Protecting wp-admin folder with HTTP authentication adds an additional protection layer for your server. Password protecting the admin area makes it harder to brute-force access (it’s also possible to password protect only wp-login.php).
For hardening the wp-admin folder, create a .htpasswds file for storing the password of the additional authentication (for creating the file manually, you can use this htpasswds generator for example).
Create a .htaccess file to the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses ajax on front-end, therefore make sure to allow /wp-admin/admin-ajax.
The content of the .htaccess file:
AuthUserFile /path/to/.htpasswd
AuthType basic
AuthName “Restricted”
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
