Security and .htaccess

UPDATE: When I first posted my answer I missed the crux of the question; my answer was about .htaccess security in general and is now listed below the double line (look down if it interests you.) Unfortunately I don’t have specific experience with securing /wp-admin/ using .htaccess so I’ll simply list the two resources I will pursue when and if I need it:

The first one recommends the following (and here is some discussion about it.)

<Files ~ "\.(php)$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>

The latter has lots of information, especially in the comments, but admittedly providing you a list to read is not the answer you were looking for.

Sorry I couldn’t have been more helpful on this one.

========================================

Typically WordPress only has the following, which handles permalink processing and is not related to security:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Recently I’ve found the WP htaccess Control plugin that manages a lot of .htaccess for you and I rather like it a lot. After tweaking its settings it added the following options:

# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off

# WPhtC: Disable directory browsing
Options All -Indexes

# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>

It also added these options which are about performance instead of security:

# WPhtC: Setting mod_gzip
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

# WPhtC: Setting mod_deflate
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</IfModule>

Beyond this one there are some plugins I haven’t tried but that are focused on security and that interact with .htaccess – you might try them each just to see what they do to the .htaccess file:

Beyond that, if you want to know the (IMO) #1 expert resource on Apache security related to WordPress you can find it on AskApache.com; dude is hardcore! His blog won’t solve your “too much information” problem but at least you can view it as an authoritative resource!

Here are some examples (though not all are directly WordPress related they all are applicable):

Anyway, hope this helps.
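As an added check (my own example, not code from the answer above or from the WP htaccess Control plugin), here is a small Python audit that parses an .htaccess text and reports whether the hardening directives discussed in this answer are present. The sample .htaccess is constructed from the answer's snippets, and the `audit_htaccess`, `file_blocks` and `block_covers` helpers are hypothetical names.

```python
import fnmatch
import re

# Constructed sample, pieced together from the answer's WPhtC security snippets.
SAMPLE_HTACCESS = """\
ServerSignature Off
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
<files ~ "^.*\\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
"""
OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)\s*>$")

def file_blocks(text):
    # Yield (name, header, body) per <Files>/<FilesMatch> container; body lines lower-cased.
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace
        if m := OPEN_TAG.match(line):
            if m.group(1).lower() in ("files", "filesmatch"):
                current = (m.group(1).lower(), m.group(2), [])
        elif re.fullmatch(r"</files(match)?>", line, re.I) and current:
            yield current
            current = None
        elif current:
            current[2].append(line.lower())

def block_covers(name, header, filename):
    # Apache treats FilesMatch and 'Files ~' headers as regexes, plain Files as globs.
    if name == "filesmatch" or header.startswith("~"):
        return re.search(header.lstrip("~").strip().strip('"'), filename) is not None
    return fnmatch.fnmatch(filename, header.strip('"'))

def audit_htaccess(text):
    # Map each hardening rule from the answer to True/False for the given .htaccess text.
    blocks = list(file_blocks(text))
    denied = ("deny from all", "require all denied")  # Apache 2.2 / 2.4 spellings
    protected = lambda f: any(block_covers(n, h, f) and any(d in b for d in denied)
                              for n, h, b in blocks)
    return {
        "server_signature_off": bool(re.search(r"(?im)^\s*serversignature\s+off\s*$", text)),
        "directory_listing_off": bool(re.search(r"(?im)^\s*options\b.*-indexes\b", text)),
        "wp_config_protected": protected("wp-config.php"),
        "htaccess_protected": protected(".htaccess"),
    }
```

A passing audit only means the directives are present in the file; they take effect only where the server's AllowOverride permits them, and on Apache 2.4 the `order`/`deny` spelling needs mod_access_compat loaded.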
