I think it is a good idea to restrict access to the wp-admin folder in an .htaccess file by using the following lines:
# file location: /wp-admin/.htaccess
order deny,allow
deny from all
allow from 126.96.36.199
Where 188.8.131.52 is my IP address.
But the problem is when some WordPress plugins use AJAX, for example the WooCommerce gross plugin.
One idea is to create a copy of the admin-ajax.php file as admin-ajax-new.php, and create a rule for $_GET['action'], for example:
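// Allow only whitelisted AJAX actions; reject everything else.
$allowed = array('wpmenucart_ajax');
// Avoid an undefined-index notice when no action is supplied.
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
if ( !in_array($action, $allowed, true) ) die('0');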
And allow access to only this file, admin-ajax-new.php, for all IP addresses.
Or somehow allow access in .htaccess to the admin-ajax.php file only when the referer is my exam.ple.com domain.
What will be the best security solution in this case?
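An added configuration example, not part of the original question: one way to keep the IP restriction on /wp-admin/ while exempting only admin-ajax.php, without copying the file. The address 203.0.113.10 is a placeholder, and the Apache 2.4 variant is shown commented out as an alternative.

```apache
# /wp-admin/.htaccess  (added example; 203.0.113.10 is a placeholder address)

# Apache 2.2 syntax, as used in the question
# (on Apache 2.4 these directives require mod_access_compat)
Order deny,allow
Deny from all
Allow from 203.0.113.10

# Exempt only the AJAX endpoint so front-end plugin requests keep working.
# <Files> sections are merged after the directory-level rules above,
# so this overrides the deny for this one file name only.
<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    # Only relevant if HTTP authentication is also configured for wp-admin
    Satisfy any
</Files>

# Apache 2.4 equivalent (mod_authz_core). Use this INSTEAD of everything
# above, not together with it:
#
# Require ip 203.0.113.10
# <Files "admin-ajax.php">
#     Require all granted
# </Files>
```

With this in place admin-ajax.php is reachable from any address, so each registered AJAX action still has to enforce its own checks (for example `check_ajax_referer()` and `current_user_can()`). A rule keyed on the Referer header would not add real protection, because that header is supplied by the client.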