You’re mixing apples and oranges: controlling access versus security. What I mean is this: the WordPress Access Control plugin serves the purpose of letting you, as the site administrator, define how and which pages / posts are shown to certain members, i.e. it lets you set the access to the front-end of your site. So, that plugin doesn’t deal with access to (visibility of) the back-end of your site, i.e. anything that’s under the /wp-admin/ directory of your site. And because it’s a WP plugin, it deals with user access within the scope (direct control) of WordPress
On the other hand, applying .htaccess typically is done to control access to parts of your website (e.g. the wp-admin parts) as essentially a security issue. The key here is that .htaccess is not specific to WordPress or even PHP (the internal code “language” spoken by WordPress) but applies generally to anyone accessing the website: it works at the server level, i.e. (much) higher than WordPress. Therefor, if you set access rules via a .htaccess file (by requiring certain valid users and passwords) it is separate from WordPress users. In plain English: you’ll have users (and passwords) defined as “members” within WordPress, and separately from them, users (and passwords) at the .htaccess (server) level to access certain directories. Now, the thing with using .htaccess to password protect the /wp-admin/ folder (directory) is that anyone accessing that directory will be required to enter a valid .htaccess user/password combo. So for example, when a WP “member” user tries to access (to edit) his/her profile – usually via the /wp-admin/profile.php page – that user will have to enter basically two sets of credentials: one to login as a WP user, and another to access the wp-admin back-end.
This is why admins of membership sites have an extra complication when they want to harden their WP installation: they have to either fiddle with code to offer e.g. profile pages outside the back-end (e.g. via a specific page on the front-end) or accept the double credentialing issue, which few “normal” members will understand (and less so like, because it’s user unfriendly)
To successfully (and in a user-friendly manner) combine the two methods (not a bad idea) you’ll have to either make sure that your users (members) understand that they need two sets of access credentials to change their password, or offer a page outside the wp-admin area where they can change their password.
That’s why using a membership type plugin together with .htaccess restriction is hardly recommended, except for advanced admins / coders.
Now, your problem seems to be fairly limited, as you’re just interested in allowing your member users to change their password. That might be solved by resorting to another plugin; instead of the WordPress Access Control I suggest using the functionally somewhat similar but much more powerful WP Members plugin, which is also free. The reason I recommend that other plugin is that you can use shortcodes on “special” pages (access protected by the plugin, i.e. restricting it to certain members only) to let them change their profile information (or just the password).
Good luck!
