Your blogroot .htaccess file should have something similar to:
AuthName "Protected by AskApache"
AuthDigestDomain /wp-admin/ https://www.askapache.com/wp-admin/ https://www.askapache.com/wp-login.php
Require user gravedigger
There is no way to view wp-login.php over remote http(s) unless you login... so there is no way the prompt wouldnt appear (unless you already logged in, logins are cached by all browsers until the browser is closed).
I think the sneakiest problem is all these webhosts don't have errordocuments setup by default... which is truly amazingly bad. Another amazing problem I hear sometimes is that some hosts using various servers that are not always apache are saving money by only updating the server config from a directory-context .htaccess file once an hour, or longer!
Make sure you have setup LOCAL errordocuments (in your blogroot .htaccess)..
ErrorDocument 401 /errordocs/401.html
ErrorDocument 403 /wp-content/403.html
# this just guarantees they will use the right status code, may need.
#Redirect 401 /errordocs/401.html
#Redirect 403 /wp-content/403.html
An example 401 is @askapache.com/show-error-401/, an example 403 is @askapache.com/show-error-403/, actually all 53 errordocuments.