How to Whitelist admin-ajax.php (Ajax Handler)
Several places recommend to block the WordPress admin area with a password. While this certainly is a good idea, implementing it properly is non-trivial.
One of the problems is that the WordPress Ajax handler script is located in the admin directory. So password-protecting the admin area will break all Ajax functionality your blog might be using on the frontend.
To whitelist the Ajax handler, add these line to your /wp-admin/.htaccess file: