password protect

I have for my php application a virtual location "/backend/" which I like to have password protected. I also using "rewrite" rules at the root context so the requests get routed to my "/index.php". I noticed when I have a root context "/" with rewrite rules the "Realm" protected context...

I'm able to password protect the admin area but there are plugins that still need access to admin-ajax.php. Does anyone know how to make this work? I tried adding /wp-admin/admin-ajax.php as an allowed context, placed before blocking /wp-admin/ with basic auth. This did not work. (but I could...