Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress.
This entry was posted in Wordfence, WordPress Security on May 7, 2014 by Mark Maunder
There are many helpful articles like this one that explain how to add “another level of security” to your website by password protecting access to the /wp-admin folder.
The trouble with doing this is that you break ALL AJAX in WordPress for non-logged-in users.
This page in the WordPress Codex explains how plugin developers should implement AJAX. Specifically:
Note 2: Both front-end and back-end Ajax requests use admin-ajax.php
Remember, admin-ajax.php lives in /wp-admin/admin-ajax.php.
So by password protecting that directory you’re blocking access to that script, which means that all publicly accessible AJAX functionality for WordPress breaks.
Every week I get an email or two from someone who has password protected this directory and wonders why a specific function in our plugin (that relies on a public ajax handler) doesn’t work and I have to explain the above.
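A quick way to confirm the breakage described above on your own site, as an added example that is not from the original post: it requests admin-ajax.php anonymously and reports whether the web server demands credentials before WordPress ever sees the request. The function names and the example.com URL are assumptions made for illustration.

```python
import sys
import urllib.error
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php"  # location given in the post


def classify(status, headers):
    """Interpret an anonymous response from admin-ajax.php.

    headers: dict of lower-cased header names to values.
    Returns (verdict, explanation).
    """
    if status == 401:
        # A 401 comes with a WWW-Authenticate challenge naming the scheme.
        challenge = headers.get("www-authenticate", "")
        scheme = challenge.split(" ", 1)[0] or "unknown"
        return "blocked", f"HTTP {scheme} auth required; public AJAX will fail"
    if status == 403:
        return "blocked", "access denied by a server rule; public AJAX will fail"
    if status == 404:
        return "missing", "admin-ajax.php not found at this path"
    # Any other status means the request was not stopped by directory auth.
    return "reachable", f"HTTP {status}: request got through to the script"


def probe(base_url, timeout=10):
    """Fetch admin-ajax.php without credentials and classify the result."""
    url = base_url.rstrip("/") + AJAX_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, hdrs = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # raised for 4xx and 5xx replies
        status, hdrs = err.code, err.headers
    return classify(status, {k.lower(): v for k, v in hdrs.items()})


if __name__ == "__main__":
    # Usage: python check_ajax.py https://example.com  (hypothetical site URL)
    verdict, why = probe(sys.argv[1])
    print(f"{verdict}: {why}")
    sys.exit(0 if verdict == "reachable" else 1)
```

A "blocked" verdict means visitors who are not logged in get the same refusal for every plugin feature that calls a public AJAX handler.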