plugins - Security and .htaccess in WordPress

UPDATE : When I first posted my answer I missed the crux of the question; my answer was about .htaccess security in general and isw listed below the double line (look down if it interests you.) Unfortunately I don have specific experience with securing /wp-admin/ using .htaccess so I'll simply list the two resources I will pursue when and if I need it:

• Hardening WordPress with .htaccess
• AskApache Password Protection, For WordPress

The first one recommends the following (and here is some discussion about it .)

<Files ~ "\.(php)$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any</Files>

The latter has lots of information, especially in the comments, but admittedly providing you a list to read ist the answer you were looking for.

Sorry I couldn have been more helpful on this one.

========================================

Typically WordPress only has the following which handled permalink processing and ist related to security:

# BEGIN WordPress<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]</IfModule>
# END WordPress

Recently I've found the WP htacess Control plugin that manages a lot of .htaccess for you and I rather like it a lot. After tweaking it's settings it added the following options:

# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Disable directory browsing
Options All -Indexes
# WPhtC: Protect WP-config.php<files wp-config.php>
order allow,deny
deny from all</files>
# WPhtC: Protect .htaccess file<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all</files>

It also added these options which are about performance instead of security:

# WPhtC: Setting mod_gzip<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*</ifModule>
# WPhtC: Setting mod_deflate<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678]-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary</IfModule>

Beyond this one there are some plugins I haven tried but that are focused on security and that interact with .htaccess - you might try them each just to see what they do to the .htaccess file:

• WP Super Secure and Fast htaccess ( also )
• BulletProof Security
• Silence is Golden Guard
• WP-BlockYou
• Stealth Login
• HTTP Authentication
• AskApache Password Protect

Beyond that, if you want to know the (IMO) #1 expert resource on Apache security related to WordPress you can find it on AskApache.com ; dude is hardcore! His blog won solve your " too much information " problem but at least you can view it as an authoritative resource!

Here are some examples (thought all are directly WordPress related they all are applicable):

• Advanced WordPress wp-config.php Tweaks
• Example .htaccess for WordPress
• Advanced WordPress 404
• Mod_Security .htaccess tricks
• .htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

Anyway, hope this helps.