it create a never-ending loop as WordPress tries to find the 403.php page
Not WordPress, but Apache. WordPress never even sees the request.
You need to make an exception for your custom 403 error document, otherwise, the directives you have posted would issue another 403 for the error document itself… an endless loop.
If your ErrorDocument
is defined like so:
ErrorDocument 403 /403.php
Then you can either create an exception before your existing rules like this:
RewriteRule ^403\.php$ - [L]
Which effectively instructs mod_rewrite/Apache to do nothing when the /403.php
document is requested.
Or, incorporate this into your existing rule block. For example:
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.22\.33$
RewriteRule !^403\.php$ - [R=403,L]
The !
prefix on the RewriteRule
pattern negates the regex. So, this rule block will only be processed if the /403.php
document is not requested. Note that [R=403,L]
is the same as [F]
.
Or, you can simply disable your custom error document instead and use Apache’s default error response:
ErrorDocument 403 default