A secure way to protect your site’s admin area is to lock it down with .htaccess.
There are two parts to protecting the WordPress Admin. First, add the following directives to your site’s root .htaccess file:
    <Files wp-login.php>
        AuthUserFile /path/to/.htpasswd
        AuthName "Restricted Area"
        AuthType Basic
        Require user username
    </Files>
This protects the login page, which is outside of the actual admin directory. So next we want to secure the /wp-admin/ directory. Add the following directives to /wp-admin/.htaccess:
    <Files *.php>
        AuthUserFile /path/to/.htpasswd
        AuthName "Restricted Area"
        AuthType Basic
        Require user username
    </Files>
With both of these blocks in place, all requests for the login page or anything in the admin area will require a valid username/password. Note that in order for these directives to work, you need to create a proper .htpasswd file and specify its path in both blocks of code.
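The .htpasswd file that both blocks point to can be created with Apache's htpasswd utility. The shell functions below are an added example, not part of the original post; the document root, file location and user name in the usage comment are placeholders to replace with your own.

```bash
# Added example: create the .htpasswd file referenced by AuthUserFile.
# All paths and the user name shown in the usage comment are placeholders.

# Succeeds only if $2 is an absolute path that is NOT under the document
# root $1, so the password hashes can never be requested over HTTP.
outside_docroot() {
    local docroot="${1%/}" file="$2"
    case "$file" in
        /*) ;;                       # AuthUserFile should be an absolute path
        *)  return 1 ;;
    esac
    case "$file" in
        "$docroot"/*) return 1 ;;    # inside the web root: refuse
    esac
    return 0
}

# Create the file, or add/update a user in an existing one, with a bcrypt hash.
# Usage: create_htpasswd /var/www/html /etc/apache2/.htpasswd username
create_htpasswd() {
    local docroot="$1" file="$2" user="$3"
    outside_docroot "$docroot" "$file" || {
        echo "refusing: $file must be absolute and outside $docroot" >&2
        return 1
    }
    command -v htpasswd >/dev/null || {
        echo "htpasswd not found (it ships with the Apache utilities)" >&2
        return 1
    }
    if [ -e "$file" ]; then
        htpasswd -B "$file" "$user"      # keeps existing entries; prompts for password
    else
        htpasswd -B -c "$file" "$user"   # -c creates the file; prompts for password
    fi || return 1
    # Owner and group only. The web server user must own the file or be in
    # its group, otherwise Apache cannot read it and the login will fail.
    chmod 640 "$file"
}
```

Use the same absolute path for AuthUserFile in both .htaccess files, and the same user name in the Require user lines.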
Content retrieved from: https://wp-mix.com/protect-wordpress-admin/.