Here is part of a multisite plugin I wrote that forces a user to log in. It requires a user to be registered for the site, not just to be a network user. It could be modified to check whether the user has a higher role. I modified it to fit the OP's requirements.
// Register the login gate on `init` at priority 5, ahead of the default priority of 10.
add_action( 'init', 'registration_check', 5 );
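/**
 * Force anonymous visitors to log in before they can use the site.
 *
 * Hooked on `init`. Logged-in users pass straight through. Any other request
 * is handed to auth_redirect(), which sends the visitor to the login form,
 * unless the executing script is one of the excluded core entry points.
 *
 * Security notes:
 * - The executing script is taken from SCRIPT_NAME rather than PHP_SELF.
 *   PHP_SELF also carries any PATH_INFO the client appended to the script
 *   path, so its basename is client-influenced and must not drive an access
 *   decision. SCRIPT_NAME holds only the script path.
 * - Every script in the exclusion list stays reachable without a session.
 *   xmlrpc.php, wp-app.php and wp-trackback.php do their own authentication
 *   or none at all; drop any the site does not need.
 * - This gate only runs for requests that load WordPress. Files served
 *   directly by the web server (for example uploads) are not covered.
 *
 * @return void
 */
function registration_check() {
    if ( is_user_logged_in() ) {
        return;
    }
    // if ( current_user_can('read') ) { return; } // orig for multisite

    // Base list of scripts that are EXCLUDED from being blocked.
    $exclusions = array(
        'wp-login.php',
        'wp-register.php',
        'wp-cron.php', // Just in case
        'wp-trackback.php',
        'wp-app.php',
        'xmlrpc.php',
    );

    // SCRIPT_NAME can be missing outside a web request; treat that as "no match".
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( (string) $_SERVER['SCRIPT_NAME'] ) : '';

    // If the current script is in the exclusion list, leave the request alone.
    // Strict comparison avoids loose type juggling in the membership test.
    if ( '' !== $script && in_array( $script, $exclusions, true ) ) {
        return;
    }

    // if ( is_user_logged_in() ) { wp_die('<strong>You are logged in but do not have enough privileges to access this site.</strong>'); } // orig for multisite

    // Still here? Then redirect to the login form.
    auth_redirect();
}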