When using WordPress with candied URLs you are using .htaccess files to do URL rewrites to make the more human and google friendly URL version. It turns out that when you try to access a subdirectory that is password protected it returns the web server responds with a “401 Unauthorized” header and an optional error document, then prompts the user for Authentication details. When rewrite rules are in place, the default error document path used by the web server is evaluated using the rewrite rules. If an actual error document does not exist in the default error document path, this is passed on to the CMS for parsing. In this case, since the file is not found, the CMS gets confused and displays a 404 error rather than a 401, causing the web server to not even prompt for authentication.
The fix is to add the following line to your .htaccess file:
ErrorDocument 401 default
When the code is matched it just does nothing to the URL and exits.