Ok, in order to harden your WordPress installation, the easiest and fastest thing you can do is to add another layer of authentication to wp-admin area.
If your web server is Apache, you can use htaccess files to do this.
First, create the user and password file. Use a Htpasswd generator and make sure to put the path outside the document root of your website.
Now, you need to edit two .htaccess files.
The one in wp-admin/.htaccess (create it if it doesn’t exists) should contain these lines:
#Avoid the too many redirects error
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
Order allow,deny
Allow from all
Satisfy any
#Basic authentication
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/.htpasswd"
require valid-user
And in the main .htaccess file from the document root of your website, add these lines after the WordPress rewrite rules:
#Avoid the too many redirects error
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/.htpasswd"
require valid-user
I’ll update this post with the nGinx configuration, if that’s your case.