I have a static IP and always like to lock down admin access to my own IP using htaccess. Everyone else gets a 403 page. Took a while to work out how to do this with Grav, so posting here in case others need it as well.
This needs to go after RewriteEngine On in the main htaccess file.
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !=aa.bb.cc.dd
RewriteRule ^(.*)$ - [R=403,L]
You can define multiple allowed IP addresses by adding extra lines. And obviously if you have renamed the admin path in the config then use that instead.