The proposed solution has several faults, not the least of which is the suggestion to make the error documents blank -- This is a horrible usability problem in the making. Error documents should describe the error in simple terms, and tell the user what to do!

Password-protection is always difficult to debug, and I don't have a site set up like this, nor time to test it. But I'd recommend doing it like this:

In /.htacess:

RewriteEngine on
# BEGIN WordPress (modified)
# If requested URL-path does not start with "/library/"
RewriteCond %{REQUEST_URI} !^/library/
# and requested URL_path does not resolve to existing file
RewriteCond %{REQUEST_FILENAME} !-f
# and requested URL-path does not resolve to existing directory
RewriteCond %{REQUEST_FILENAME} !-d
# rewrite the request to WordPress
RewriteRule . /index.php [L]
# END WordPress 

Note that I deleted the <IfModule> container and the RewriteBase directive -- Neither are needed. <IfModule> guarantees a 'silent failure' on a server where mod_rewrite is not available, so if you've got mod_rewrite on your server, don't bother wasting CPU time executing <IfModule>. "RewriteBase /" is the default setting, so there is no need to execute that, either.

Then add your password-protection code to example.com/library/.htaccess *and* declare a 401 ErrorDocument in that subdirectory as well:

ErrorDocument 401 /library/error-401.html

This errordocument should contain a message that says something like, "Login required. If you do not have an account, please sign up to get one and then try again. Thank you!" -- Nice tone, tell the user what to do.

The new password-protection and errordocument code placed in /library/.htaccess will only apply to requests for that subdirectory, so interaction with WP shouldn't be a problem.

I'd also recommend adding error documents in /library and corresponding error pages for at least the following error conditions, in addition to 401-Authorization required:

400-Bad request (The server could not understand the request)
403-Forbidden (Access to the requested page is not allowed)
404-Not Found (Page is missing, reason is unknown, page may return later)
410-Gone (Page was intentionally removed, and will not return)
500-Server Error (Server is likely mis-configured, please try again later)

Note that many sites' functional problems and poor search engine ranking problems are caused by incomplete and/or incorrect server configuration -- It pays to be thorough in both configuration and testing!

One more note: While testing, I recommend that you completely flush your browser cache before testing any new changes to your code -- Stale cached server responses can cause a lot of problems and confusion in testing!

Jim

Thank you ever so much for your prompt, exhaustive and most importantly accurate answer!

Your suggestions do indeed solve the problem.

Some findings:

• Apache serves /library and the corresponding authentication prompt even if the new condition: RewriteCond %{REQUEST_URI} !^/library/ is left out. Thus it seems as if it’s the specification and creation of the error-401.html file that does the trick. Or is the condition necessary for some other reason?
  
  
• The custom error page (error-401.html) does not display. I get "Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request."

Of-course if I place the error-401.html file in another, not password protected, directory and specify it in /library/.htaccess it displays nicely, but is that necessary?

Thanks in advance!

Best Regards

//ZM

Thanks to both of you. This solved a problem I had a while back, and just encountered again today. So - TWO PROBLEMS SOLVED. ;-)

Apparently here is what happens:

When checking if a destination exists,
* And if an .htaccess doc exists there
* And if it requires authentication
* And IF NO 401 DOC EXISTS

then the authentication cannot proceed,
and we are sent to WordPress's default 403 behaviour.

Simply by declaring and creating a valid 401 document
*not in* the protected directory, *then* the 'protected
directory' behavior works with the Wordpress code.

To summarize what I've done - and believe to be the minimal implementation:

I created 2 files:

/Forms/401.html

AUTHENTICATION REQUIRED
If you have been granted access,
you will have an email with user
and password details.

/protected-dir/.htaccess

ErrorDocument 401 /Forms/401.html
AuthType Basic
AuthName "Paid Member"
AuthUserFile "/home/acct/.htpasswds/public_html/protected-dir/passwd"
require valid-user

Cheers,
Tim

[edited by: jdMorgan at 4:33 pm (utc) on July 5, 2008]
[edit reason] No URLs, please -- See TOS. [/edit]