I came up with an idea to improve my WordPress security.
The login page is always /wp-admin. So that's easy for hackers. I know you can block all the calls to /wp-admin except from your own IP address. But that's often not a solution because you want to be able to upload posts etc. from everywhere, not just home.
Is it not a solution to block /wp-admin except if the call is made from, let's say, /secretlogin? And you let /secretlogin redirect to wp-admin. Will this work? If yes, how do I manage this with htaccess?
You can do that with .htaccess:
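# Needed once per .htaccess; harmless if WordPress has already turned it on.
RewriteEngine On
# Referer is not a page on this site AND the request is for wp-admin OR wp-login.php
RewriteCond %{HTTP_REFERER} !^https?://www\.your_domain\.com/ [NC]
RewriteCond %{REQUEST_URI} ^/wp-admin [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
# Send those requests to the homepage instead of the login form.
RewriteRule ^ /homepage.htm [R=302,L]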
Finally I used your method, as it is easier to add. You need to use a link from your /secretlogin page.
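How the three conditions in the answer combine, as an added example that is not part of the original thread: a small Python model of mod_rewrite's condition chaining (implicit AND, with [OR] binding a condition to the next one) run over constructed requests. The function names and sample requests are assumptions made for illustration; the rule itself only inspects the client-supplied Referer header, so it filters requests by what they claim rather than authenticating them.

```python
import re

# The answer's three RewriteCond lines: (test variable, pattern, flags).
CONDS = [
    ("HTTP_REFERER", r"!^https?://www\.your_domain\.com/", {"NC"}),
    ("REQUEST_URI", r"^/wp-admin", {"NC", "OR"}),
    ("REQUEST_URI", r"^/wp-login\.php", {"NC"}),
]

def cond_matches(value, pattern, flags):
    """One RewriteCond: unanchored regex, leading '!' negates, NC ignores case."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value, re.I if "NC" in flags else 0) is not None
    return hit != negate

def rule_fires(request, conds=CONDS):
    """Chain conditions as mod_rewrite does: AND by default, [OR] joins to the next."""
    i = 0
    while i < len(conds):
        var, pattern, flags = conds[i]
        ok = cond_matches(request.get(var, ""), pattern, flags)
        if "OR" in flags:
            if ok:
                # Skip the rest of this OR group, including its last (non-OR) member.
                while i < len(conds) and "OR" in conds[i][2]:
                    i += 1
        elif not ok:
            return False
        i += 1
    return True

def decide(uri, referer):
    """Outcome of the RewriteRule for one request (a missing Referer is '')."""
    fires = rule_fires({"REQUEST_URI": uri, "HTTP_REFERER": referer})
    return "302 /homepage.htm" if fires else "pass"

# Constructed sample requests: (REQUEST_URI, Referer header).
SAMPLES = [
    ("/wp-login.php", ""),                                         # typed or scanned directly
    ("/wp-admin/", "https://other.example/"),                      # link from another site
    ("/wp-login.php", "https://www.your_domain.com/secretlogin"),  # link on /secretlogin
    ("/wp-admin/post.php", "https://www.your_domain.com/wp-admin/"),  # working in the dashboard
    ("/2020/01/hello/", ""),                                       # ordinary page, rule not relevant
]

if __name__ == "__main__":
    for uri, referer in SAMPLES:
        print(f"{uri:22} Referer={referer or '-':45} -> {decide(uri, referer)}")
```

The Referer pattern matches any URL on the site, so a link from any page of `www.your_domain.com` passes the check, not only the one on /secretlogin.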