Add some basic brute force protection please

For Apache servers, it only takes a few lines in .htaccess to do what you’re asking. I’m sure nginx has counterpart directives if you’re on that server. These directives kick in before ClassicPress is loaded.

# A message for those denied access.
ErrorDocument 401 "Denied"

# To password-protect the login/admin.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/path/to/your/.htpasswd"
require valid-user
</Files>

# To prevent access to xmlrpc.php.
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

One and done. If you don’t get past the server’s user/pass prompt, ClassicPress isn’t even loaded. If you do pass the prompt, then you get the normal login page where you can then log in as usual.

3 Likes
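The nginx counterpart of the two Apache blocks above, as an added example that is not part of the original post. The site root, server name, PHP-FPM socket and the location of the password file are assumptions; only the exact-match `location` blocks are the point.

```nginx
# Hypothetical server block; paths, names and the PHP-FPM socket are assumptions.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/classicpress;
    index index.php;

    # Counterpart of <Files wp-login.php>: the server's Basic-auth prompt is
    # answered before the request is ever handed to PHP/ClassicPress.
    # The exact-match location wins over the regex .php location below, so
    # the fastcgi directives have to be repeated here.
    location = /wp-login.php {
        auth_basic           "Secure Area";
        # Create with the htpasswd tool (apache2-utils); the default apr1
        # hashes are accepted by nginx. Keep the file outside the web root.
        auth_basic_user_file /etc/nginx/.htpasswd;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Counterpart of the xmlrpc.php block: nginx answers 403 itself and
    # ClassicPress is never loaded for these requests.
    location = /xmlrpc.php {
        deny all;
    }

    # Everything else goes to PHP as usual.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Check it with `nginx -t` before reloading; an unauthenticated request to /wp-login.php should return 401 and /xmlrpc.php should return 403 without any PHP log entry.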