Best practices around admin access in production mode?

What are the best practices for admin access for editors in production mode?
For a given site. Should be accessible from outside or what are the guidelines to this?

Thanks in advance

Beyond always using https and using an IdProvider your feel is suitable there is no “best practice” in this area - only business security policies. If you are worried about people easily finding your admin then /admin is probably a bad solution, otherwise it is up to you. Big XP customers typically place their admin behind some VPN / only expose it internally.