One of the problems is that the WordPress Ajax handler script is located in the admin directory. So password-protecting the admin area will break all Ajax functionality your blog might be using.

First, see this tutorial on how to password protect directories with an .htaccess file. Sivel has an example for whitelisting the Ajax handler, add these line to your .htaccess file:

# These are the lines that do the password protection.
# You probably already created them while reading through the tutorial linked above.
AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user
 
# This is the whitelisting of the ajax handler
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 
</Files>

Please notice that you absolutely need to create the htpasswd file, see the linked tutorial above.

Here’s the necessary configuration to whitelist a file in a password protected location in lighttpd:

$HTTP["url"] =~ "^\/wp-admin\/.*" {
    $HTTP["url"] !~ "^\/wp-admin\/admin-ajax\.php" {
        auth.require = (
            "" => (
                "method" => "basic",
                "realm" => "Password protected area",
                "require" => "user=theuser",
            ),
        ),
    },
},

Another problem can happen when you use cookies. If not done correctly, your user’s cookie won’t be available to the website when they were stored under www.domain.com and he uses domain.com the next time he visits. See the cookie specs for more details.

A quick research led me to a solution for apache that I didn’t like too much. It involves using mod_rewrite. mod_rewrite is a great tool, but there’s a better solution for redirecting to your main domain from subdomains or second level domains. Simply use a catchall virtual host in your apache host configuration file(s) to do the redirects. This will solve all the SEO, caching and cookie issues, and it will save some CPU cycles compared to the mod_rewrite or higher level solutions.

# NameVirtualHost *:80
 
<VirtualHost *:80>
    ServerName www.domain.com
    # This is your main domain
</VirtualHost>
 
<VirtualHost *:80>
    ServerName domain.com
    ServerAlias *.domain.com
    # This is to make sure that foo.domain.com gets redirected too
    # If you want to use more virtual hosts on subdomains,
    # just define them earlier
    Redirect / http://www.domain.com/
</VirtualHost>

Please refer to the mod alias docs to decide which Redirect you need, this example uses a 302.

For lighttpd you can use this:

$HTTP["host"] =~ "domain\.com" {
    $HTTP["host"] != "www.domain.com" {
        url.redirect = (
            "^(.*)$" => "http://www.domain.com$1",
        )
    }
}

By the way, if you’re an IIS user, you might want to read this.