Kinda annoyed by this looking for some advice. I have a subfolder I dont want to offer access to it. So I set a .htaccess file (444 file permission setting.) with the following code: # SECURE WP-ADMIN 12.345.67.890 <FilesMatch ".*"> Order Deny,Allow Deny from all Allow from 12.345.67.890 </FilesMatch> Essentailly, I change the IP address to myself when I need to access / view that subfolder.. then just set it back to that 123456... when I am done. Well, when I check my logs.. I still see clowns trying to get into that subfolder... as in trying to login. A standard 3 strikes they get kicked out... but that setting as at login attempt security. Now I thought that with a .htaccess file setup as above... they would get 403 Forbidden and not even be able to attempt a login or even see that page? So what am I doing wrong? Or they some how able to still read the contents of .htaccess file, and spoof the IP thats there?