One of the most useful articles on the WordPress Codex is the one entitled ‘Hardening WordPress‘, full of recommendations on how to beef up the security of your installation. One such is the tip to have a second layer of authentication on top of the WordPress login direction ‘wp-admin’ using .htaccess and BasicAuth.
What it fails to mention that doing this will cause /wp-admin to return a 404 error as soon as the .htaccess file is in place. In trying to work out why this is I read a variety of articles, all full of utterly useless advice (lots of guesses and no solutions), until I found this much more informed article, which properly explained the problem.
So while full credit goes to the author above, I am restating this information here because it took me a lot of links to find that one, and it never hurts to have another site featuring a proper fix.
Cause
This problem is caused by the Rewrite rules in the .htaccess of the WordPress root directory. The rewrite rules look for a valid WP directory or file and redirect to ‘index.php’ if these are not found. This creates a bit of a permissions conflict which results in a 404, because the webserver is looking for either a 401 Unauthorised page, or a 403 Access Forbidden page. If neither of these are specified in the root .htaccess file of the WordPress installation, a 404 not found page appears.
Solution
Modify the root .htaccess file (i.e. not the one in wp-admin) to include these two lines:
ErrorDocument 401 error401.html
ErrorDocument 403 error403.html
You actually need to create the error files specified (or both can point to the same file). The file can be empty – it doesn’t matter. They just need to exist. Once they do you’ll find that going to wp-admin pops up the Basic Auth prompt as desired.
This was a pesky problem to find the solution for, so I hope this helps. Props to the author noted in the link above, and the other blogs he used to articulate a decent solution (isn’t the internet great sometimes?).
3 replies on “WordPress 404 error when using .htaccess in wp-admin”
I edited my .htaccess root file, and the pop-up worked well, but all my post links gives me a 404 error. I think that is a rewrite rule problem 🙁 Thanks
Hi there – sounds like you may have overwritten your rewrite rules in the .htaccess. Mine looks like this:
order allow,deny
deny from all
ErrorDocument 401 /error.html
ErrorDocument 403 /error.html
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
I don’t have overwritten the htaccess, and it’s similar to the one you posted here (I don’t have “Block the include-only files”). But this way, the post links works well, and don’t work the pop up in wp-admin. Thanks for reply!