Yes, using a range of IPs would help. Unless a hacker happens to be in the same range.

Here's the entry in my .htaccess file that password-protects admin.php:
<Files "admin.php">
AuthType Basic
AuthName "Whatever"
AuthUserFile /path/to/your/password/file
require valid-user
</Files>
The .htaccess file is located in the top-level XOOPS directory.
The password file is created/updated with the Apache htpasswd command.
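
An added example, not part of the original post: the two controls discussed above (an IP range and the Basic-auth password) combined so that a request for admin.php must satisfy both. It assumes Apache 2.4 with mod_authz_core and mod_authz_host available and AllowOverride permitting AuthConfig; the range 203.0.113.0/24 and the user name "adminuser" are constructed placeholders.

```apache
# .htaccess in the top-level XOOPS directory (Apache 2.4 syntax, assumed)
<Files "admin.php">
    AuthType Basic
    AuthName "Whatever"
    # Keep the password file outside the web root so it cannot be downloaded.
    # Create it with:   htpasswd -c /path/to/your/password/file adminuser
    # Add more users by running htpasswd without -c (which would overwrite the file).
    AuthUserFile /path/to/your/password/file

    # Both conditions must hold: the client is in the allowed range
    # AND presents valid credentials. A client in the same range
    # still has to pass the password check.
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>
```

Basic authentication sends the credentials with every request in an easily decoded form, so this protection is only meaningful when admin.php is served over HTTPS.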