Take the case where you have a WordPress multi-site with many domains pointing to a single virtual host. When the site gets hit with a wp-login.php attack, you want to password protect the wp-login.php script, but just for the targeted site … not for every site in the multisite. Here are the .htaccess rules to accomplish this:
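SetEnvIfNoCase Host "acme.com" requireauth=1
SetEnvIfNoCase Host "widgets.com" requireauth=1
<Files ~ "^wp-login.php">
AuthType Basic
AuthName "******** ATTENTION - To login please enter username 'admin' and password 'letmein' ********"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from env=!requireauth
Satisfy any
</Files>
We set an environment variable based on the Host header and then require a login only from requests that carry that variable. Allow from env=!requireauth admits every request whose Host did not match, and Satisfy any lets a request through if it passes either the host check or Basic authentication, so only the listed sites get the password prompt. The AuthUserFile path is a placeholder; point it at an htpasswd file that contains the account named in the AuthName prompt. These are Apache 2.2-style access directives; on Apache 2.4 they require mod_access_compat.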
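The same per-host rule written for Apache 2.4's native authorization directives, as an added example that is not from the original post. The AuthUserFile path is a placeholder, and the anchored Host patterns are an assumption about which hostnames should trigger the prompt.

```apache
# Added example: Apache 2.4 syntax (mod_authz_core), no mod_access_compat needed.
# SetEnvIf patterns are regular expressions, so "acme.com" matches any Host
# header that contains that text. Anchoring limits the match to the intended
# names (assumed here: the bare domain, its www. alias, and an optional port).
SetEnvIfNoCase Host "^(www\.)?acme\.com(:[0-9]+)?$" requireauth=1
SetEnvIfNoCase Host "^(www\.)?widgets\.com(:[0-9]+)?$" requireauth=1

<Files "wp-login.php">
    AuthType Basic
    AuthName "******** ATTENTION - To login please enter username 'admin' and password 'letmein' ********"
    # Placeholder path: an htpasswd file holding the account announced above.
    AuthUserFile /path/to/.htpasswd

    <RequireAny>
        # Hosts that did not set requireauth pass without a prompt.
        <RequireAll>
            Require all granted
            Require not env requireauth
        </RequireAll>
        # Targeted hosts fail the block above and must authenticate.
        Require valid-user
    </RequireAny>
</Files>
```

To check the result, a request for wp-login.php on a listed host should return 401 without credentials, while the same request on any other host in the multisite should reach WordPress unchanged.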