Returning 404 code for unauthorized attempts

Well, close:

<Location /admin>
     Order deny,allow
     Allow from 10.0.0.1
     Allow from 192.168.1.1
     Deny from all
</Location>

Though what this actually does is return a 403 Forbidden, not a 404 Not Found, which is, y'know, correct.

If you're putting this in a .htaccess in the admin directory, you don't need the Location container. The example is written for a server or virtual host configuration file.

See also mod_access docs.

For what it's worth, as time has worn on I've increasingly come to find value in putting the site admin on an entirely separate virtual host.


You can use mod_rewrite to do that.

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !=10.0.0.1 [OR]
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
RewriteRule ^admin($|/) - [L,R=404]

Note that the R=404 flag requires at least Apache 2.1.1.