htaccess File Basic Auth applying to other pages

Question

I have the following in my root htaccess, running Apache 2.4.46

Order Allow,Deny
Allow from all

Deny from 1.2.3.4  # block hackers
RewriteCond %{QUERY_STRING} (^|&)id\=549($|&)
RewriteRule ^index3211\.html$ /donate/? [L,R=301]

<Files wp-login.php>
    AuthName Limited!
    AuthType Basic
    AuthUserFile "/home/example/www/www/wp-admin/.htpasswd"
    Require valid-user
</Files>
...
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
<Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

But I am getting prompted for the password in some of the normal WP pages (on friendly URLs to index.php that have no reference to wp-login).

The page loads and the password prompt only appears at the end. I can't find any reference to wp-login.php in the Javascript source, HTML or Network tab requests (and there are no redirects).

Any tips on diagnosis?

Update: We have tracked it down to the WPBakery Media Grid element. I can't find the actual connection, so have no idea how/where it is triggering, but can turn the issue on and off with the element.

Answer 1

You may try this code in your .htacess:

<If "%{THE_REQUEST} =~ m#/login\.php[/?\s]#">
    AuthName Limited!
    AuthType Basic
    AuthUserFile "/home/example/www/www/wp-admin/.htpasswd"
    Require valid-user
</If>

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  RewriteRule ^index\.php$ - [L]

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>

Make sure to test it from a new browser or after clearing browser cache.