blocking access to all post/tag URIs via htaccess

RewriteCond %{REQUEST_URI} ^post/tag/
RewriteRule .* - [F]

The REQUEST_URI server var does start with a slash (it is a full root-relative URL-path), although you do say you have tried this “with and without the leading slash”, so this should have worked if that is what you are referring to and /post is the first path-segment in the URL-path.

However, you don’t need the additional RewriteCond directive here as the URL check can (and should) be performed in the RewriteRule directive instead. For example:

RewriteRule ^post/tag/ - [F]

In this case, there is no slash prefix on the RewriteRule pattern.


If that is still failing then try matching against THE_REQUEST instead, which contains the first line of the request headers and is not modified by other rewrites (unlike REQUEST_URI and the URL-path matched by the RewriteRule directive).

For example:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,7}\s/post/tag/
RewriteRule ^ - [F]

THE_REQUEST would contain a string of the form:

GET /post/tag/example-here HTTP/1.1

Still not working… then make sure you don’t have a custom 403 ErrorDocument that is routing the request through WordPress. If you have not defined anything yourself, then this could still be defined in the server config (by your host), which you can reset to the Apache default with the following in .htaccess:

ErrorDocument 403 default