There are a lot of ways to protect and lock down subdomains, folders, and even specific files. The preferred, reliable, and easiest way to do this is using .htaccess and .htpasswd files.

Block All, Except IPs you set

Order Deny,Allow 
Deny from all
Allow from 111.222.333.444   # Single IP
Allow from 111.222.333.0/99  # Range from .0 to .99

Set a Username and Password

To set a login and block everything else on a folder or subdomain, you need two files.

.htaccess tells us what type of Authentication and where to look for it.

.htpasswd stores the username and password the .htaccess looks for. It can also store multiples if you want to give users their own unique login.

.htaccess file:

AuthType Basic
AuthName "Protected"
AuthUserFile /my/path/to/.htpasswd
Require valid-user

.htpasswd file:

here is an example of username: user, password: password

user:$apr1$ZuZXm5r4$UqiQ7QOz.kc47U/HTVNWa0

You’ll need to generate your password for these, I recommend the generator from htaccesstools.com

Further Reading

You can do a lot with .htaccess, if you want to dive deeper here are some links:

• Apache Docs
• stackoverflow comment on Order Deny,Allow