I thought I might restrict it to show only on some IPs, but I have some freelance workers without static IPs that should be able to log in to the admin site. I rolled out a big proje
If you are running it behind Apache you can use one of its many modules for HTTP authentication (there are similar modules for other servers). This way the user can't even get to the login page without logging in.
Another option would be to block all access from remote URLs and require users to use a VPN to access the admin pages. (I think this would be too big of a hassle.)
We have a site where the admin interface is on a separate domain; it doesn't hide anything but keeps them separate.
We're wrestling with this question right now. We initially restricted access by IPs; however, (after client signoff) we were asked to turn off the restriction. We currently have digest auth on top of the admin. We're considering login attempt throttling and minimum password strength requirements. I believe these would be relevant protections, as protecting the admin includes protection against poor password choices.
Time and budget permitting, we may look at mod_security for many things, including IP address reputation (geolocation), blacklisting, and brute force attack detection.
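The login attempt throttling mentioned above, sketched as an added example that is not part of the original thread or of any particular framework: a sliding-window limiter that counts failures per account as well as per client IP, so it still applies to users without static IPs. The names `LoginThrottle` and `attempt`, the thresholds, and the `password_ok` flag are assumptions made for illustration.

```python
import time
from collections import deque

class LoginThrottle:
    """Sliding-window cap on failed logins, per account and per client IP."""
    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock      # injectable so the limiter can be tested
        self._failures = {}     # key -> deque of failure timestamps

    def _keys(self, username, ip):
        # Normalised so "Admin" and "admin " share one counter.
        return ("user", username.strip().lower()), ("ip", ip)

    def _recent(self, key, now):
        q = self._failures.get(key, ())
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            self._failures.pop(key, None)   # keep memory bounded
        return q

    def retry_after(self, username, ip):
        """Seconds to wait before the next attempt; 0 means go ahead."""
        now, wait = self.clock(), 0.0
        for key in self._keys(username, ip):
            q = self._recent(key, now)
            if len(q) >= self.max_failures:
                wait = max(wait, q[-self.max_failures] + self.window - now)
        return wait

    def record_failure(self, username, ip):
        for key in self._keys(username, ip):
            self._failures.setdefault(key, deque()).append(self.clock())

    def record_success(self, username, ip):
        # Reset the account counter only: a valid login must not wipe the
        # IP counter that limits guessing against other accounts.
        self._failures.pop(self._keys(username, ip)[0], None)

def attempt(throttle, username, ip, password_ok):
    if throttle.retry_after(username, ip) > 0:
        return "throttled"      # refuse before evaluating the password
    if password_ok:             # stands in for the real credential check
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"
```

In a multi-process deployment the counters would need to live in a shared store rather than in process memory.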
1) Restrict by IPs. This may not be totally possible in your case, but you can still look at allowing only a few subnets. I don't think even though your users have dynamic IPs they are most likely to get their IPs from the same subnet if accessing on the same network every time. This may reduce the risk of being open totally.
2) Change the default Admin URL to something non-obvious.