You should define which resources you want to protect. I think you have such choices:
1) Protect whole site
2) Protect only posts (without resources)
3) Protect posts & all resources (but only uploads, not wp-content! otherwise you will break your themes/plugins)
So, as you say you need 3rd way. In such case, you should use htaccess cookie-based redirection:
-
Create
htaccessinwp-content/uploadswhich restricts access to all urls there for users who doesn’t have a cookie “cookie_name” set to value i.e. ‘xyz’:RewriteEngine On
RewriteCond %{HTTP_COOKIE} !cookie_name=xyz; [NC]
RewriteRule ^ https://your_site.com/authorization-page [NC,L] -
Create
authorization-pagewhere should be a form to insert a password (set whatever you want) and if user correctly enters password, then set cookiecookie_nametoxyz.
p.s. just replace xyz and cookie_name with very random characters.