No need to tell you to use google captcha on all forms, but still people keep trying.
You can always find a plugin to get the job done, but manually you can do this too.
- Generate a .htpasswd file using htpasswd generator.
- Do not place this file in the same location as your .htaccess file, suggested one folder up
- Update .htaccess with folloing code
AuthName “Private access”
You can use the same method to keep away unwanted unauthorized traffic and SEO bots from your staging sites.