So I have found that the regular Directory Protection feature in CPanel does not work straight out of the box with WordPress installs. In the below code after you setup a protection through CPanel you can take the provided data and customize it to match what is below. In this example the directory path is being password protected. The first requirement is saying that a valid-user is being required, setting permission order of deny first with a deny from all. Then checking to see if the IP address matches the one provided so you can set an IP that doesn't have to enter in a password. Then the Satisfy Any says if someone enters in a password or is from that IP address then allow them in. Also sets an ErrorDocument 401 default so that if someone doesn't log in correctly it shows the default error as occasionally I find that it shows an incomplete page from the site.
AuthName "Username and password required"
<Limit GET POST>
Deny from all
Allow from xxx.xxx.xxx.xxx
ErrorDocument 401 default