Thanks for contributing this Rafael =)
…thought I’d note that perhaps
# Protect wp-login.php from Brute Force Login Attacks based on IP Address SetEnvIF X-FORWARDED-FOR "xxx.xxx.xxx.xxx" AllowIP order deny,allow deny from all Allow from env=AllowIP
should be
# Protect wp-login.php from Brute Force Login Attacks based on IP Address SetEnvIF X-FORWARDED-FOR "xxx.xxx.xxx.xxx" AllowIP order allow,deny deny from all Allow from env=AllowIP
because
You would want to use Order Allow,Deny and NOT Order Deny,Allow
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#orderAllow,Deny
First, all Allow directives are evaluated. At least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.Deny,Allow
First, all Deny directives are evaluated. If any match, the request is denied unless
it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
( from this forum and https://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout )
Cheers, Max