What is the best method to close off the backend?

The goal: Completely remove the ability to access the WordPress backend on the production domain. Ex. return a 404 for http://example.com/wp-admin

Purpose: I don’t want any possibility of WordPress’ backend being accessed across the Internet. Instead, it will only be accessibly via VPN on an internal domain (i.e. http://example.internal/wp-admin. This ensures that no one could ever brute force attack the login page.

I could restrict logins to a given IP address, but I don’t want to keep up with a list of IPs. I’d prefer to use the security my VPN already offers.

Consider that wp-admin still has to be accessible in some fashion because there could be resources that the frontend calls.

Are there any solutions beyond redirecting wp-login.php somewhere else?

Solutions Collecting From Web of "What is the best method to close off the backend?"

If you know the sub-net of your VPN you could restrict access to /wp-admin via .htaccess using standard Apache rules.

<Directory /var/www/wp-admin/>
  Order deny,allow
  Allow from
  Allow from 127

Obviously you’d need to adjust the directory and IP address subnet to suit your needs.

To restrict access to a specific file:

<Files _FILE_.php>
    Order allow,deny
    Deny from all
    Allow from

Again you can use a sub-net mask to suit your VPN.