I wonder why test.html is Forbidden (as expected) but wp-login.php is available. I tried both FilesMatch and Files. They have similar "chown" and "chmod". I've read official Apache 2.4 docs. I googled a lot. I can not understand what's wrong in this correct config, and why wp-login.php is always available. How could it be denied for access?!
<Directory /home/user/html>
Require all granted
Options -Indexes
<FilesMatch "^wp(.*)$">
<IfModule mod_authz_core.c>
Require all denied
Require ip 10.145.13
</IfModule>
</FilesMatch>
<FilesMatch "^test(.*)$">
<IfModule mod_authz_core.c>
Require all denied
Require ip 10.145.13
</IfModule>
</FilesMatch>
</Directory>
EDIT
Thank you Philip, I also thought about something like this - includes and so on...
When you browse to /wp-login Apache is not loading wplogin first.
Not sure, because there's no such a directory /wp-login , there's just a file wp-login.php and I open it directly - http://...my..blog/wp-login.php
By the way, I remembered just now - it worked like a charm when I used Apache 2.2. Now I have 2.4, but the Wordpress remains the same. As we know, 2.4 has different syntax. So, I adopted new config to serve in the same way as my old 2.2 config. But...
That's strange.
And I found an article https://www.saotn.org/wordpress-htaccess-security-best-practices-apache-24/ Though, I configured everything in the same way before. Just to confirm that my settings are correct.
So, I'm not sure what to do.
UPD: found this https://stackoverflow.com/questions/32487034/apache-2-4-restricting-access-to-wp-login-php-by-ip-not-working