I would like to see some basic protection against brute force attacks on the wp-login.php and xmlrpc.php. At the moment, you will need to add plugins and/or disable access to xmlrpc.php using plugins. I hope to see ClassicPress with a basic protection like a captcha on the login page.
For Apache servers, it only takes a few lines in .htaccess to do what you’re asking. I’m sure nginx has counterpart directives if you’re on that server. These directives kick in before ClassicPress is loaded.
# A message for those denied access.
ErrorDocument 401 "Denied"
# To password-protect the login/admin.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/path/to/your/.htpasswd"
require valid-user
</Files>
# To prevent access to xmlrpc.php.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
One and done. If you don’t get past the server’s user/pass prompt, ClassicPress isn’t even loaded. If you do pass the prompt, then you get the normal login page where you can then login as usual.
I agree with @anon71687268’s approach. I’m a great believer in implementing as many server-side security measures as is reasonably practicable, thus preventing access to CP completely when necessary. The only caveat is that access to the file system is required, although this is not usually a problem for files such as .htaccess and .htpasswd.
And while plugins such as Wordfence and Shield offer useful extra protection and peace of mind, they should be considered a last line of defence imho.