Logging in to WordPress is at the application level. You can also have a server login before getting to WordPress. This 2-step login makes your site much more secure.
Once you know how, adding this server login is actually quite easy to do.
Unlike plugins that might change parts of WordPress itself, this doesn’t change anything about WordPress; this uses the server’s security, so only people you say are permitted to execute programs.
The most important folder to protect is wp-admin/ since it has, obviously, all the administrative programs for WordPress. Or, you can protect the wp-login.php file.
One essential step is generating an encrypted version of the password you want to use. Then you have to know where to install the encrypted password, and how to tell your server to require the password for the files you want to protect.
See my .htpassword tool for instructions and an easy way to generate the encrypted password your server would use.