that was okay though. Strangely enough this gives a password prompt for wp-login.php now… but, if I hit cancel it still loads wp-login.php, albeit without any CSS. If I try to log in through wp-login.php, it comes up with the password prompt a second time, and cancelling here brings up the normal htaccess failure page. If I use the password I do seem to be able to log into and use the admin panel normally, though it feels a bit sketchy that there are quirks happening in between.
Do you have any thoughts on how to fix that sort of strange behavior? I’m actually kind of confused why the prompt shows up multiple times (actually, I’m kind of surprised it even shows up for the wp-login.php page, I kind of figured it would only show for the wp-admin directories). I was mainly trying to protect the wp-login.php since it seems like that’s what WordPress recommends (I think for preventing brute-force attacks), but I guess at this point I’ll take anything that works in protecting the control panel. Any help in figuring this out is greatly apprecaited, thanks again!