Managed to figure it out and want to share it with others in case they’re having the same issue.
When protecting wp-admin
, protect it using wp-admin/.htaccess
file, but that only works for the wp-admin
directory, and won’t affect the wp-login.php
file which is outside that directory.
Add protection to the wp-login.php
file using the <files></files>
directive in the root .htaccess file.
After doing that and reloading the page, failing to authenticate will no longer show the login page or anything related to wp-login.php.
Hope this helps someone out there. Please let me know if it does.