You could also just stick it behind a reverse proxy with basic HTTP Authentication; that means you have to keep Apache/nginx/caddy/whatever up to date but that part is easy and then nothing else can get to the actual application if you've done it right.