This really should be standard. Password protection plugins are unreliable, even with exceptions for their cookies. Then the htaccess method of password protection has proven to be a major hassle, and in my case, continues to give me internal server errors. My workaround was to create staging applications for any dev sites and completely disable the main application. However, this should be totally unnecessary. Given we sometimes have to develop a site on the default Cloudways URL because the live site is elsewhere, this password protection thing should really be a basic feature.