htaccess redirect to https may cause redirect to 401.shtml when using password protection

When using the .htaccess to add password protection to your site in combination with the .htaccess 301 redirect added by Really Simple Security; this could result in a redirect to URL’s such as: https://example.com/401.shtml.

A simple solution that has been reported to work is to add the following line:

ErrorDocument 401 default

To the top of your .htaccess file. So, the end result looks approximately like this (the error document should come before the password lines):

# Error Document
ErrorDocument 401 default
#password protection
AuthType Basic
AuthName "YOUR AUTH NAME"
AuthUserFile "/path/to/file"
require valid-user
# BEGIN Really Simple Security
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%/$1 [R=301,L]
# END Really Simple Security

Then clear cache and cookies. For more details on this issue, see this forum thread:

https://wordpress.org/support/topic/rsssl-htaccess-code-causes-401-shtml-on-http-to-https-redirect-when-using-auth/#post-10033367

Simple and Performant Security.


Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.