Apache FilesMatch (global config) priority over local .htaccess

Question

I want to protect all Wordpress admin interfaces (wp-login.php/wp-admin) in my server. To do this, I want to create a global config in Apache, asking for a fixed user/password (HTTP basic authentication), before reach the real WordPress login page. This will avoid overload PHP from password scan bots.

<FilesMatch "wp-login.php"> AuthUserFile /etc/wordpress.passwd AuthName "TYPE USER wp AND PASSWORD wp" AuthType Basic require valid-user </FilesMatch> 

Works, any file named wp-login.php will ask for the password.

But when I run in a Wordpress site, its .htaccess has some kind of "priority" over the global config. When I access wp-login.php I just receive a 404 error. If I remove/rename .htaccess, FilesMatch works, but I lost the "path mask" feature, that is necessary.

Wordpress .htaccess is:

RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] 

I'm looking for a way to FilesMatch directive has priority over the .htaccess (Rewrite module): ask for the password, not rewrite the URL (giving 404).

Any ideas?

Answer 1

Solved

Wordpress .htaccess rewrites everything, including the ErrorDocument directives, that are used by HTTP Basic Authentication, 401 and 403 return codes. I had personalized SHTML files for ErrorDocument (default in cPanel servers). So, instead of ask for a password, it rewrites the HTTP headers, asking for the password and showing a 404 error page at same time, letting the web browser crazy.

To fix, I just forced the default ErrorDocument messages:

ErrorDocument 401 default ErrorDocument 403 default