The FILES directive was placed as an attempt to protect the blog from Brute Force Dictionary Attacks (which since April 2013 have been increasing across the Web thanks to a new botnet).
The standard advice I have found on Websites is to place a “deny from all” inside the FILES block directive and this works fine.
However, when you try to “white list” any IP address (so that people can log in to their own dashboards) Apache gets stuck in a redirect loop for any DENIED addresses (trying to access the WP-LOGIN.PHP script).
I have found many discussions on technical fora where people ran into this problem and asked for help but could not find a resolution.
As best I can determine the issue has something to do with how WordPress needs to rewrite URLs.
I run into the same problem on both single installations and multisite installations.
I don’t think the redirect loops are harming anything, except that hundreds or thousands of compromised servers and individual PCs could be attacking a site at any given moment, and the servers might crash from all the concurrent redirect loops.
If anyone knows how to get around this problem, please share.
Otherwise, you have three choices:
1) Live with the BFD attacks, knowing they’ll eventually get in.
2) Live with the redirect loops and hope your shared hosting can take the load.
3) Just use “deny from all” and temporarily enable the WP-LOGIN.PHP when you need to get into the dashboard (setting a cookie should allow you to bypass this check for a while).
I have not tried renaming WP-LOGIN.PHP as I don’t know how many scripts would have to be changed.
There is at least one RENAME WP-LOGIN plugin available here on WordPress.Org. I may try that on a couple of sites and see if that helps.
ON EDIT: On some installations I still get the infinite redirects even with just “deny from all” in the FILES section. It may be due to different versions of Apache running on different servers. I don’t know and don’t have time to start logging htaccess executions.
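
The whitelist setup described in this post, written out as an added example that is not part of the original post, with one branch per Apache access-control syntax so the same .htaccess behaves the same on servers running different versions. The address 203.0.113.10 is a placeholder, and the `ErrorDocument` line rests on an assumption (stated in its comment) about where the loop comes from.

```apache
# Added example, not from the original post.
# 203.0.113.10 is a placeholder (documentation range) for the address
# that is allowed to reach the login script.

# Assumption: the redirect loop comes from the 403 error page itself being
# routed back through the WordPress rewrite rules. "default" tells Apache to
# answer with its built-in 403 page instead of a custom error document.
ErrorDocument 403 default

<Files "wp-login.php">
    # Apache 2.4 and later (mod_authz_core is loaded)
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>

    # Apache 2.2 (mod_authz_core is absent)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

A denied request handled this way shows up in the access log as a single 403 for wp-login.php, while a request that is still looping produces "exceeded the limit of 10 internal redirects" entries in the error log.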