diff --git a/wagtail/wagtailadmin/urls.py b/wagtail/wagtailadmin/urls.py
index a8d4cd892..619533119 100644
--- a/wagtail/wagtailadmin/urls.py
+++ b/wagtail/wagtailadmin/urls.py
@@ -8,34 +8,6 @@ from wagtail.utils.urlpatterns import decorate_urlpatterns
 urlpatterns = [
- # Password reset
- url(
- r'^password_reset/$', 'django.contrib.auth.views.password_reset', {
- 'template_name': 'wagtailadmin/account/password_reset/form.html',
- 'email_template_name': 'wagtailadmin/account/password_reset/email.txt',
- 'subject_template_name': 'wagtailadmin/account/password_reset/email_subject.txt',
- 'password_reset_form': PasswordResetForm,
- }, name='password_reset'
- ),
- url(
- r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done', {
- 'template_name': 'wagtailadmin/account/password_reset/done.html'
- }, name='password_reset_done'
- ),
- url(
- r'^password_reset/confirm/(?P[0-9A-Za-z_\-]+)/(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
- 'django.contrib.auth.views.password_reset_confirm',
- {'template_name': 'wagtailadmin/account/password_reset/confirm.html'},
- name='password_reset_confirm',
- ),
- url(
- r'^password_reset/complete/$', 'django.contrib.auth.views.password_reset_complete',
- {'template_name': 'wagtailadmin/account/password_reset/complete.html'},
- name='password_reset_complete'
- ),
-]
-
-urlpatterns += [
 url(r'^$', home.home, name='wagtailadmin_home'),
 url(r'^failwhale/$', home.error_test, name='wagtailadmin_error_test'),
@@ -85,14 +57,10 @@ urlpatterns += [
 url(r'^tag-autocomplete/$', tags.autocomplete, name='wagtailadmin_tag_autocomplete'),
- url(r'^login/$', account.login, name='wagtailadmin_login'),
 url(r'^account/$', account.account, name='wagtailadmin_account'),
 url(r'^account/change_password/$', account.change_password, name='wagtailadmin_account_change_password'),
 url(r'^account/notification_preferences/$', account.notification_preferences, name='wagtailadmin_account_notification_preferences'),
 url(r'^logout/$', account.logout, name='wagtailadmin_logout'),
-
- url(r'^userbar/(\d+)/$', userbar.for_frontend, name='wagtailadmin_userbar_frontend'),
- url(r'^userbar/moderation/(\d+)/$', userbar.for_moderation, name='wagtailadmin_userbar_moderation'),
 ]
@@ -103,9 +71,47 @@ for fn in hooks.get_hooks('register_admin_urls'):
 urlpatterns += urls
+# Add "wagtailadmin.access_admin" permission check
 urlpatterns = decorate_urlpatterns(urlpatterns, permission_required( 'wagtailadmin.access_admin', login_url='wagtailadmin_login' ) )
+
+
+# These url patterns do not require an authenticated admin user
+urlpatterns += [
+ url(r'^login/$', account.login, name='wagtailadmin_login'),
+
+ # These two URLs have the "permission_required" decorator applied directly
+ # as they need to fail with a 403 error rather than redirect to the login page
+ url(r'^userbar/(\d+)/$', userbar.for_frontend, name='wagtailadmin_userbar_frontend'),
+ url(r'^userbar/moderation/(\d+)/$', userbar.for_moderation, name='wagtailadmin_userbar_moderation'),
+
+ # Password reset
+ url(
+ r'^password_reset/$', 'django.contrib.auth.views.password_reset', {
+ 'template_name': 'wagtailadmin/account/password_reset/form.html',
+ 'email_template_name': 'wagtailadmin/account/password_reset/email.txt',
+ 'subject_template_name': 'wagtailadmin/account/password_reset/email_subject.txt',
+ 'password_reset_form': PasswordResetForm,
+ }, name='password_reset'
+ ),
+ url(
+ r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done', {
+ 'template_name': 'wagtailadmin/account/password_reset/done.html'
+ }, name='password_reset_done'
+ ),
+ url(
+ r'^password_reset/confirm/(?P[0-9A-Za-z_\-]+)/(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+ 'django.contrib.auth.views.password_reset_confirm',
+ {'template_name': 'wagtailadmin/account/password_reset/confirm.html'},
+ name='password_reset_confirm',
+ ),
+ url(
+ r'^password_reset/complete/$', 'django.contrib.auth.views.password_reset_complete',
+ {'template_name': 'wagtailadmin/account/password_reset/complete.html'},
+ name='password_reset_complete'
+ ),
+]
diff --git a/wagtail/wagtailadmin/views/userbar.py b/wagtail/wagtailadmin/views/userbar.py
index 6267f3ab2..c41b5aed1 100644
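Review bot: The list appended after the `decorate_urlpatterns` call is fail-open: any pattern added to it later is served without the `wagtailadmin.access_admin` check, and its heading comment says these patterns do not require an authenticated admin user even though the two userbar routes do. After this change those two routes are protected only by the decorators in views/userbar.py, so dropping a decorator there would expose them without any change to this file. I would reword the heading to `# NOT wrapped by the access_admin check above: every view listed here must enforce its own access control`. A regression test asserting that an anonymous request to each userbar URL returns 403, while the login and password reset pages stay reachable, would pin the intended behaviour.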
--- a/wagtail/wagtailadmin/views/userbar.py
+++ b/wagtail/wagtailadmin/views/userbar.py
@@ -1,10 +1,12 @@
 from django.shortcuts import render
+from django.contrib.auth.decorators import permission_required
 from wagtail.wagtailadmin.userbar import EditPageItem, AddPageItem, ApproveModerationEditPageItem, RejectModerationEditPageItem
 from wagtail.wagtailcore import hooks
 from wagtail.wagtailcore.models import Page, PageRevision
+@permission_required('wagtailadmin.access_admin', raise_exception=True)
 def for_frontend(request, page_id):
 items = [
 EditPageItem(Page.objects.get(id=page_id)),
@@ -26,6 +28,7 @@ def for_frontend(request, page_id):
 })
+@permission_required('wagtailadmin.access_admin', raise_exception=True)
 def for_moderation(request, revision_id):
 items = [
 EditPageItem(PageRevision.objects.get(id=revision_id).page),
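Review bot: `Page.objects.get(id=page_id)` in for_frontend and `PageRevision.objects.get(id=revision_id)` in for_moderation (second hunk) raise DoesNotExist for an unknown id, so a user who passes the new permission check gets a 500 instead of a 404. Using `EditPageItem(get_object_or_404(Page, id=page_id))` and `get_object_or_404(PageRevision, id=revision_id).page`, with `get_object_or_404` added to the existing `django.shortcuts` import, would fix that. The decorator checks only the global `wagtailadmin.access_admin` permission; whether the userbar items enforce per-page edit or moderation rights is not visible in these hunks, so it is worth confirming and recording in a short docstring on each view. Both function bodies continue outside the hunks.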