With the following configuration: Apache <VirtualHost *:80>... <Files wp-login.php> Order Deny,Allow Deny from all </Files> </VirtualHost> The following file is not accessible: http://127.0.0.1/wp-login.php As a forbidden error message by Apache is returned. If a user or attacker accesses the following URL, the access controls by Apache are completely ignored: http://127.0.0.1/fcgi-php-fpm/wp-logi