htaccess – How have I misconfigured basic auth for my wordpress site?

I’ve installed WordPress on a bare Ubuntu20-04 box following Digital Ocean’s guide.
Now I want to password protect the entire site but as I can’t find any plugins that protect uploaded files and images, I’m attempting to use basic auth.

So I’ve created a .htpasswd file

-rw-r--r-- 1 root root 132 Jan 12 00:07 /etc/wordpress/.htpasswd

I’ve edited /var/www/mysite.com/.htaccess (substituting a real domain for mysite)
to read:

# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - (E=HTTP_AUTHORIZATION:%{HTTP:Authorization})
RewriteBase /
RewriteRule ^index.php$ - (L)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php (L)
</IfModule>

# END WordPress
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/wordpress/.htpasswd
require valid-user

But the site still loads happily without my desired ugly login prompts.
…what am I doing wrong?

Alternative solutions to basic auth are welcome but I thought that appeared to be the simplest route to protecting uploaded content. (it’s for hosting info about an apartment block for the block’s inmates and some things eg meeting minutes are semi-confidential – if people have to log in once per session to access the site I don’t mind)