Roaming / Mobile Secure Admin access

Hi All, just general advice needed; I think but not sure if this is the right place?
I have 6 websites (5 of them add ons) on a shared hosting facility.
I use .htaccess in the root of “public_html” and the root of each domain to allow only my IP address (which rarely changes) to acesss the hidden backend. If I use my mobile phone or try to access the back end from another location, I get a 403 “access denied”, so that works 🙂 The sites use Ithemes security or Wordfence.

Question 1. Why do I get reports advising that someone has attempted to log in as “admin” or other Username. They should be getting a 403 and not even see the log in screen?

Question 2. I would now like to be able to access the hidden backend while I’m in other locations and it’s getting tedious amending .htaccess to enter new IP using CPanel. Is there a better and secure way that doesn’t involve using the IP address?

The only way I can think of is to not use .htaccess to deny from all but have some sort of “User List” with very hard passwords.

All comments appreciated but keep it clean 🙂

Regards

Jeff