For Apache servers, it only takes a few lines in .htaccess to do what you’re asking. I’m sure nginx has counterpart directives if you’re on that server. These directives kick in before ClassicPress is loaded.
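```apache
# A message for those denied access.
ErrorDocument 401 "Denied"
# To password-protect the login/admin.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Files>
# To prevent access to xmlrpc.php.
<Files xmlrpc.php>
deny from all
</Files>
```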
One and done. If you don’t get past the server’s user/pass prompt, ClassicPress isn’t even loaded. If you do pass the prompt, then you get the normal login page where you can then log in as usual. This isn’t a guess; I use this very technique on my own site. And here’s how it looks…
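The nginx counterpart that the post mentions but does not show, as an added example that is not part of the original post. The `.htpasswd` path and the PHP-FPM socket path are placeholders and assumptions, not values from the post.

```nginx
# Added example, not from the original post.
# Place inside the site's server { } block.

# Password-protect the login page before PHP (and ClassicPress) runs.
location = /wp-login.php {
    auth_basic           "Secure Area";
    auth_basic_user_file /path/to/.htpasswd;    # placeholder path

    # An exact-match location does not fall through to the generic
    # "location ~ \.php$" block, so PHP handling has to be repeated here.
    # Without it, nginx would return the PHP source as a static file.
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;   # assumption: your PHP-FPM socket
}

# Refuse every request for xmlrpc.php (nginx answers 403).
location = /xmlrpc.php {
    deny all;
}
```

Run `nginx -t` before reloading so a syntax error does not take the site down.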