There are many helpful articles like this one that explain how to add “another level of security” to your website by password protecting access to the /wp-admin folder.
The trouble with doing this is that you break ALL ajax in WordPress for non-logged in users.
This page in the WordPress codex explains how plugin developers should implement ajax. Specifically:
Note 2: Both front-end and back-end Ajax requests use admin-ajax.php
Remember, admin-ajax.php lives in /wp-admin/admin-ajax.php.
So by password protecting that directory you’re blocking access to that script which means that all publicly accessible AJAX functionality for WordPress breaks.
Every week I get an email or two from someone who has password protected this directory and wonders why a specific function in our plugin (that relies on a public ajax handler) doesn’t work and I have to explain the above.
Curated reading for bright minds