RewriteCond is not considered in default WordPress htaccess

Solution:1

Found the issue!!!

In general, Apache does the rewrite phase before the authorization phase, which is why your code performs the rewrite without ever asking the user to authenticate. https://stackoverflow.com/a/13295036/7664726

I had to add it to the .htaccess in the website root:

RewriteCond %{LA-U:REMOTE_USER} !^$

So my final .htaccess is this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule . /index.php [L]
</IfModule>

Thanks to all the people in the comment section for helping me solve this issue.

Solution:2

Instead of modifying the root .htaccess file, it may be preferable to simply disable the rewrite engine in the /stats/.htaccess file. Since mod_rewrite is not inherited (by default), this should prevent the WordPress front-controller in the root .htaccess file from being processed.

For example, in /stats/.htaccess:

RewriteEngine Off

AuthType Basic
: etc.
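
A check to run after applying either solution, added here as an example and not taken from either answer: it requests the protected path without credentials and reports whether Apache answers with a Basic auth challenge or the request was served without one. The URL is passed on the command line, and the three verdict labels are names chosen for this example.

```python
"""Check that a protected path answers with a Basic auth challenge."""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5.0):
    """Request url with no credentials; return (status, WWW-Authenticate)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        # 401 and unfollowed 3xx responses arrive here.
        return err.code, err.headers.get("WWW-Authenticate", "")


def verdict(status, challenge):
    """Classify the unauthenticated response (labels are this example's own)."""
    if status == 401 and challenge.lower().startswith("basic"):
        return "protected"       # auth phase ran and challenged the client
    if status in (301, 302, 303, 307, 308):
        return "redirected"      # inspect the redirect target separately
    return "not-protected"       # answered without asking for credentials


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, challenge = probe(sys.argv[1])
        print(sys.argv[1], status, verdict(status, challenge))
    else:
        print("usage: check_auth.py <url-of-protected-directory>")
```

A "not-protected" result for the /stats/ URL means the request was answered without an authentication challenge, which is the symptom described in the question.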