Support » Plugin: BulletProof Security » WP-Admin .htaccess & deny, allow recently started causing redirect loop

  • Resolved Keith Aldrich



    Recently I started having trouble accessing the wp-admin area of my site. I keep getting a redirect loop. I tracked this down to my wp-admin/.htaccess and the following code.

    I’ve been using this code successfully for over a year now to keep brute force attacks out. It wasn’t until the last week that I started getting the redirect loop.

    Any help would be appreciated.

    # BEGIN CUSTOM CODE WPADMIN TOP: Add miscellaneous custom code here
    # Only allow login from these IP addresses
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Password Protected Area"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from [IP DELETED for obvious reasons]
    # whitelist work IP address
    allow from [IP DELETED for obvious reasons]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author AITpro


    The most likely thing that has changed is one or more of your IP addresses. You will find your IP addresses on the BPS System Info page. If you are unable to access your WP Dashboard then temporarily rename your wp-admin .htaccess file so you can login to the site to get the current IP addresses.

    Plugin Author AITpro


    I don’t believe this new root .htaccess rule would be causing the problem, but for troubleshooting purposes comment it out in your root .htaccess file by adding a # sign in front of the code.

    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    #RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

    Check that this line of code below is not commented out with a # sign in your root .htaccess file.

    ErrorDocument 401 default


    Thanks for the response.

    I have static IPs at both locations and have double checked. Neither have changed.

    I tried commenting that line out, then including the IP filtering in wp-admin, still having the same issue.

    Okay, I have another site on the same hosting account that has old WP and BPS (hasn’t been updated in a while) and I’m having the same issue with it.

    I’m wondering if my host made a change on their end that is causing the issue.

    Thanks for your help!

    Plugin Author AITpro


    Yep, sounds like your Host has changed something on the Server so check with them. Since last April I have seen all sorts of variations of Brute Force Login protection added to Host Servers on web hosts all over the World. So logically maybe they have implemented something new to combat Brute Force Login attacks on the Server itself that causes your wp-admin IP code to no longer work. They may have also changed dev/null to something else or changed something else about Directory Password protection on the Server/Control Panel.

    Again, thank you for your help.

    Protection against brute force attacks is a very valid point. My host has, in the past, has blocked all access to wp-login.php so it wouldn’t surprise me if they have put in some other protection.

    I’ve fired off an email to my host to see what is up. If they say nothing has changed I will continue to try and trouble shoot and post here if I gain any other insight.

    BTW, this is pretty good service considering I’m a freeloader who doesn’t pay for PRO! Thank you!

    Plugin Author AITpro


    Resolving. Host specific issue. We still recieve email notifications when Threads are resolved so feel free to post any additional info.

    I contacted Midphase support. Here is what they had to say about the issue:

    Thank you for contacting Midphase. I apologize for the delay in response. I’m sorry to hear that you are currently getting a redirect loop when accessing your wp-admin. I would be happy to make it my priority to assist you in resolving this and getting your page to load without a redirect loop.

    Is there a reason that you have two copies of the .htaccess file for your site rather than one? This is what appears to be causing the redirect loop. Renaming (and therefore disabling) the .htaccess file in your wp-admin will get rid of the re-direct loop. Renaming the .htaccess file in your public_html will also get rid of the loop, but won’t allow us access to the wp-admin due to the rules set in the .htaccess file in your /wp-admin directory.

    I’d like to note that having two .htaccess files is not what is causing the issue. Commenting out the deny, allow code will stop the redirect loop from reoccuring but opens my wp-admin up.

    Plugin Author AITpro


    Oh well. File their response in the trash bin under useless/clueless where it belongs. None of this information has any value and of course it is completely wrong.

    Try this to find out what works, what does not work and what has changed on your Server/Host. Go into your Control panel and recreate your Directory Password Protection. Usually when you do this on a Host the Host will add an .htaccess file automatically to the directory you are password protecting. Copy the .htaccess code and save it on your computer. Then create a new .htaccess file with BPS and add the .htaccess code that your Host created into the BPS .htaccess file.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘WP-Admin .htaccess & deny, allow recently started causing redirect loop’ is closed to new replies.