I am trying to understand how to secure a WordPress site. One security task I do not understand is this: how important is it to protect the “wp-admin folder”? For example, I would consider limiting login attempts to be highly important.

What is the purpose of protecting wp-admin folder? Is it to prevent a hacker from getting into your WordPress dashboard? But if you protect wp-login.php, how would a hacker even get into the dashboard anyways?

<Files wp-login.php>
order deny,allow
deny from all
allow from xxx.xxx.x.x
</Files>

If you use “Code A”, will you also need to whitelist frontend AJAX functionality and whitelist install.css?

“Code A” – Limit Access to wp-admin folder

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xxx
</LIMIT>

How does “Code A” compare to “Code B”? Would you use one or the other, or both at the same time?

“Code B” – Securing wp-admin Directory

# enable basic authentication
AuthType Basic
# this text is displayed in the login dialog
AuthName "Restricted Area"
# The absolute path of the Apache htpasswd file. You should edit this
AuthUserFile /path/to/.htpasswd
# Allows any user in the .htpasswd file to access the directory
require valid-user

Allow front end Ajax functionality

Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php. To allow anonymous access to this file so that those plugins keep working, add the following to .htaccess:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Update: /wp-admin/css/install.css is also sometimes needed on the frontend, so you should whitelist that as well. Here is the necessary configuration to whitelist a file in a password-protected location in lighttpd:

$HTTP["url"] =~ "^\/wp-admin\/.*" {
    $HTTP["url"] !~ "^\/wp-admin\/(admin-ajax\.php|css\/.*)" {
        auth.require = (
            "" => (
                "method" => "basic",
                "realm" => "Password protected area",
                "require" => "user=theuser",
            ),
        ),
    },
},

1 Answer

But if you protect wp-login.php, how would a hacker even get into the dashboard anyways?

An attacker could try to hijack or forge a valid authentication cookie. Recently there was a possible vulnerability which made it »easier« to forge such a cookie: CVE-2014-0166. It was fixed with version 3.7.3/3.8.3.

How does “Code A” compare to “Code B”? Would you use one or the other, or both at the same time?

If you whitelist wp-admin/admin-ajax.php (like in »Code B«), this script could still act as a contact point for an attacker to verify his cookie forgery and, on success, as an entry point to manipulate data for each AJAX action which is not secured by an additional nonce. But even these could, theoretically, be guessed.

However, if you don’t need AJAX functionality for the public and have the possibility to whitelist all IPs for all your accounts, securing the wp-admin/ directory would reduce possible attack vectors like those described above.

But this method doesn’t protect your site from man-in-the-middle attacks or attacks by infected client computers, because those would pass the whitelist check.

Finally, let me give you a personal classification of your first question:

How important is it to protect the “wp-admin folder”?

In my opinion it is more important to use safe passwords (maybe two-factor authentication), safe secret keys (salts in wp-config.php) and, if possible, always an https connection when you administer your WordPress, from the first request on (request https://…/wp-login.php). Also keep every component up to date and remove unused components (plugin/theme) from the server. After that, you can still consider protecting the wp-admin directory.
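As an added example (not code from the question, the answer, or WordPress itself), here is one wp-admin/.htaccess that combines both approaches from the question, an IP whitelist as in “Code A” and HTTP basic authentication as in “Code B”, where either one is sufficient, together with the admin-ajax.php and install.css exceptions discussed above. It is written for Apache 2.4’s Require syntax rather than the 2.2 Order/Allow/Deny/Satisfy directives shown on this page; the htpasswd path and the IP ranges are placeholders.

```apache
# wp-admin/.htaccess  (added example; paths and addresses are placeholders)
#
# Access to everything under wp-admin/ is granted when EITHER
#   - the client comes from a whitelisted address ("Code A" idea), OR
#   - the client presents valid HTTP basic-auth credentials ("Code B" idea).
# Create the credential file outside the web root, for example:
#   htpasswd -B -c /etc/apache2/wp-admin.htpasswd adminuser
AuthType Basic
AuthName "WordPress Admin Access Control"
AuthUserFile /etc/apache2/wp-admin.htpasswd

<RequireAny>
    # Office / VPN egress addresses (placeholder documentation ranges)
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
    # Everyone else must authenticate against the htpasswd file
    Require valid-user
</RequireAny>

# Exception 1: plugins call admin-ajax.php from the public front end.
# Remove this block if your site needs no public AJAX; the answer above
# explains why leaving it open keeps a reachable entry point.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Exception 2: install.css is sometimes loaded on public pages.
# <Files> matches by file name only; to open the whole css/ directory
# (as the lighttpd rule in the question does) put "Require all granted"
# in a separate wp-admin/css/.htaccess instead.
<Files "install.css">
    Require all granted
</Files>
```

The directory containing wp-admin needs `AllowOverride AuthConfig Limit` (or `AllowOverride All`) in the server configuration for these directives to take effect in a .htaccess file. Because the two Require lines sit inside `<RequireAny>`, a request from a whitelisted address is granted without a password prompt, while everyone else gets the basic-auth dialog; the per-file `Require all granted` blocks replace that rule for the two whitelisted paths only.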
