WordPress 5.4 & htaccess prompt on every page in Firefox

Updated: June 10, 2020

When it rains, it pours. A few weeks ago, I wrote an article on the WordPress cURL error 28 issue that I spotted on my books-only website, which seems to be caused by having an htaccess file in the wp-admin directory. This wasn't a problem until the WordPress 5.4 update, but now it seems it is. Well, since I know what the source is, I can ignore it.

A side effect of keeping the htaccess in place is that there will be a prompt to authenticate on EVERY page on the website - the kind of prompt you would expect only when trying to access the restricted page(s) - and this phenomenon seems to be limited to Firefox. Thinking myself a special snowflake, I went about a-readin' and a-testin', and found a support topic on the WordPress site, where someone discussed a very similar if not identical phenomenon. So I decided to do some more investigating, and figure out what gives.

The problem in more detail

Well, there's not much to say. Ordinary people who browse the site in Firefox will see an authentication window prompt that has nothing to do with them. This is annoying, distracting - and unnecessary. So we need a way to fix this, without actually removing the .htaccess file. That's always an option, but contradictory to the whole purpose of having one in the first place.

Solution (or rather, workaround again)

Witchcraft isn't my forte, but witchcraft is what is necessary here. I spent a while reading, trying to figure out why WordPress would be throwing authentication prompts when not needed. One thing caught my eye, and that's the WordPress 5.4 "read this first" master list. There, I looked for anything related to .htaccess files, and found the following mention:

Resave your Permalink settings. In a few cases, we've seen third-party installers, such as Softaculous, creating sites with slightly incorrect rules in the .htaccess file. While these rules would not have been a problem in previous versions, having these incorrect rules can break the REST API in newer versions. Resaving the permalinks on the Settings | Permalinks page in WordPress will fix these rules in the .htaccess file, and possibly fix "failed" errors in the new editor.

Emphasis on the new editor - which I'm not using actually. This also looks related to our cURL error 28 snag we explored previously. So I decided to see whether this makes any difference. I compared my "old" and the newly created .htaccess files, specifically the parts auto-generated by WordPress. There were some tiny changes.

Well, resaving the permalinks did fix the .htaccess prompt issue - but the cURL error 28 remains in place as long as the .htaccess file is used. All of this leads me to believe that there's something quite buggy in WordPress 5.4, and again, something that seems to trigger different behavior in Firefox.

Alternative solution: favicon

One of my readers contacted me about my previous article. Over a course of a few correspondences, I highlighted the fact the issue only occurs in Firefox, which led the reader to conduct some additional testing of their own, and they found out that the problem is most likely caused by a missing site icon (favicon). When there's none, a default is loaded, from inside the admin directory, which then triggers the authentication prompt in Firefox. You may want to try this and see if this works for you.
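To check a site for this condition, the added example below (not part of the original article) lists which automatic fetches from a public page end up inside the protected directory, including the implicit /favicon.ico request browsers make when no icon is declared. The host books.example, the file names and the recorded redirect are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that trigger an automatic fetch, and the attribute holding the URL.
FETCHING_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

class SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.declares_icon = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        url = attrs.get(FETCHING_ATTRS.get(tag, ""))
        # <link> is only fetched for some rel values (not e.g. canonical).
        if url and (tag != "link" or {"icon", "stylesheet"} & set(rel)):
            self.urls.append(url)
            self.declares_icon |= tag == "link" and "icon" in rel

def protected_fetches(html, page_url, protected_prefix, redirects=None):
    """Return (requested, final) URL pairs that land under protected_prefix."""
    redirects = redirects or {}
    collector = SubresourceCollector()
    collector.feed(html)
    requested = [urljoin(page_url, u) for u in collector.urls]
    if not collector.declares_icon:
        # With no icon declared, browsers ask for /favicon.ico on their own.
        requested.append(urljoin(page_url, "/favicon.ico"))
    site, hits = urlparse(page_url).netloc, []
    for url in requested:
        final, seen = url, set()
        while final in redirects and final not in seen:  # loop-safe redirect walk
            seen.add(final)
            final = redirects[final]
        target = urlparse(final)
        if target.netloc == site and target.path.startswith(protected_prefix):
            hits.append((url, final))
    return hits

# Constructed sample: a front page without a site icon, plus a constructed redirect
# record standing in for a default icon being served from the admin directory.
SAMPLE_HTML = ('<html><head><link rel="stylesheet" href="/wp-content/themes/x/style.css">'
               '</head><body><img src="/wp-content/uploads/cover.png"></body></html>')
SAMPLE_REDIRECTS = {"https://books.example/favicon.ico":
                    "https://books.example/wp-admin/images/default-icon.png"}

if __name__ == "__main__":
    for asked, final in protected_fetches(SAMPLE_HTML, "https://books.example/", "/wp-admin/", SAMPLE_REDIRECTS):
        print(f"{asked} -> {final}")
```

Any pair it reports is a request an anonymous visitor's browser makes into the password-protected directory; an empty result after setting a site icon means the page no longer does so.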

Conclusion

I am truly, deeply not happy having to write this kind of article, because I'm only half-helping you. I am exposing problems, weird ones at that, and providing workarounds, but I don't feel at ease, because we're still dealing with buggy underlying code. Somehow managing to miraculously make the "bad error" go away does not inspire confidence. It boils down to how WordPress 5.4 works, and there's something fundamentally different in how it handles authentication.

Furthermore, I don't have anything smart to say why this only manifests in Firefox. I will continue playing some more, but at the moment, the best I can give you is the workaround above, plus the information I've shared in the previous article. Peace, fellas. And if you have any thoughts, please share them.

Cheers.