IMHO this is not the best method of protecting your WP Admin. IPs can be spoofed. This method also restricts you to specific IPs which can be annoying if you wish to access it from a different office/location.
I’d recommend either a simple server-based password protection on the wp-admin directory. Of course, the downside is that this requires that you remember the password, or use a very secure web-based centralised password system and just remember one password for everything.
Read this for instructions:
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
Best idea is 2 factor authentication though, ie. a password and then a SMS to your phone, or similar double-step process.
There’s no one single answer for everyone – but I believe that in most cases there has to be a balance between practicality and tight security.
If you really want to shut it down, deny all in htaccess, and then SSH into the server whenever you wish to change it to temporarily allow access from the specific IP you are using and change it back once you’re done – you could combine that with 2 factor auth and I’d doubt anything would ever get through.
Brute force attacks often rely on sending direct POST requests to your wp-login.php, so requiring that your domain is the referrer for any POST requests can help stop bots.
Another way you can protect your WordPress site is by including a link to your login and then only allowing login requests from your domain name. (Replace example.com with your domain).
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
And inhibiting access to xmlrpc.php can substantially reduce attacks, however some external services may be affected by this:
<Files ~ "xmlrpc.php">
Order allow,deny
Deny from all
</Files>