Dedicated IP VPN that you can login to from any comp.
before you get assigned IP after login VPN you have to go through 2FA via web browser (redirects * traffic to that 2FA screen before granting you access to network / IP that you can use to login ssh/ftp/url htaccess)

this way your actual site cannot be accessed without passing through 2FA first.

sounds like a good idea or horrible?

Woah… Idea time.

Using a paid VPN for restricted IP FTP/Admin Access..

Wonder if that would work.. In the same boat.

Not okay with using my home IP, worried if it gets switched or if I move or something..

no VPN would be under my control from a seperate server. thats where i would implement the 2FA shit before assigning IP to use to login with to site.

It sounds like a great idea. That’s why people have been doing it for years. It’s called using a private/public key with a VPN.

didnt know it existed

more info on setting this up?

Depends on your router. Generating the key is easy, but I’d suggest you install tomato wrt or dd-wrt, otherwise your stock router firmware is most likely going to be pretty limiting unless you have something like the Asus n66u.