I have two .htaccess files: In the web site base folder and one in wp-admin to stop access to it.
base folder : You can add Options – Indexes to stop browsing.
WP-Admin folder: I add
Require ip for both ipv4 and ipv6. I add my workstation, server that hosts the web site, external addresses that I might use. You also add these into /etc/hosts or your Windows hosts file.