Aha! That's another matter altogether. What you are seeing there is "battling" .htaccess files.
.htaccess files impact the directory they are in and all directories beneath them in the directory tree. This results in the .htaccess file for WordPress (living, for example, at /home/user/domain.tld) impacting the directory where you have awstats (living, for example, at /home/user/domain.tld/awstats), or any other directory below the "base" of your WordPress install.
This .htaccess file (for WordPress) includes Apache mod_rewrite rules that return the 404 page of the WordPress blog for any request that is not part of the WordPRess "structure" (and WordPress knows nothing about your awstats directory), hence, they intercept the request for yourdomain.com/awstats and return the WordPress related 404 page.
The fix is really easy, and is well documented in the DH Wiki article on making stats available with .htaccess; you just use the concepts/examples there to make the appropriate entries to the WordPress .htaccess file (the one located in the "base" directory of your WordPRess install) to enable the request for your awstats directory to be processed.
Your changes will be slightly different from those detailed in the wiki article, as the example uses the default /home/user/domain.tld/stats directory where DH places analog, but it is trivial to modify that example code to do the same thing for your awstats directory (or any other, for that matter).
There is also lots of discussion/help in these forums on that topic (just search).
Once you have made the appropriate changes to your WordPress .htaccess file, to modify the re-write rules so your awstats directory will be served when requested, your awstats .htaccess file that sets up password protection will come into play, and you will be presented with the authentication dialog when you browse to it.