mod_rewrite and HTTP Basic auth

I’ve got WordPress installed in the root directory of my web server, and it puts the following rewrite rules into the root .htaccess:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

In the subdirectory forum is another PHP application that needs to be protected by HTTP Basic auth. As you would expect there is a .htaccess file in the forum directory which looks like this:

AuthType Basic
AuthName MembersArea
AuthUserFile /home/user/public_html/needsecure/.cnk-htpasswd_db/.1_htpasswd
require valid-user

Now the RewriteCond statements in the root .htaccess file should, as far as I can tell, ensure that if a user visits a subdirectory directly then no rewriting should occur. Same for a physical file, and for files named index.php. Yet when visiting /forum, /forum/ or even /forum/index.php the WordPress 404 page shows.

I tried excluding the forum directory from the rewrite rules altogether with

    RewriteCond %{REQUEST_URI} ^forum/

before the final rewrite rule, which didn’t work. I also tried

    RewriteRule ^forum(.*)$ - [L]

above all the other rules, and that too didn’t work. I even tried RewriteEngine Off in forum/.htaccess and that didn’t work.

If I remove the WordPress rewrite rules it fixes the problem, and if I remove the basic auth rules it fixes the problem. It’s only when both are present that it goes wrong: It’s as if the basic auth completely breaks the rewrite conditions. Is this a known thing?

Any suggestions? This is getting on my nerves now, I’ve been messing with it all night.